IWSS - Java developer's nightmare

InterScan Web Security Suite, abbreviated IWSS, it is said to be a comprehensive solution tailored for large corporate deployment. Product of Trend Micro, IWSS scans every HTTP access from a corporate's intranet onto the great internet. Unfortunately, it assumes that every .jar file accessed by a corporate's intranet is a java applet, therefore it naively apply bytecode manipulation on it, making a dialog box pops up every time the class in the jar file access something in the host OS. Like accessing a file in Eclipse's plug-ins folder. Like accessing a file in the Local Settings folder.


Why does it have to be like this? When does an antivirus company, allowed to do manipulations that in the past only done by virus? Let me explain. A jar file is an JVM executable. I downloaded tens if not over a hundred jar files from the internet, because Eclipse's update mechanism is just like that- by downloading jar files from the Internet. IWSS tampered with them, modified them.. it modified the executables so I could no longer expect the original behaviour of them. It ruins tens if not hundreds of jar files in my two laptops, which I must cleanup now. Virus in the past also did something similar to this. Exe files were modified by viruses, its header altered to call the virus body attached in the end of the exe file before calling the original entry point of the executable.
Please. I don't think that there is any reason for an antivirus company to behave like a virus. For the damages that already done, I think Trend Micro must provide its users a cleanup tool, a tool that could scan a harddisk for altered jar files, with com.iwss package in it, and modified them to normal, un-applying the bytecode manipulation said before. It is similar to virus cleanup tool, no?
I don't think Trend Micro has done everything they could to detect whether the JAR file is an applet or not. Oh, I see, they seem just UNABLE to do that. I wonder if they were UNABLE to create such bytecode transformation I said in the previous paragraph.

Comments

eric said…
Thanks for your post! I had no idea what happend to my jars until I found your complaints!
March 4, 2010 at 11:51 AM
Post a Comment

Popular posts from this blog

Long running process in Linux using PHP

Background To do stuff, I usually create web-based applications written in PHP. Sometimes we need to run something that takes a long time, far longer than the 10 second psychological limit for web pages. A bit of googling in stack overflow found us this  http://stackoverflow.com/questions/2212635/best-way-to-manage-long-running-php-script , but I will tell the similar story with a different solution. One of the long running tasks that need to be run is a Pentaho data integration transformation. Difficulties in long running PHP scripts I encountered some problems when trying to make PHP do long running tasks : PHP script timeout. This could be solved by running set_time_limit(0); before the long running tasks. Memory leaks. The framework I normally use have a bit of memory issues, this can be solved either by patching the framework (ok, it is a bit difficult to do, but I did something similar in the past ) or splitting the data to process into several batches. And if you
Read more

Reverse Engineering Reptile Kernel module to Extract Authentication code

Image
 This time I will show how to (partially) reverse engineer a linux kernel module. The linux kernel module is larger than usual kernel module because it is actually a Reptile-based rootkit dropped by some hacker.  Part 1. Get basic module information First we gather basic module info by using modinfo : [root@lb lkrg-0.9.1]# modinfo falc0n filename:       /lib/modules/3.10.0-1127.10.1.el7.x86_64/kernel/sdc/falc0n.ko intree:         Y license:         GPL retpoline:       Y rhelversion:     7.8 srcversion:     81F508029A53F7490CCDB44 depends:         vermagic:       3.10.0-1127.10.1.el7.x86_64 SMP mod_unload modversions   We could also refer to the kernel module file not yet installed in the OS : [root@lb lkrg-0.9.1]# file falc0n.ko falc0n.ko: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), BuildID[sha1]=1bde6abf4732eb620983032a47fbcf07689ece11, not stripped [root@lb lkrg-0.9.1]# modinfo falc0n.ko filename:       /root/lkrg-0.9.1/falc0n.ko intree:         Y license:         GPL retp
Read more

SAP System Copy Lessons Learned

Image
Background Earlier this year I was part of a team that does System Copy for a 20 terabyte plus SAP ERP RM-CA System. And just now I am involved in doing two system copy in just over one week, for much lesser amount of data. I think I would note some lessons learned from the experience in this blog. For the record, we are migrating from HP/UX and AIX to Linux x86 platform. Things that go wrong First, following the System Copy guide carefully is quite a lot of work - mainly because some important stuff are hidden in references in the guide. And reading a SAP note that are referenced in another SAP note, that are referenced in Installation Guide.. is a bit too much. Let me describe what thing goes wrong. VM Time drift The Oracle RAC Cluster have time drift problem, killing one instance when the other is shutting down. The cure for our VMWare-based Linux database server is hidden in SAP Note 989963 "Linux VMWARE Timing", which is basically add a tinker panic 0 in the
Read more