Saturday, November 21, 2009

IWSS - Java developer's nightmare

InterScan Web Security Suite, abbreviated IWSS, it is said to be a comprehensive solution tailored for large corporate deployment. Product of Trend Micro, IWSS scans every HTTP access from a corporate's intranet onto the great internet. Unfortunately, it assumes that every .jar file accessed by a corporate's intranet is a java applet, therefore it naively apply bytecode manipulation on it, making a dialog box pops up every time the class in the jar file access something in the host OS. Like accessing a file in Eclipse's plug-ins folder. Like accessing a file in the Local Settings folder.


Why does it have to be like this? When does an antivirus company, allowed to do manipulations that in the past only done by virus? Let me explain. A jar file is an JVM executable. I downloaded tens if not over a hundred jar files from the internet, because Eclipse's update mechanism is just like that- by downloading jar files from the Internet. IWSS tampered with them, modified them.. it modified the executables so I could no longer expect the original behaviour of them. It ruins tens if not hundreds of jar files in my two laptops, which I must cleanup now. Virus in the past also did something similar to this. Exe files were modified by viruses, its header altered to call the virus body attached in the end of the exe file before calling the original entry point of the executable.
Please. I don't think that there is any reason for an antivirus company to behave like a virus. For the damages that already done, I think Trend Micro must provide its users a cleanup tool, a tool that could scan a harddisk for altered jar files, with com.iwss package in it, and modified them to normal, un-applying the bytecode manipulation said before. It is similar to virus cleanup tool, no?
I don't think Trend Micro has done everything they could to detect whether the JAR file is an applet or not. Oh, I see, they seem just UNABLE to do that. I wonder if they were UNABLE to create such bytecode transformation I said in the previous paragraph.

1 comment:

EvdM said...

Thanks for your post! I had no idea what happend to my jars until I found your complaints!