Help Needed Regarding: TrendMicro Antivirus considering java App a highly ri

togreatmind
Hello


I have a Java application which sniffs the network traffic; I am using jpcap and WinPcap in my application. The application runs fine with AVG antivirus, but when I deployed my Java application in the customer environment, where the customer has Trend Micro Antivirus,
at that customer end Trend Micro is reporting my Java application as a high-risk threat and also considers it a dial-up app which is trying to access the other PCs. But in actuality it is really not like that; it only sniffs the traffic which comes to that particular PC.
    1 Votes

    Perhaps send them a sample of the code, but they will probably not remove the
    threat detection. Many network tools that are used routinely are detected by
    various antimalware scanners as suspect. If the application is trusted, you may
    be able to add it to the excluded software list in the options of the scanner.

    Edit to add: prior to adding it to the exclusions list, since this is a client's
    system and not your own, I would recommend full disclosure to the
    client, including what the software does and why you need it to
    perform your service.

    0 Votes
    togreatmind

    Yeah, my application sniffs only the packets, like Wireshark.
    Also, on my client side they installed ArcSight antivirus, and then ArcSight might connect with Trend Micro.

    Furthermore, do you know how we can add my application to the Trusted Application list in ArcSight?

    Thanks
    Regards

    0 Votes
    Rob Kuhn

    There are two red flags that will set off any decent AVG: a Java app, and a Java app that is doing "suspicious" network activity (even if it's just sniffing traffic).

    I agree with "Wizard57m-cnet"'s statement about providing disclosure to your client.

    What is this app sniffing for? Does it just sit on a machine that sniffs the packets? Or is it actually sniffing through the entire network (like an SNMP/WMI sweep) and hitting devices it finds?

    If it's the latter then some sort of exclusion will need to be made on every affected machine and device it touches.

    If it just sits there like Wireshark then the exclusion just needs to be made on the local host it's running on. If the client has any sort of intrusion detection system or even just an SNMP/WMI type monitoring system in place you may need to add some sort of exclusion on those respective systems - otherwise it could trigger false alerts (I had this happen once when running an aggressive Wireshark capture - my switch saw an abnormal increase in traffic on a port and so it shut the port down).
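An added example, not the poster's code, of the "sits there like Wireshark" case Rob is asking about: the adapter is opened non-promiscuously, the capture filter is restricted to the host's own IPv4 addresses, and nothing is ever written to the wire, which is the behaviour that only needs an exclusion on the local host. It assumes the jpcap 0.7 API (JpcapCaptor, NetworkInterface, PacketReceiver, as in jpcap's tutorial) on top of WinPcap and an account allowed to open the capture device.

```java
// Added example (not the poster's code): a strictly passive, host-local capture.
// Class and field names follow the jpcap 0.7 tutorial API and are assumed here.
import java.net.Inet4Address;
import jpcap.JpcapCaptor;
import jpcap.NetworkInterface;
import jpcap.NetworkInterfaceAddress;
import jpcap.PacketReceiver;
import jpcap.packet.Packet;

public class LocalOnlySniffer {

    // Build a BPF filter that keeps only frames sent to or from this adapter's
    // own IPv4 addresses, so other hosts' traffic on the segment is discarded
    // by the capture driver before it ever reaches Java.
    static String localHostFilter(NetworkInterface device) {
        StringBuilder filter = new StringBuilder();
        for (NetworkInterfaceAddress a : device.addresses) {
            if (!(a.address instanceof Inet4Address)) continue;
            if (filter.length() > 0) filter.append(" or ");
            filter.append("host ").append(a.address.getHostAddress());
        }
        if (filter.length() == 0) {
            throw new IllegalStateException("adapter has no IPv4 address; refusing to capture");
        }
        return filter.toString();
    }

    public static void main(String[] args) throws Exception {
        NetworkInterface[] devices = JpcapCaptor.getDeviceList();
        if (devices.length == 0) {
            throw new IllegalStateException("no capture devices (is WinPcap installed?)");
        }
        NetworkInterface device = devices[args.length > 0 ? Integer.parseInt(args[0]) : 0];

        // promisc=false: the NIC stays in normal mode and only hands the driver
        // frames it would have received anyway. snaplen 65535, 20 ms timeout.
        JpcapCaptor captor = JpcapCaptor.openDevice(device, 65535, false, 20);
        captor.setFilter(localHostFilter(device), true);

        // Read 100 packets and only count bytes; no packet is transmitted,
        // which is what separates this from an active SNMP/WMI-style sweep.
        final long[] bytes = {0};
        captor.processPacket(100, new PacketReceiver() {
            public void receivePacket(Packet p) { bytes[0] += p.len; }
        });
        captor.close();
        System.out.println("captured 100 local frames, " + bytes[0] + " bytes on " + device.name);
    }
}
```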
