
Windows 10 Defender Antivirus and also Microsoft Safety Scanner detected and quarantined a threat of category "Exploit" named "Exploit:Java/Obfuscator.F" in the TemenosSecurity.jar file and several other jars of the Temenos T24 TAFJ software, which runs as a standalone Java app and also as J2EE in a JBoss EAP Java application server container.

The software is provided by an official distributor, so it should be virus free and can be trusted. The internet, however, says many bad things about "Exploit:Java/Obfuscator.F", like:

This threat has been "obfuscated", which means it has tried to hide its purpose so your security software doesn't detect it. The malware that lies underneath this obfuscation can have almost any purpose.

What causes Windows Defender Antivirus to detect this threat? Can attackers exploit this vulnerability? And what should the software provider have done differently to avoid this jar being detected by antivirus?

PrecisionLex

2 Answers

It's possible that the company shipping the product is obfuscating their code just to protect their IP, and is oblivious to the fact that it's setting off antiviruses.

Code obfuscation refers to transforming code in a way that makes it very difficult to analyze. Viruses might use it so antiviruses can't analyze their code to determine they're doing something bad. On the other hand, legitimate software might use it to prevent others from analyzing and reverse engineering its algorithms.

It's also possible that the distributor is compromised, and is shipping actual malware, like Lothar's answer mentions.

Either way, it'd be good to let the distributor know. If they're using obfuscation legitimately, they might want to digitally sign their software and register it with antivirus providers to get rid of the warning. If they're inadvertently distributing malware, they'll be glad to know too. Before contacting them, however, you might want to look up the error specifically in relation to the software you're trying to use. If you find a statement by the company that it's a known issue, there's no real need to contact them, and if you trust the company, it's more than likely safe to use the software.

Vaelus

I'd take the information seriously and get in contact with the distributor. Just because the software comes from an "official" source doesn't mean it is free from malware by default.

There are a couple of instances in the past (even in the Good Old Days[TM], when stuff was shipped on floppy discs) where hardware and software vendors were shipping their stuff with some unwanted malware as a bonus. A recent example is the Pear.php.net service that was compromised for half a year, delivering PHP modules including malware.

To answer your other questions:

What causes Windows Defender Antivirus to detect this threat?

It used one of its detection mechanisms to find it. There are different ones, so it's hard to say from Here[TM]. A way to rule out a false alarm is to go to VirusTotal and upload one of the offending files. The file will be tested against 60 and more virus scanners, and if more than just a few spit out warnings, you can assume that the file actually contains the malware.

Can attackers exploit this vulnerability?

If it's not a false alarm (and if multiple jars are reported as being affected, it doesn't sound like one), yes, I suppose.

And what should the software provider have done differently to avoid this jar being detected by antivirus?

Not bundling their software with malware would be a start ;-)

Lothar
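Two points raised in the answers above, that a vendor can digitally sign its jars and that a flagged file can be checked on VirusTotal, as an added Python triage example (this is not code from either answer, nor from Temenos): it inspects a jar (a jar is just a zip), reports whether it carries a signature block, what fraction of classes have one- or two-letter names (a common trace of name obfuscation), and the SHA-256 so the hash can be looked up before deciding whether to upload proprietary code. The short-name heuristic and the `signed` check are assumptions of this example: the presence of `META-INF/*.SF` and `*.RSA` entries only shows a signature block exists, and `jarsigner -verify` is still needed to validate it.

```python
import hashlib
import io
import re
import zipfile

# Class entries whose simple name is one or two letters, e.g. a/b.class.
# Assumption: such names are a rough indicator of name obfuscation.
SHORT_NAME = re.compile(r"^(?:[^/]+/)*[A-Za-z]{1,2}\.class$")


def build_jar(entries):
    """Build a constructed in-memory jar from {entry_name: bytes} (demo input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def triage_jar(jar_bytes):
    """Collect the facts a defender wants before contacting the vendor."""
    sha256 = hashlib.sha256(jar_bytes).hexdigest()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
    classes = [n for n in names if n.endswith(".class")]
    short = [n for n in classes if SHORT_NAME.match(n)]
    # A signed jar carries META-INF/<NAME>.SF plus a .RSA/.DSA/.EC block.
    # Presence alone does not prove validity; run `jarsigner -verify` for that.
    meta = [n for n in names if n.startswith("META-INF/")]
    signed = any(n.endswith(".SF") for n in meta) and any(
        n.endswith((".RSA", ".DSA", ".EC")) for n in meta
    )
    ratio = len(short) / len(classes) if classes else 0.0
    return {
        "sha256": sha256,
        "signed": signed,
        "class_count": len(classes),
        "short_name_ratio": round(ratio, 2),
        # Hash lookup first: it reveals nothing about the file's contents.
        "vt_lookup_url": f"https://www.virustotal.com/gui/file/{sha256}",
    }


if __name__ == "__main__":
    # Constructed sample: two obfuscated-looking classes, unsigned.
    sample = build_jar({"a/b.class": b"\xca\xfe\xba\xbe", "a/c.class": b"\xca\xfe\xba\xbe",
                        "com/example/Main.class": b"\xca\xfe\xba\xbe"})
    for key, value in triage_jar(sample).items():
        print(f"{key}: {value}")
```

A high short-name ratio on an unsigned jar is a reason to ask the vendor for a signed build or a published hash, not proof of malware; several engines agreeing on the hash lookup is the stronger signal.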