vscode-java
Avast Antivirus detected a threat
Issue Type: Bug
Avast Antivirus detected a threat in an executable file inside the Language Support for Java extension: jcmd.exe infected with win32:induc-w
Extension version: 1.8.0
VS Code version: Code 1.69.0 (92d25e35d9bf1a6b16f7d0758f25d48ace11e5b9, 2022-07-07T05:28:36.503Z)
OS version: Windows_NT x64 10.0.19044
Restricted Mode: No
System Info
Item | Value |
---|---|
CPUs | Intel(R) Core(TM) i3-5005U CPU @ 2.00GHz (4 x 1995) |
GPU Status | 2d_canvas: enabled canvas_oop_rasterization: disabled_off direct_rendering_display_compositor: disabled_off_ok gpu_compositing: enabled multiple_raster_threads: enabled_on opengl: enabled_on rasterization: enabled raw_draw: disabled_off_ok skia_renderer: enabled_on video_decode: enabled video_encode: enabled vulkan: disabled_off webgl: enabled webgl2: enabled |
Load (avg) | undefined |
Memory (System) | 7.91GB (1.48GB free) |
Process Argv | |
Screen Reader | no |
VM | 0% |
I've also had jcmd.exe flagged by avast for Win32:Induc-W, vscode extension version 1.8.0, win32-x64 ~ infected file is jre/17.0.3-win32-x86_64/bin/jcmd.exe
Can you confirm the jcmd.exe on your system is the same one from https://download.eclipse.org/justj/jres/17/downloads/20220515_1316/org.eclipse.justj.openjdk.hotspot.jre.full.stripped-17.0.3-win32-x86_64.tar.gz ? It's under bin/jcmd.exe of the archive.
Confirmed, they both have sha256 7f3a736a8d7ae8232969d2cf07ad960b533f65ba69cc0824b2fe654497f099f8
But it appears whatever caused avast to flag it is transient or only relevant when running, as a direct scan after removing from quarantine without creating an exception does not detect anything.
As far as I know, we only use bin/java from the embedded JRE so that we can launch the language server application, but I don't think we make use of jcmd.exe, although it is provided there as a utility. What happens if you just run jcmd.exe with no arguments? Does it just output the list of running Java processes or does the antivirus software trigger?
I'd be inclined to list this as a false positive, though it might be interesting to know what is triggering this behaviour.
vscode-java-pack extension will use jcmd to check whether the language server process is alive. Since jcmd is a built-in command tool from JDK distribution, we might need to report it back to OpenJDK team.
// cc: @Eskibear
Running it at the moment does not trigger the antivirus. When it first triggered, I was not actively running anything, merely had vscode open in the background, and after about half an hour the warning appeared that it'd been quarantined.
I have Cylance complaining about it too. Like Skenvy mentioned, it only complains when I've started running vscode, and then it pings every few seconds.
Skenvy's was JRE 17.0.3, this is 17.0.4
I assume this is poor virus checking rather than redhat_java, but I'll add it to the documentation (Cylance doesn't give much info)
The sha256sum of my file matches the jcmd in https://www.eclipse.org/downloads/download.php?file=/justj/jres/17/downloads/20220804_1529/org.eclipse.justj.openjdk.hotspot.jre.full.stripped-17.0.4-win32-x86_64.tar.gz (40E475C35CF00A31FA83268E621D42A709642ABA07C3854AA5C56349A94376A3)
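The comparison the commenters describe, hashing the installed jcmd.exe and the bin/jcmd.exe member of the upstream JustJ archive, can be scripted as follows. This is an added example, not part of the original thread or the vscode-java project; the function names are hypothetical and the sample archive is constructed so the script runs offline.

```python
import hashlib
import io
import os
import tarfile
import tempfile

def sha256_stream(fh, chunk=1 << 16):
    """Hash a binary file object in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    for block in iter(lambda: fh.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()

def sha256_file(path):
    with open(path, "rb") as fh:
        return sha256_stream(fh)

def sha256_tar_member(archive_path, member="bin/jcmd.exe"):
    """Hash one regular file inside a .tar.gz without extracting it to disk."""
    with tarfile.open(archive_path, "r:gz") as tar:
        for info in tar:
            # Accept a leading "./" or a top-level directory before the member path.
            name = info.name[2:] if info.name.startswith("./") else info.name
            if info.isfile() and (name == member or name.endswith("/" + member)):
                return sha256_stream(tar.extractfile(info))
    raise FileNotFoundError(f"{member} not found in {archive_path}")

def same_digest(a, b):
    """Compare hex digests case-insensitively (the thread quotes both cases)."""
    return a.strip().lower() == b.strip().lower()

def build_sample(workdir, payload=b"constructed stand-in for jcmd.exe"):
    """Constructed test data: a tiny archive plus an 'installed' copy of the file."""
    archive = os.path.join(workdir, "jre.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        info = tarfile.TarInfo("bin/jcmd.exe")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    installed = os.path.join(workdir, "jcmd.exe")
    with open(installed, "wb") as fh:
        fh.write(payload)
    return archive, installed

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        archive, installed = build_sample(tmp)
        print(same_digest(sha256_file(installed), sha256_tar_member(archive)))
```

To check a real installation, pass the extension's jcmd.exe path to `sha256_file` and the downloaded archive to `sha256_tar_member`, then compare either result against the digest quoted in the thread with `same_digest`.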
Trend Micro Apex One is also reporting this as a high-risk application due to malicious behavior. Please fix it.
I have the same problem with Cylance