Your last paragraph is also a contradiction of itself, to be clear. You cannot be both vulnerable to attack, and be completely clear of malicious usage.
I wrote it the way I did to avoid getting back into the whole philosophical issue of whether avast! should issue alerts for stuff that can theoretically be exploited, or only for those things that are evidence of an actual exploit under way. I've already expressed my view elsewhere in these forums that alerts about merely potential dangers should only appear in a separate tool that is intended for software and/or website developers to use to test their products. Since I am not a developer, avast! should only be alerting me when it finds a known instance of actual malware that is attempting to do something unpleasant on my devices. I warned that failure to make this distinction risks training end users to ignore pop-up warnings, since many of them do not refer to an actual threat that is aimed at them. The fact that a component of a particular piece of software is outdated is not evidence that there is actual malicious code in that software. I also pointed out in a previous discussion that when a bajillion other anti-malware systems don't do this (see the VirusTotal results), and only avast! does, there just might be something wrong with avast's thinking on this topic. I lost that battle. But I reassert that the software in question can only be used to upload certain specific files to a certain specific website.
I will take your suggestion to use my console's ability to whitelist the software, especially since these update installers are issued on an irregular basis and likely each one would have to be whitelisted separately.
I'm not discounting that the potential exists for users to ignore such warnings. However, in corporate settings, things are usually managed by a SOC department. If an internal one doesn't exist, an external one is usually brought in, or consulted. Although my experience with Avast! is limited (in terms of a CMS), the CMS & SIEM systems I'm aware of do not push client notices. Rather, they get pushed to the SOC to be handled. From there, the SOC can decide whether or not action must be taken. Again, most CMS systems I know of offer the ability to remotely deal with a threat (whether it's quarantine, or taking the system offline to be handled in person). Most notices I've gotten (as a SOC employee) are handled at the SOC, and the end-user is none the wiser unless they must be spoken to.
Again, I'm viewing this from a SOC perspective. CVE tells me exploit; whether or not it's being abused is a different story. However, the limitations to detecting and preventing exploits are much more difficult to manage than a simple malware infection. SIEM systems could be trained to deal with it, but an end-point AV isn't likely able to make that distinction. I would also go so far as to mention that the subconscious choice of colors plays a role in the message delivered. RED means STOP, BAD, DO NOT DO THAT. RED therefore usually means drop whatever you're doing and seek technical assistance. It may be more appropriate to label it yellow as caution, but that's an internal discussion that Avast! can have.
The fact that a component of a particular piece of software is outdated is not evidence that there is actual malicious code in that software.
True, but that does not mean it cannot be used for malicious purposes.
I also pointed out in a previous discussion that when a bajillion other anti-malware systems don't do this (see the VirusTotal results), and only avast! does, there just might be something wrong with avast's thinking on this topic.
AV companies set their settings on VirusTotal. See the hover option on any of the AV names on VT.
"May differ from commercial off-the-shelf product. The company decides the particular settings with which the engine should run in VirusTotal. [sic]" As such, take VT's results with a grain of salt. Even Avast! does not detect your files on VT.
But I reassert that the software in question can only be used to upload certain specific files to a certain specific website.
import java.awt.EventQueue;
import java.awt.Image;
import java.awt.Toolkit;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.io.BufferedInputStream;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.io.OutputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.swing.ButtonGroup;
import javax.swing.JButton;
import javax.swing.JFrame;
import javax.swing.JLabel;
import javax.swing.JPasswordField;
import javax.swing.JRadioButton;
import javax.swing.JTextField;
import javax.swing.SwingConstants;

public class LoginFrame {
    private JFrame frmEvonyAgeIii;
    private JTextField JTFUserName;
    private JPasswordField pfPassword;
    private JPasswordField pwConfirmPassword;
    public JRadioButton rdbtnLogin;
    public JRadioButton rdbtnCreateAccount;
    private JLabel lblNewLabel;
    private JLabel lblConnectionStatus;

    /**
     * Launch the application.
     */
    public static void main(String[] args) {
        EventQueue.invokeLater(new Runnable() {
            /* Run the application on the Swing event thread */
            public void run() {
                try {
                    LoginFrame window = new LoginFrame();
                    window.frmEvonyAgeIii.setVisible(true);
                    Image icon = Toolkit.getDefaultToolkit().getImage("C:\\Users\\Michael\\Desktop\\Icon.jpg");
                    window.frmEvonyAgeIii.setIconImage(icon);
                }
                catch (Exception e) {
                    e.printStackTrace();
                }
            }
        });
    }

    /**
     * Create the application.
     */
    public LoginFrame() {
        initialize();
    }

    /**
     * Initialize the contents of the frame.
     */
    private void initialize() {
        frmEvonyAgeIii = new JFrame();
        frmEvonyAgeIii.setTitle("Evony Age III Login");
        frmEvonyAgeIii.setBounds(100, 100, 645, 357);
        frmEvonyAgeIii.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
        frmEvonyAgeIii.getContentPane().setLayout(null);

        ButtonGroup gAccount = new ButtonGroup();

        JTFUserName = new JTextField();
        JTFUserName.setBounds(135, 63, 96, 20);
        frmEvonyAgeIii.getContentPane().add(JTFUserName);
        JTFUserName.setColumns(20);

        pfPassword = new JPasswordField();
        pfPassword.setBounds(135, 94, 96, 20);
        frmEvonyAgeIii.getContentPane().add(pfPassword);

        JLabel lblUsername = new JLabel("Email:");
        lblUsername.setHorizontalAlignment(SwingConstants.RIGHT);
        lblUsername.setBounds(60, 66, 65, 15);
        frmEvonyAgeIii.getContentPane().add(lblUsername);

        JLabel lblPassword = new JLabel("Password:");
        lblPassword.setHorizontalAlignment(SwingConstants.RIGHT);
        lblPassword.setBounds(60, 97, 65, 15);
        frmEvonyAgeIii.getContentPane().add(lblPassword);

        rdbtnLogin = new JRadioButton("Login to an Existing Account");
        rdbtnLogin.setBounds(0, 7, 210, 23);
        rdbtnLogin.setSelected(true);
        frmEvonyAgeIii.getContentPane().add(rdbtnLogin);

        rdbtnCreateAccount = new JRadioButton("Create a New Account");
        rdbtnCreateAccount.setBounds(0, 33, 159, 23);
        frmEvonyAgeIii.getContentPane().add(rdbtnCreateAccount);

        JButton btnLoginCreate = new JButton("Login/Create Account");
        btnLoginCreate.setBounds(75, 156, 210, 23);
        frmEvonyAgeIii.getContentPane().add(btnLoginCreate);

        pwConfirmPassword = new JPasswordField();
        pwConfirmPassword.setEnabled(false);
        pwConfirmPassword.setBounds(135, 125, 96, 20);
        frmEvonyAgeIii.getContentPane().add(pwConfirmPassword);

        JLabel lblConfirmPassword = new JLabel("Confirm Password:");
        lblConfirmPassword.setHorizontalAlignment(SwingConstants.RIGHT);
        lblConfirmPassword.setBounds(0, 128, 125, 15);
        frmEvonyAgeIii.getContentPane().add(lblConfirmPassword);

        gAccount.add(rdbtnLogin);
        gAccount.add(rdbtnCreateAccount);

        lblNewLabel = new JLabel("Hash Data");
        lblNewLabel.setVerticalAlignment(SwingConstants.TOP);
        lblNewLabel.setBounds(10, 203, 609, 20);
        frmEvonyAgeIii.getContentPane().add(lblNewLabel);

        lblConnectionStatus = new JLabel("Connection Status: ");
        lblConnectionStatus.setBounds(237, 37, 382, 14);
        frmEvonyAgeIii.getContentPane().add(lblConnectionStatus);

        /* Action listeners for the radio buttons: the confirm field is only enabled when creating an account */
        rdbtnLogin.addActionListener(new ActionListener() {
            @Override
            public void actionPerformed(ActionEvent e) {
                pwConfirmPassword.setEnabled(false);
            }
        });
        rdbtnCreateAccount.addActionListener(new ActionListener() {
            @Override
            public void actionPerformed(ActionEvent e) {
                pwConfirmPassword.setEnabled(true);
            }
        });

        btnLoginCreate.addActionListener(new ActionListener() {
            /* Hard-coded server endpoint: the client can only ever talk to this one address and port */
            String serverAddress = "142.162.21.9";
            int serverPort = 3332;

            @Override
            public void actionPerformed(ActionEvent e) {
                /* Read both password fields */
                String password1 = new String(pfPassword.getPassword());
                String password2 = new String(pwConfirmPassword.getPassword());
                /* Hash each password with SHA3-512 */
                String pw1Hashed = encryptData(password1);
                String pw2Hashed = encryptData(password2);
                /* Email */
                String email = JTFUserName.getText();
                /* Communication variable declaration */
                Socket clientSocket = null;
                BufferedInputStream bis = null;
                try {
                    /* The SQL statement is built by string concatenation from the raw email field
                     * and written to a file; this is the SQL injection point discussed below. */
                    File authType = new File("authentication.sql");
                    BufferedWriter writer = new BufferedWriter(new FileWriter(authType));
                    writer.write("SELECT COUNT(*) FROM logintable WHERE username='" + email + "' and passwordHash='" + pw1Hashed + "';");
                    writer.close();
                    lblNewLabel.setText(pw1Hashed);
                    if (rdbtnCreateAccount.isSelected()) {
                        if (pw1Hashed.equals(pw2Hashed)) {
                            //Open Connections
                            /* Create User */
                        }
                    }
                    else if (rdbtnLogin.isSelected()) {
                        /* Send login request to server: the file contents (the SQL text) are sent verbatim over the socket */
                        lblNewLabel.setText(pw1Hashed);
                        try {
                            clientSocket = new Socket(serverAddress, serverPort);
                            byte[] bArray = new byte[(int) authType.length()];
                            bis = new BufferedInputStream(new FileInputStream(authType));
                            bis.read(bArray, 0, bArray.length);
                            bis.close();
                            OutputStream outputStream = clientSocket.getOutputStream();
                            outputStream.write(bArray, 0, bArray.length);
                            outputStream.flush();
                            outputStream.close();
                            clientSocket.close();
                        } catch (Exception excep) {
                            System.out.println("Unknown Exception Occurred");
                        }
                    }
                }
                catch (IOException ioEx) {
                    System.out.println("File failed");
                }
                /* Drop references to the plaintext and hashes once the request is sent */
                password1 = null;
                password2 = null;
                pw1Hashed = null;
                pw2Hashed = null;
            }
        });
    }

    /* One-way hashing with 512-bit SHA3 (the method name says "encrypt", but this is a digest, not encryption).
     * SHA3-512 is available in the JDK from Java 9 onwards. */
    public String encryptData(String plaintextPW) {
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA3-512");
            byte[] hashbytes = digest.digest(plaintextPW.getBytes(StandardCharsets.UTF_8));
            String HPW = bytesToHex(hashbytes);
            return HPW;
        }
        catch (NoSuchAlgorithmException e) {
            System.out.println("Failed to create new Password.");
            return null;
        }
    }

    /* Credit to baeldung - https://www.baeldung.com/sha-256-hashing-java */
    public static String bytesToHex(byte[] hash) {
        StringBuffer hexString = new StringBuffer();
        for (int i = 0; i < hash.length; i++) {
            String hex = Integer.toHexString(0xff & hash[i]);
            if (hex.length() == 1) hexString.append('0');
            hexString.append(hex);
        }
        return hexString.toString();
    }
}
^^ This is no longer live, and is over a year out of date now. I don't typically post personal code, but fudge it. It has one purpose: take the U/N and Password you've created, create an SQL statement, and send it to my server. Server responds back, yay or nay. All this is done using hashed passwords, and encrypted sockets (no way to undo that short of brute force). That application was vulnerable to SQL injection, despite its singular purpose. Your government's program is no different, unfortunately.
Note the server address (my actual IP Address, yes!) is hard coded. The port is hard coded in. It can only go one place, and do one thing, and yet, that application was vulnerable.
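As an added illustration (not the poster's code), here is the concatenated query from the client above beside a parameterized version of the same check. It assumes a JDBC Connection to a database holding the logintable the client queries, and it belongs on the server: because the posted client ships SQL text over the socket, the server has to build the statement itself from the email and hash received as data for the fix to mean anything.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/* Added example, not from the posted client. Assumes a JDBC Connection to a
 * database with the poster's logintable (columns username, passwordHash). */
public class LoginCheck {

    /* Vulnerable form, as in the posted client: the query text is assembled
     * from the raw email field, so a quote in the input changes the SQL. */
    static String concatenatedQuery(String email, String pwHashed) {
        return "SELECT COUNT(*) FROM logintable WHERE username='" + email
             + "' and passwordHash='" + pwHashed + "';";
    }

    /* Hardened form: the SQL text is a constant and the values are bound as
     * parameters, so the database never parses the email as SQL. */
    static boolean credentialsValid(Connection db, String email, String pwHashed)
            throws SQLException {
        String sql = "SELECT COUNT(*) FROM logintable WHERE username = ? AND passwordHash = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, email);
            ps.setString(2, pwHashed);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() && rs.getInt(1) > 0;
            }
        }
    }

    public static void main(String[] args) {
        /* Constructed input: a legitimate address containing an apostrophe.
         * The concatenated form yields malformed SQL; the bound form treats it as data. */
        String email = "o'brien@example.com";
        System.out.println(concatenatedQuery(email, "<hash placeholder>"));
        // -> ... WHERE username='o'brien@example.com' and passwordHash='<hash placeholder>';
    }
}
```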