Does Java have a built-in Antivirus? Is it true?

Question

Does Java have a built-in Antivirus?
One of my friends told me there is in the JVM itself - it's called the "sandbox". Is it true?

Ha.... It feels good to laugh now and again. – Jasarien Apr 06 '10 at 16:19 — Jasarien, Apr 06 '10 at 16:19
If you believe that, I have a bridge to sell you... – OMG Ponies Apr 06 '10 at 16:19 — OMG Ponies, Apr 06 '10 at 16:19
Java also solves world hunger. – Frank Krueger Apr 06 '10 at 16:19 — Frank Krueger, Apr 06 '10 at 16:19
Java was crucial in the BP oil spill fix – Chris J Jul 21 '10 at 17:10 — Chris J, Jul 21 '10 at 17:10

Michael Borgwardt · Accepted Answer · 2010-04-06T20:38:54.490

40

Java does have a security-related concept called "sandbox", but it works very differently from typical anti-virus products. The latter usually try to catch viruses via signatures or code analysis before they are executed.

The Java sandbox on the other hand allows you to run Java code while witholding from it access to system resources that could be used to to bad things, e.g. no access to any files.

However, only Java applets and Java Web Start applications run in a sandbox per default. Regular java applications have full access to your system.

edited Apr 06 '10 at 20:38

answered Apr 06 '10 at 16:28

Michael Borgwardt

342,105
78
482
720

8

you are one who understood what i need. explained it understandably. Thanks a lot. – Praveen Apr 06 '10 at 17:03
6

+1 for not ridiculing the OP and actually answering the question. – snemarch Sep 22 '10 at 11:30

score 19 · Answer 2 · answered Apr 06 '10 at 16:19

19

Doubtful. Perhaps he was referring to the fact that the JVM (somewhat) sandboxes execution of a Java program, to help prevent it from damaging the host OS.

answered Apr 06 '10 at 16:19

Justin Ethier

131,333
52
229
284

1

+1: Assuming it's not an April Fools joke, this is the likely simplified explanation... – OMG Ponies Apr 06 '10 at 16:22
1

No, an antivirus program will actively track down and identify virii. A sandbox simply makes it harder (or impossible, although I would not claim that for Java) to write a virus within the environment. – Justin Ethier Apr 06 '10 at 16:26
2

You might also mention the Java verifier (http://java.sun.com/docs/white/langenv/Security.doc3.html) which examines classes for safety. Of the components of the Java platform, it might be the most similar to an antivirus program. – erickson Apr 06 '10 at 16:33
1

you guys are wrong, I am running Sandbox Enterprise Edition and I feel safe. – Persimmonium Apr 06 '10 at 16:37

Anthony Forloney · Answer 3 · 2010-04-06T16:30:18.167

14

No they do not have a built-in antivirus. Did he tell you this on April 1st?

To clear your doubt, sandbox is not an antivirus.

edited Apr 06 '10 at 16:30

answered Apr 06 '10 at 16:19

Anthony Forloney

90,123
14
117
115

A sandbox is in no way a "development environment". – Michael Borgwardt Apr 06 '10 at 16:30
I'm not sure if I agree. Sandbox is not a development environment, rather is the name for Java's security model, providing a restricted code execution environment. – Frederik Apr 06 '10 at 16:30

score 7 · Answer 4 · answered Apr 06 '10 at 16:18

7

does the java have an in-built antivirus?

No.

answered Apr 06 '10 at 16:18

Bart Kiers

166,582
36
299
288

score 7 · Answer 5 · answered Apr 06 '10 at 16:24

Java has a security model built-in that allows it to execute untrusted code. This model is called "the sandbox model".

It is not a virus-scanner. Instead, it limits the possibilities of untrusted code so that applets on a webpage do not have access to files on your computer's hard drive.

You can read more about Java's Security Architecture.

score 4 · Answer 6 · answered Apr 06 '10 at 16:24

java uses a class called SecurityManager to determine what a program can or cannot do, so in some sense it implements anti-exploit code, but not specifically anti-virus.

http://java.sun.com/j2se/1.4.2/docs/api/java/lang/SecurityManager.html

anti-virus in the usual sense of the word detects viruses in files and removes them. this is not built in to java.

score 3 · Answer 7 · answered Apr 06 '10 at 16:22

No. What it does is running the program in an environment that is (somewhat) separated from the operating system, which should, in most cases, prevent malicious code from doing any damage. Sort of like running VMware - virii and other malware have no influence on the host OS.

score 2 · Answer 8 · answered Apr 06 '10 at 16:23

2

I heard garbage collection also acts as a handy anti-bacterial, making your applications 99.99% free from germs.

Wash after every use.

answered Apr 06 '10 at 16:23

djhworld

6,726
4
30
44

I think your cynicism is misplaced. Although there is no "virus scanner" in the JVM, there are some security features that prevent it from executing arbitrary code. – Frederik Apr 06 '10 at 16:27
Your comment really made me laugh, I'll give you that, but still kind of rude and misplaced. – Jakob Apr 06 '10 at 21:31
I feel bad for doing this but I couldn't resist, it was meant in jest not malice. Other people in this thread have posted suitable answers enough already. – djhworld Apr 07 '10 at 11:10

score 2 · Answer 9 · answered Apr 06 '10 at 17:06

The closest thing in the JRE to literal "anti-virus" is the blacklisting feature for signed jars. If a signed jar is found to cause a security issue, it can be blocked. This has been designed for accidental security flaws rather than blocking deliberately malicious code. Also it is possible to revoke a certificate using a CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol) if enabled. Conventional anti-virus is left to specialist anti-virus products, rather than trying to produce a half-baked alternative.

(Today's anti-virus products do more than just check for known viruses.)

Does Java have a built-in Antivirus? Is it true?

9 Answers9