PROBLEM

McAfee Endpoint Security Identifies JAVA.exe as a potential threat source in Portal for ArcGIS or ArcGIS Data Store

Last Published: July 15, 2022

Description

During normal use of the ArcGIS Enterprise components Portal for ArcGIS and ArcGIS Data Store, administrators may notice informational warnings generated by McAfee Endpoint Security.

The warnings look similar to this:

Event Generated Time: 1/1/22 12:08:51 AM BST

Threat Source User Name: machine.domain.com\userName
Threat Source Process Name: java.exe

Source File Path: C:\Program Files\ArcGIS\DataStore\framework\runtime\jre\bin

Source Description: "C:\Program Files\ArcGIS\DataStore\framework\runtime\jre\bin\java" -classpath "C:\Program Files\ArcGIS\DataStore\framework\lib\arcgis-nodeagent.jar;C:\Program Files\ArcGIS\DataStore\framework\lib\arcgis-common.jar;C:\Program Files\ArcGIS\DataStore\framework\lib\postgresql.jar;C:\Program Files\ArcGIS\framework\lib\commons-compress.jar;C:\Program Files\ArcGIS\DataStore\framework\lib\arcgis-data-store.jar" com.esri.arcgis.datastore.util.DbCli put-transaction-log "C:/Program Files/ArcGIS/Data/arcgisdatastore/

Target Description: cmd.exe /c .\bin\pg_isready -h localhost -p 9876 -d [databasename] -U [user]

Description: machine.domain.com\userName ran C:\Program Files\ArcGIS\DataStore\framework\runtime\jre\bin\java.exe, which accessed the process cmd.exe, violating the rule "JNDI Log4J Exploit". Access was allowed because the rule wasn't configured to block.

Cause

In response to the Log4J vulnerabilities that surfaced in late 2021, McAfee updated its product coverage to include a new Expert Rule named "JNDI Log4J Exploit".

McAfee's approach is documented here: Log4J and The Memory That Knew Too Much

The rule triggers when McAfee Endpoint Security detects activity whose behavior resembles what may be seen when the Log4J vulnerability CVE-2021-44228 is exploited, such as a Java process launching a command interpreter.

See also:
McAfee Enterprise coverage for Apache Log4j CVE-2021-44228 Remote Code Execution

Because the rule matches process behavior rather than the Log4J version in use, administrators and users may see these warnings even after Esri's Log4J patches have been applied.

Solution or Workaround

The flagged behavior is expected, and the warning is informational.

Portal for ArcGIS and ArcGIS Data Store run pg_isready and whoami on Windows by opening the Windows command interpreter (cmd.exe) from a Java process. Both pg_isready and whoami are command-line tools.

  • The JRE opens the Windows cmd.exe interpreter to run the whoami command to ensure that the ArcGIS process owner can read from and write to the Portal's indexes.
  • The Portal checks that the process owner has access to its directories (for example: db/temp/content/index).
  • This logic helps support High Availability configurations.
  • pg_isready is a command-line tool provided by PostgreSQL and is used internally by Portal for ArcGIS and ArcGIS Data Store.
  • pg_isready is called periodically to check that the internal PostgreSQL database is running properly.
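Triage logic for these events, added here as an example (not Esri's or McAfee's code): it parses the event fields quoted above and marks an alert as the expected ArcGIS pattern only when java.exe runs from an ArcGIS JRE directory and the cmd.exe child is pg_isready or whoami. The Portal JRE path and the sample event values are assumptions.

```python
import re

# Constructed sample event modelled on the warning quoted in the article;
# the values are illustrative, not taken from a real system.
SAMPLE_EVENT = r"""
Event Generated Time: 1/1/22 12:08:51 AM BST
Threat Source User Name: machine.domain.com\userName
Threat Source Process Name: java.exe
Source File Path: C:\Program Files\ArcGIS\DataStore\framework\runtime\jre\bin
Target Description: cmd.exe /c .\bin\pg_isready -h localhost -p 9876 -d gisdb -U gisuser
Description: machine.domain.com\userName ran java.exe, which accessed the process cmd.exe, violating the rule "JNDI Log4J Exploit". Access was allowed because the rule wasn't configured to block.
"""

# JRE directories the two products run java.exe from. The Data Store path is the
# one shown in the article; the Portal path is an assumed default install location.
ARCGIS_JRE_BINS = (
    r"c:\program files\arcgis\datastore\framework\runtime\jre\bin",
    r"c:\program files\arcgis\portal\framework\runtime\jre\bin",
)
# Child tools the article says ArcGIS legitimately launches through cmd.exe.
EXPECTED_CHILD_TOOLS = ("pg_isready", "whoami")

def parse_event(text):
    """Split the 'Key: value' lines of an ENS event into a dict (first ': ' wins)."""
    fields = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields

def classify(event):
    """Return 'expected-arcgis' only when every part of the benign pattern matches;
    anything else returns 'review' so an analyst looks at it rather than tuning it out."""
    if "JNDI Log4J Exploit" not in event.get("Description", ""):
        return "review"  # a different rule fired
    if event.get("Threat Source Process Name", "").lower() != "java.exe":
        return "review"
    src = event.get("Source File Path", "").lower().rstrip("\\")
    if src not in ARCGIS_JRE_BINS:
        return "review"  # java.exe running from an unexpected location
    target = event.get("Target Description", "").lower()
    m = re.match(r"cmd\.exe\s+/c\s+(\S+)", target)
    if not m:
        return "review"  # child is not a "cmd.exe /c <tool>" invocation
    tool = m.group(1).rsplit("\\", 1)[-1].removesuffix(".exe")
    return "expected-arcgis" if tool in EXPECTED_CHILD_TOOLS else "review"

if __name__ == "__main__":
    print(classify(parse_event(SAMPLE_EVENT)))  # expected-arcgis
```

Anything that does not match the full pattern stays flagged for review, which is safer than excluding java.exe or cmd.exe from the rule outright.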

Article ID:000028041

Software:
  • ArcGIS Data Store
  • Portal for ArcGIS
  • ArcGIS Enterprise Builder
