How Does the jmap.exe Process Relate to the Capture server?
(Doc ID 2831549.1)
Last updated on APRIL 27, 2023
Applies to:
Oracle WebCenter Enterprise Capture - Version 11.1.1.8.0 and later
Information in this document applies to any platform.
Goal
The jmap.exe process was recently executed on the Capture server. Is this activity legitimate?
This is from the report:
Analysis:
<Appname> detected a suspicious activity for a command line on this host that an Oracle WebLogic process wrote a PE file which could be related to webshell activity. We found that the process "jmap.exe" injected into "java.exe" with the command line "E:\app\oracle\product\fmw\jrockit\jre\..\bin\jmap -histo 15048". Jmap is a java tool used for memory profiling. It is used to take a heap snapshot (dump the heap without affecting the running process).
Solution