OfficeScan deletes Rterm as malware

OfficeScan deletes Rterm as malware

Roland Fuß
I'm not sure if the problem is actually with R but thought I should
report this anyway.

After Peter's email regarding the R 3.5.2 release today, I installed the
Windows version right away (directly from CRAN and not from a mirror).

Unfortunately, my institute's AV software TrendMicro OfficeScan 12.0.5147
Service Pack 1 stops and deletes Rterm.exe when running Rcmd.exe INSTALL
with a local source package. It reports "OfficeScan detected a Behavior
Monitoring policy violation and blocked the offending process(es)." and
"Unauthorized File Encryption" by Rterm.exe.

I've deinstalled R 3.5.2 for now and switched back to 3.5.1, which works
fine.

Best,

Roland Fuß

______________________________________________
[hidden email] mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel

Re: OfficeScan deletes Rterm as malware

Joris FA Meys
Dear Roland,

quite surprising, as online scans of TrendMicro turn up completely clean.
It looks like a false positive, which you can report to TrendMicro as
explained here:

https://success.trendmicro.com/solution/1115668-preventing-behavior-monitoring-false-detections-in-officescan#collapse1

On the same website they explain how you can whitelist it. I'll check at
home with a few other antiviruses, but I'm pretty certain this is a case of
TrendMicro being overly enthusiastic in its protection.

Cheers
Joris

On Thu, Dec 20, 2018 at 2:52 PM Roland Fuß <[hidden email]> wrote:

> I'm not sure if the problem is actually with R but thought I should
> report this anyway.
>
> After Peter's email regarding the R 3.5.2 release today, I installed the
> Windows version right away (directly from CRAN and not from a mirror).
>
> Unfortunately, my institute's AV software TrendMicro OfficeScan 12.0.5147
> Service Pack 1 stops and deletes Rterm.exe when running Rcmd.exe INSTALL
> with a local source package. It reports "OfficeScan detected a Behavior
> Monitoring policy violation and blocked the offending process(es)." and
> "Unauthorized File Encryption" by Rterm.exe.
>
> I've deinstalled R 3.5.2 for now and switched back to 3.5.1, which works
> fine.
>
> Best,
>
> Roland Fuß


--
Joris Meys
Statistical consultant

Department of Data Analysis and Mathematical Modelling
Ghent University
Coupure Links 653, B-9000 Gent (Belgium)

-----------
Biowiskundedagen 2017-2018
http://www.biowiskundedagen.ugent.be/

-------------------------------
Disclaimer : http://helpdesk.ugent.be/e-maildisclaimer.php


Re: OfficeScan deletes Rterm as malware

Jeroen Ooms-2
On Thu, Dec 20, 2018 at 2:52 PM Roland Fuß <[hidden email]> wrote:

>
> I'm not sure if the problem is actually with R but thought I should
> report this anyway.
>
> After Peter's email regarding the R 3.5.2 release today, I installed the
> Windows version right away (directly from CRAN and not from a mirror).
>
> Unfortunately, my institute's AV software TrendMicro OfficeScan 12.0.5147
> Service Pack 1 stops and deletes Rterm.exe when running Rcmd.exe INSTALL
> with a local source package. It reports "OfficeScan detected a Behavior
> Monitoring policy violation and blocked the offending process(es)." and
> "Unauthorized File Encryption" by Rterm.exe.

I can't think of anything that has changed between R 3.5.1 and 3.5.2.
What does "Behavior Monitoring policy violation" mean? Does it say
what sort of policy?

A quick search reveals that the TrendMicro "Unauthorized File
Encryption" message is a frequent false positive for many different
software programs, including this thread at the rstudio forum:
https://support.rstudio.com/hc/en-us/community/posts/208171047-rsession-exe-flagged-as-virus

Perhaps it's just because you're one of the first people to install
this version, and your AV might use some "smart" learning system such
that the false positive will automatically disappear after a few more
people have installed and whitelisted the new R binaries.
