[Solved]: Trend Officescan thinks Log4OM is malware

kd7mw
Advanced Class
Posts: 41
Joined: 10 Feb 2018, 06:03

[Solved]: Trend Officescan thinks Log4OM is malware

Post by kd7mw »

[Edit: Please note that this was indeed a false positive caused by an aggressive virus checker. I posted the workaround at the bottom of this thread on 2/17/2018; see "PROBLEM SOLVED!"]

I realize that the following is probably a "false positive" problem, but I'm being careful.

I'm currently evaluating both Log4OM and DxLab. I installed Log4OM this evening, downloading it directly from this site. Trend Officescan, my virus scanner, identified the installer as possibly malware. I had read here that this sometimes happens with anti-virus software, so I bypassed that. Installed Log4OM, did the basic configuration, created a database in My Documents. I had some trouble getting OmniRig to work. I had to install it manually (even though I'd asked Log4OM's installer to install it), and then had to download the radio ini files to get one for my IC-7300. It still wouldn't talk to the radio. Yes, I was running Log4omUI.exe as administrator. Yes, I know about COM port number, baud rate, stop bits, etc. Windows 7 (Professional x64) firewall asked me a couple of times if I wanted to unblock certain things while setting up Communicator, and I said yes, unblock.

Then I was fooling around with the configurations, starting and stopping Communicator, trying to get OmniRig to talk to the radio, when suddenly I got the errors you will see in the attachments. Sorry, I can't tell you exactly what I did when it happened. Officescan terminated Log4OM and actually deleted the Log4OMUI.exe file and its desktop icon. I was pretty shocked, because I had just told Officescan that Log4OM should be trusted to modify files in My Documents, (asking this the first time it tries to write to a file in My Documents, etc. is a part of its anti-ransomware feature).

At which point I have uninstalled Log4OM, am running a full scan on my system overnight, and am going to wait for you kind folks to tell me what's going on. Again, I understand that this is probably a false positive situation. But, after over 30 years as an IT person (now retired), I take such warnings seriously, because I have had to clean up numerous messes caused by people who didn't take such warnings seriously :-).

I must also note that DXLab, while less friendly on the surface than Log4OM, did not give me any such scares, and I was able to get rig control and Fldigi integration working very quickly.

73,
--Peter KD7MW
Attachments:
Log4OM-TrendWarning1.JPG
Log4OM-TrendWarning2.JPG
Last edited by kd7mw on 18 Feb 2018, 02:43, edited 2 times in total.
G4POP
Log4OM Alpha Team
Posts: 10753
Joined: 21 Jan 2013, 14:55
Location: Burnham on Crouch, Essex UK

Re: Trend Officescan thinks Log4OM is malware

Post by G4POP »

So far there have been 10,000 downloads of the latest release and yours is the only report of a virus.

I have just downloaded it and done a fresh install and none of my antivirus or malware software have flagged a problem.

Based on the above I suspect your software is flagging a false positive.

Did you follow the instructions in our quick start guide?

I am sure that you are aware that the specific Icom usb drivers must be installed before connecting the 7300 to the computer, otherwise windows will use a generic driver which will not work with the new Icom radios?
73 Terry G4POP
kd7mw
Advanced Class
Posts: 41
Joined: 10 Feb 2018, 06:03

Re: Trend Officescan thinks Log4OM is malware

Post by kd7mw »

Thanks, Terry. My system scan came up clean, so I'm sure it was indeed a false positive.

Yes, the Icom drivers were installed long ago and have been working with Fldigi for over a year. I think the reason I had trouble with CAT was that I neglected to "Run as Administrator" when I ran the install. Which might have meant that the installer itself was elevated by the UAC prompt, but secondary or tertiary spawned processes were not. In my defense, earlier I had installed something which specifically said NOT to Run as Administrator, and my mind must have still been in that mode. Computers can be fun...

None of which explains the false positive. By any chance do you have a maintenance release coming out soon? If so, I might wait for that in hopes that OfficeScan won't flag it.

Question--Am I correct that CAT does not require one to run Log4OM in Administrator mode, but that communicating with Fldigi does require it? Also, if I'm using Fldigi, could Log4OM be run by changing the program icon to run in Admin mode rather than the EXE file itself?

73,
--Peter, KD7MW
G4POP
Log4OM Alpha Team
Posts: 10753
Joined: 21 Jan 2013, 14:55
Location: Burnham on Crouch, Essex UK

Re: Trend Officescan thinks Log4OM is malware

Post by G4POP »

kd7mw wrote (16 Feb 2018, 09:09): None of which explains the false positive. By any chance do you have a maintenance release coming out soon? If so, I might wait for that in hopes that OfficeScan won't flag it.

No, we are working on an update but it won't be that soon; just install the latest release, it is fine, no one else has reported an issue!

kd7mw wrote: Question--Am I correct that CAT does not require one to run Log4OM in Administrator mode, but that communicating with Fldigi does require it? Also, if I'm using Fldigi, could Log4OM be run by changing the program icon to run in Admin mode rather than the EXE file itself?

No, you must install Log4OM and also Omnirig to 'Run as an administrator' as described in the user guide.
73 Terry G4POP
IW3HMH
Site Admin
Posts: 2925
Joined: 21 Jan 2013, 14:20
Location: Quarto d'Altino - Venezia (ITA)

Re: Trend Officescan thinks Log4OM is malware

Post by IW3HMH »

It happens quite often.
Log4OM uses some functionalities, like webservices and UDP communications between modules, that are sometimes used by malicious software to communicate.
Log4OM is not signed with a code certificate (it would cost 500 USD/year or so for a couple of bits issued by a certification authority); this could mitigate the problem.

Sometimes an antivirus heuristically detects that something could be wrong in the software and blocks it. We usually send the .exe to the antivirus house to let them check the program for issues.
Also note that the Log4OM codebase is encrypted to avoid data leaks and to prevent the curious from decompiling it and saying they are better programmers :mrgreen:, so this can cause headaches for antivirus software.

Here you can send a "false positive check request" to OfficeScan.
This could be a nice service for other users:
https://success.trendmicro.com/solution ... -xg-xg-sp1

73
Daniele Pistollato - IW3HMH
kd7mw
Advanced Class
Posts: 41
Joined: 10 Feb 2018, 06:03

Re: Trend Officescan thinks Log4OM is malware

Post by kd7mw »

Thank you, Terry and Daniele. I had another go at this today, following exactly the Quick Start Guide. No joy, unfortunately.

So far Trend Officescan has blocked as malware:

The install file
The .TMP file that is created during installation.
logomui.exe
logomcommunicator.exe
rigctrld.exe

Dealing with this is like playing Whack-A-Mole. I whitelist one file, and soon it blocks another as I'm trying out the program. I'm sure it is heuristic analysis of behavior that is triggering most of the blocks, because the warning names include HEU. As Daniele noted, since the files are encrypted, I don't get a warning when I scan them, only when they are run. No matter what I do, I can't get the CAT connection to work. I tried both Hamlib and OmniRig, I've gone in and out of the program, I went down to slower baud rates. Nothing worked--and I have both DXLab and Fldigi successfully talking with the radio. My guess is Trend is preventing something from running, causing odd behaviors from Log4OM as well as the warnings.

If it's any consolation, Officescan also flagged PV.EXE, the Propagation View module of DXLab. However, once I whitelisted that, it ran with no problem. I had been successfully running PV for several days. So Trend must have changed something this past week.

Here is the version of OfficeScan that I am currently running:

Version: 12.0.1226 (Component versions)
Serial Number: PJMF-0011-4895-6894-xxxx (last 4 digits obscured)
Type: Full version
Expiration: 5/9/2018
SPN GUID: 0c9e62c0-2974-4b0e-b090-b4d8eab0f0b5

I do not have a Business account with Trend, only a consumer version, so the link Daniele kindly provided won't work for me. I have attached the CSV file generated by my Officescan log. I will attempt to send the files I can to Trend via their consumer upload IF I can tell them that these files are false positives, not malware. And I'm going to give Log4OM a rest and see what Trend says, or if it works in another week or two.

73,
--Peter, KD7MW
Attachments:
Viruses.csv
kd7mw
Advanced Class
Posts: 41
Joined: 10 Feb 2018, 06:03

Re: Trend Officescan thinks Log4OM is malware

Post by kd7mw »

PROBLEM SOLVED! I was able to finally get Log4OM working by doing two things:

1. I turned off the virus checker during the install. This prevented "Whack-a-Mole" virus warning popups, which in my virus scanner will disable a program component if you don't click fast enough.
2. I explicitly whitelisted LogOMUI.exe and LogOMCommunicator.exe in the virus checker's exception list before running the program and setting it up. On my Win7 system, the programs are in this folder: C:\Program Files (x86)\IW3HMH\Log4OM .

I'm posting this for the benefit of future users who encounter this. My virus checker is Trend Officescan, but I suspect that other virus checkers may cause similar grief in future. As the bad guys get smarter and more devious, the virus checkers have to get stricter and more aggressive, and will step on legitimate things more often.
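The thread ends with two executables being added to the scanner's exception list, and earlier Daniele explains why the heuristics fire (unsigned, encrypted/packed binary doing UDP and web-service traffic). A practitioner adding an exclusion should first pin down exactly what is being excluded: record the SHA-256 of each file (that is what you quote in a false-positive submission to the AV vendor, and what lets you notice if the file later changes) and check whether the PE even carries an Authenticode certificate table to verify. The following script is an added example, not code from Log4OM or from anyone in this thread. It assumes the install folder quoted above (C:\Program Files (x86)\IW3HMH\Log4OM) and, so that it runs offline, builds two tiny constructed PE images (headers only, not executable) instead of reading real files; it only detects the presence of an embedded signature table and does not validate a signature.

```python
"""Triage helper for an antivirus false-positive report: for every .exe, report
its SHA-256 and whether the PE has an embedded Authenticode certificate table
(IMAGE_DIRECTORY_ENTRY_SECURITY).  Added example, not part of Log4OM."""
import hashlib
import struct
from pathlib import Path

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the PE data directories

# Assumed install folder, taken from the post above (kd7mw's Win7 system).
LOG4OM_DIR = r"C:\Program Files (x86)\IW3HMH\Log4OM"


def pe_has_cert_table(data: bytes) -> bool:
    """True if the PE's security data directory points at a non-empty
    WIN_CERTIFICATE table.  This does NOT verify the signature; it only tells
    you whether there is one to verify (e.g. with signtool or
    Get-AuthenticodeSignature).  An unsigned build, as described in this
    thread, returns False."""
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return False
        opt = e_lfanew + 4 + 20                       # skip signature + COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                            # PE32
            ndirs_off, dd_off = opt + 92, opt + 96
        elif magic == 0x20B:                          # PE32+
            ndirs_off, dd_off = opt + 108, opt + 112
        else:
            return False
        ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
        if ndirs <= SECURITY_DIR_INDEX:
            return False
        off, size = struct.unpack_from("<II", data, dd_off + 8 * SECURITY_DIR_INDEX)
    except struct.error:
        return False
    # For the security directory the "RVA" field is a raw file offset, and the
    # table must lie inside the file (a WIN_CERTIFICATE header alone is 8 bytes).
    return off != 0 and size >= 8 and off + size <= len(data)


def triage(files):
    """files: iterable of (name, bytes).  Returns one record per file."""
    return [
        {
            "file": name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "has_cert_table": pe_has_cert_table(data),
        }
        for name, data in files
    ]


def triage_dir(folder=LOG4OM_DIR):
    """Real use: run over the installed executables before whitelisting them."""
    return triage((p.name, p.read_bytes()) for p in Path(folder).glob("*.exe"))


def build_minimal_pe(with_cert: bool) -> bytes:
    """Constructed sample: a header-only PE32 image, optionally with a dummy
    WIN_CERTIFICATE table appended.  Demonstration input, not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)  # i386, opt hdr 224 bytes
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + len(opt)
    cert = b""
    if with_cert:
        body = b"\0" * 16                                          # stand-in for a PKCS#7 blob
        # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, headers_len, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    samples = [
        ("sample_unsigned.exe", build_minimal_pe(False)),
        ("sample_with_cert.exe", build_minimal_pe(True)),
    ]
    for row in triage(samples):
        print(row)
    # On the affected machine you would instead run: triage_dir()
```

The point of the hash column is that an exclusion (or a "this is a false positive" submission) should name a specific binary, not a path: if the file at that path is later replaced by something else, the hash you recorded no longer matches and the exclusion should be revisited. The certificate-table column just confirms what the developer states above (no code signing), so there is nothing to verify with signtool and you are relying on the download source alone.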
G4POP
Log4OM Alpha Team
Posts: 10753
Joined: 21 Jan 2013, 14:55
Location: Burnham on Crouch, Essex UK

Re: [Solved]: Trend Officescan thinks Log4OM is malware

Post by G4POP »

That's good news, I am pleased that you are up and running.
73 Terry G4POP