Thanks, Philippe, Denis! I appreciate the fast replies.
Yes, I know it’s a false positive and that the executable is standard. I’m a big fan of WaveLab and know that it’s not a platform for malware.
Denis, to address your specific point: No, Trend Micro security products actually don’t react to many things in this way; in fact, in about 6 years of running this particular security suite (with yearly upgrades and continual updates, of course), the only application that has ever been identified like this is WaveLab’s lib.pluginsupport.exe. I recognize that your suggestion might be to remove any security software from a true mastering system; however, because of various environments I work in with a particular mobile rig, I need the security software installed.
Philippe, on your standard file note: Trend Micro reported (but I didn’t screenshot quickly enough to capture the message) that the .exe was in the process of “encrypting of changing certain system or user files” that caused the security software to trigger the ransomware warning. Trend Micro is probably looking for processes that are systematically going through files and making some sort of changes - which it looks like lib.pluginsupport.exe was doing (or causing/triggering) in these two locations:
C:\Users\computer\AppData\Local\Temp\JVI43leO6kk
C:\ProgramData\PACE Anti-Piracy\nJVI43le
The files noted as being changed in a ransomware-like pattern were:
kLIjX9h7.html
r7oehbpagddig.xls
This occurred during initial plugin scanning after upgrade to WaveLab Pro 9.5. Specifically, the warning was triggered when WaveLab scanned Antares AVOX Articulator 4.0.2 (VST3 version).
After clearing lib.pluginsupport.exe in Trend Micro, I ran the WaveLab plugin scan again, and everything worked with no Trend Micro warnings. However, the plugin scan halted again when scanning AVOX Articulator 4.0.2 (VST3 version). WaveLab offered the option to wait until scanning of Articulator finished or to continue on. I waited several minutes, and the scan of Articulator never finished, so I finally opted to skip it. At this time, I cannot use Articulator VST3 in WaveLab.
Here’s my guess: When WaveLab 9.5 scans the plugins, it also performs (or causes) processes with PACE licensing that result in a variety of temporary, randomly-named files such as “kLIjX9h7.html” to be generated and/or changed, perhaps involving encryption mechanisms. Because of those files’ location(s), and because of the rapidity of the processing that the plugin scanner performs, security software like Trend Micro detects the processing as a false positive for malware - ransomware in this case. It actually makes sense; the process would loosely fit the profile of a program that is systematically making changes to user/system files, so it gets halted to ensure the user wants this program running.
So, two requests:
- Articulator VST3 simply doesn’t work in WaveLab after this false positive, even after multiple scan attempts. (It does continue to work in other hosts such as Cubase.) My guess is that the needed changes to the randomly-named files above did not complete during the first scan. What can I do to restore it in WaveLab, since scanning it always fails now in WaveLab?
- Would it be possible, on release of a major WaveLab version such as 9.5, to simply collaborate with the various major antivirus providers (there are only about a dozen major players: Avast, AVG, Avira, Bitdefender, Comodo, ESET, F-Secure, G Data, McAfee, Norton, ThreatTrack, Trend Micro) and provide them with the WaveLab executables so any such false positives would be stamped out at release? This could be a standard process incorporated into the release schedule, and most of these companies make submissions really easy for developers.