When updating two Drupal 6 site menus, the handles used to reorder menus disappeared and a Trend Micro alert popped up. In doing some research, it turns out that a June 30th, 2009 update to Trend Micro added some AJAX patterns which have now begun to flag those handles as a trojan. They then become hidden in all browsers unless Trend is shut down on the local machine and the private cache data is cleared. I'll post more details if I can find them, but I wanted to make sure someone was aware of the problem. If it's happening with Trend Micro, it's reasonable to assume that it would happen with other corporate AV programs.

Attachments:
drupal_trend_2.jpg (25.07 KB) - Saoirse1916
drupal_trend_1.jpg (20.74 KB) - Saoirse1916

Comments

Saoirse1916

I checked into our Trend Micro logs and found that it's also catching trojans in the following files:

siteroot\modules\color\color.install - flagged as "BKDR_IRCBOT.BZQ"
siteroot\modules\profile\profile-wrapper.tpl.php - flagged as "TROJ_SWIZZOR.KXV"
siteroot\modules\translation\translation.module - flagged as "TROJ_FRAUDLO.LL"

It's actually removing them from the local copy of my site -- fortunately the files are up on the webserver so it's not really a big issue, but it could be for some.
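
Before restoring files a scanner has quarantined, it is worth knowing whether the local copies actually matched the release. A flagged file that hashes identically to the pristine release is the false positive this thread is about; one that differs deserves a look before it is trusted. The following is an added example, not code from this thread or from the Drupal project: it builds two constructed directory trees (a "release" and a "local copy" with placeholder contents, so the hashes are not real Drupal hashes), simulates one modified file, one quarantined file and one file that was never part of the release, and classifies each flagged path.

```python
# Added example (not from the thread or the Drupal project): classify files an
# AV product flagged by comparing them against a known-good release tree.
# Both trees below are constructed with placeholder content; no real Drupal
# file hashes are used.
import hashlib
import os
import tempfile

PRISTINE = "identical to release: false positive likely"
MODIFIED = "differs from release: inspect before trusting"
MISSING = "absent locally: quarantined or deleted"
UNKNOWN = "not part of the release: custom or injected file"


def sha256_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every relative path under a known-good tree to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def classify(flagged, local_root, manifest):
    """Give each flagged relative path one of the four verdicts above."""
    verdicts = {}
    for rel in flagged:
        local = os.path.join(local_root, *rel.split("/"))
        if not os.path.isfile(local):
            verdicts[rel] = MISSING
        elif rel not in manifest:
            verdicts[rel] = UNKNOWN
        elif sha256_file(local) == manifest[rel]:
            verdicts[rel] = PRISTINE
        else:
            verdicts[rel] = MODIFIED
    return verdicts


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: release tree vs. a local copy with three problems."""
    files = {  # placeholder contents, not the real Drupal files
        "modules/color/color.install": b"<?php\n// color.install placeholder\n",
        "modules/profile/profile-wrapper.tpl.php": b"<?php\n// placeholder\n",
        "modules/translation/translation.module": b"<?php\n// placeholder\n",
    }
    with tempfile.TemporaryDirectory() as release, tempfile.TemporaryDirectory() as local:
        for rel, data in files.items():
            _write(release, rel, data)
            _write(local, rel, data)
        # Simulated tampering: unexpected code appended to one local file.
        _write(local, "modules/translation/translation.module",
               files["modules/translation/translation.module"] + b"// unexpected appended code\n")
        # Simulated quarantine: the scanner removed one local file.
        os.remove(os.path.join(local, "modules", "color", "color.install"))
        # A flagged file that was never part of the release at all.
        _write(local, "sites/default/files/x.php", b"<?php\n")
        manifest = build_manifest(release)
        flagged = list(files) + ["sites/default/files/x.php"]
        return classify(flagged, local, manifest)


if __name__ == "__main__":
    for rel, verdict in demo().items():
        print(f"{rel}: {verdict}")
```

In practice the manifest would be built from the official tarball of the exact same Drupal version, itself verified against the checksum published with the release, and only a "pristine" verdict clears a flagged file. A "differs" verdict is not proof of compromise if the site carries local patches, but it does mean the scanner's verdict cannot simply be dismissed as a false positive.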

bigdave

Version: 6.9 » 6.13
kaakuu

Does it affect other D6 versions?

yt2s

Yes it does. See this post.

I've since spent several hours with Trend Micro support and the issue has not been resolved. TM issued another update to the software this morning (or last night) and the problem is even worse now than before. In addition to the files snagged by TM a few days ago, last night it also got:

File: modules/book/book.admin.inc
Threat name: TROJ_SWIZZOR.KVR

File: modules/poll/poll-results.tpl.php
Threat name: TROJ_SWIZZOR.KVC

File: modules/upload/upload.module
Threat name: TSPY_MMORPG.NP

This article shows a similar discussion to this one. I am certainly hoping these are all false positives. Either way, this debacle is killing productivity for sure.

I even thought about switching to another AV software brand; but don't commercial AVs generally follow suit with the same, or similar, pattern releases? If so, wouldn't it make sense to expect similar behaviors in other AVs soon? Is Drupal, or can Drupal, get involved with TM to help get this issue resolved?

kaakuu

There are certain things that are serious about these results even if they are false positives.
During the recent Gumblar and similar attacks, several sites were affected, and even when cleaned they continued to be shown as unsafe by Google - false positives, but Firefox, which relies on Google's reports, kept on blocking legitimate users from visiting purely legitimate sites. There are several such stories on unmaskparasites.com.

Is there a way to run a reliable AV on actual Linux servers, particularly for shared account holders? This may perhaps clarify whether the problem only occurs on the local machine.

It is also worth testing whether the same problem happens with the download package from Acquia. Can someone test?

yt2s

Agreed on the serious nature. While my testing has certainly not been scientific, I have yet to find any OS-CMS that gets flagged by Trend Micro over the past few days. It is very frustrating. TM is blowing up my machine again this morning, and Drupal files are the only files on my entire system being caught (...and I don't mean just the only CMS files; I mean they are literally the only files being flagged on an otherwise seemingly clean machine). I just don't understand it. I'm calling Trend Micro again this afternoon after this scan finishes.

michelle

Category: bug » support
Status: Active » Closed (won't fix)

This is not a bug in Drupal; it is a bug in Trend. It needs to be fixed on their end, so you need to file an issue in their queue.

Michelle

yt2s

Hi Michelle,

That's exactly what I've done. Hopefully the matter will be resolved soon. In the meantime it is a serious encumbrance to productivity, not to mention a little scary. The sooner this whole thing is behind Drupal/Trend Micro users the better.

Certainly I will update the hopeful/expected "all clear" here soon.

theunraveler

Subscribing.

yt2s

I have spent every day this week on the phone with varying levels of Trend Micro support. After scanning my drive with the latest pattern release (issued within the past day or so), Trend Micro DOES NOT quarantine or flag any Drupal files as having a threat. This most recent scan (again yielding no threat) consisted of several versions of Drupal, including 5.19 and 6.5-6.13.

It would appear the alarm was most definitely a False Positive.

swh

Status: Closed (won't fix) » Fixed

I can confirm this too: with pattern release 6.287, OfficeScan no longer identifies threats in Drupal 6.12 or 6.13.

Todd, thanks for your efforts pushing that along with Trend Micro.

kaakuu

Yep! Thanks yt2s. The community needs efforts like you to fix things.

yt2s

Final Update:

I've continued to follow up with Trend Micro on this issue in hopes that TM users don't go through this again. TM collected and tested samples of the files in question (mentioned here and elsewhere recently in similar posts on drupal.org). After the tests were concluded, and the Drupal files in question proved NOT to contain any threats, TM updated their software to correct the problem. Following is a direct quote from an email I received from the TM support supervisor today:

...per the advice from our senior colleagues, the files have been proven to be legitimate and should no longer be detected by the Trend Micro product when using the latest pattern versions.

TM users, just make sure your TM AV software has been updated to the latest pattern release and you should be all clear with respect to the Drupal files mentioned here.

webchick

Wow, thanks a lot, yt2s! What a nasty (and totally bizarre) problem. Really appreciate your tireless efforts in following up! This weird bug could've given Drupal a very bad name, indeed.

Nice that Trend Micro reacted quickly to fix the bug, too. Hopefully they've fixed their heuristics so we don't run into this in the future.

Saoirse1916

Ditto -- glad this is straightened out. I noticed with the latest TM updates it's not flagging the AJAX handles as trojans anymore so the problem must be resolved.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

a.bond

Update: Trend Micro now lists the "download Drupal 6.13" link as a "malicious website". I'm getting really irritated with them.