Cybereason icon just appeared on status bar

I’ve been using Manjaro for a while, but last week a new icon appeared on the status bar. When right-clicking it says it is from Cybereason, but I did not install it.

Try to figure out from which package it comes from, but no good…
Is this legit?
Any idea of what this might be and how to remove it?


Welcome to the forum!

To the best of my knowledge, this is neither a package from the Manjaro repositories nor from the AUR.

It appears to be related to intercepting and preventing ransomware. :arrow_down:

1 Like

Still, it’s weird it appears out of thin air. Is your computer part of a company network or something?

whereis cybereason

The computer is in a company network, but I am the only one with su access.

[g-12-l0002]$ whereis cybereason

This shows it is not in PATH, meaning it can only be launched directly from its executable.
Considering your computer is in a company network, and that that software is security oriented, your IT department might know something about it.

But they do not have any access to my machine. I am the only user and the only one with root access.

Are you sure about that?

Just talked with the IT department, and they do not use Cybereason.
Is there a way to see where the program is installed? It does not show up under “Add/Remove Software”.

Two ways i think of:

  • Search the whole system for something called cybereason (supposing the name is actually used); it can take some time
find / -name cybereason
  • Check the processes in the Task Manager; that icon in the tray should have a running process. If you don’t find the name, you can also look for unusual processes – though many running in the background are usually unknown from the casual user.

No file found with name cybereason.

Also tried to find the PID from the open window, but the task manager could not find it (can not upload screenshot).

If the programs starts on boot, then check the autostart folder for startup files at ~/.config/autostart/ for example, or system wide folder like /etc/xdg/autostart/, when you find it you could start going upstream and find if a package owns files and so on, but start from here, find what autostarts what on boot.

Did you set it to find processes from all users?

That may be - but you may have installed somehting which has installed it - the question is what .

The when can perhaps be looked up by examining the pacman logs - but I doubt it - as cybereason is not in any Manjaro repo and neither in AUR - under another name maybe but that’s too little to go on.

Then it is likely located somewhere in your home. Open a terminal in your home folder and run

grep -rl 'cybereason'

If you get no results - there’s even more reason to be suspicious - in that case you need to get your IT to help you - it could be the result of a drive-by-attack which could not execute because it is a Linux system - no forum comment can help you - talk to IT about your worries.

Cannot really see anything suspicious:

$ ls -1 ~/.config/autostart/

$ ls -1 /etc/xdg/autostart/

As for the:

grep -rl 'cybereason'

it only found browser cache related files (Firefox and Brave) and .config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml with the content:

    <property name="plugin-13" type="string" value="systray">
      <property name="known-legacy-items" type="array">
        <value type="string" value="cybereason
your pc is protected"/>
        <value type="string" value="cybereason your pc is protected"/>
        <value type="string" value=""/>
        <value type="string" value="consider changing your password"/>
        <value type="string" value="thunar"/>
        <value type="string" value="idle"/>
        <value type="string" value="collecting data"/>
        <value type="string" value="pamac-tray"/>
        <value type="string" value="networkmanager applet"/>
        <value type="string" value="clipman"/>
      <property name="single-row" type="bool" value="true"/>
      <property name="hide-new-items" type="bool" value="false"/>
      <property name="square-icons" type="bool" value="false"/>
      <property name="hidden-legacy-items" type="array">
      <property name="symbolic-icons" type="bool" value="false"/>
      <property name="menu-is-primary" type="bool" value="false"/>
      <property name="icon-size" type="int" value="22"/>
      <property name="known-items" type="array">
        <value type="string" value="vlc"/>
        <value type="string" value="MEGAsync"/>
        <value type="string" value="io.github.quodlibet.QuodLibet-1"/>
        <value type="string" value="MSM Notifier"/>
      <property name="hidden-items" type="array">

Here goes the screenshot, in case it helps:

Also have you simply read through the list of running processes?

Doing some reading on cybereason .
Do you have Windows also installed on this computer?
If so is it possible you installed some kind of Ransomware Protection?
Cybereason is included in some Ransomware protection software.

Did you check what each file does?

You can try removing these lines from that file and relog:

<value type="string" value="cybereason
your pc is protected"/>
        <value type="string" value="cybereason your pc is protected"/>

What’s the content of your /opt folder?
Someone did install this on your machine. Question is if it was intentional or not. Cyberreason only seems to have Pro and above plans, which I assume costs money.

There are a lot of processes, but nothing that resembles cybereason. And no, Win is not installed on this computer.

@omano looked into the files, but it seems that it is bluetooth manager, MegaSync, and a bunch of xfce processes. In the general one, there are also some gnome processes (even though I don’t thing I have gnome installed), notifications, software update, print, and audio.

Will try renoving those lines.

My /opt folder only has:

$ ll /opt/
total 8.0K
drwxr-xr-x 3 root root 4.0K May 17 11:48 cisco/
drwxr-xr-x 3 root root 4.0K Mar 16 09:47 Citrix/

Cisco folder is from AnyConnect, that I uninstalled recently (thought it could be the one that installed Cybereason).
Citrix folder is from Citrix client.

Nope, that did not help… and the lines came up again.