Cybereason icon just appeared on status bar

I’ve been using Manjaro for a while, but last week a new icon appeared on the status bar. When right-clicking it says it is from Cybereason, but I did not install it.

Tried to figure out which package it comes from, but no good…
Is this legit?
Any idea of what this might be and how to remove it?

Thanks,

Welcome to the forum!

To the best of my knowledge, this is neither a package from the Manjaro repositories nor from the AUR.

It appears to be related to intercepting and preventing ransomware.

Still, it’s weird it appears out of thin air. Is your computer part of a company network or something?

whereis cybereason

The computer is in a company network, but I am the only one with su access.

[g-12-l0002]$ whereis cybereason
cybereason:[g-12-l0002]$ 

This shows it is not in PATH, meaning it can only be launched directly from its executable.
Considering your computer is in a company network, and that that software is security oriented, your IT department might know something about it.

But they do not have any access to my machine. I am the only user and the only one with root access.

Are you sure about that?

Just talked with the IT department, and they do not use Cybereason.
Is there a way to see where the program is installed? It does not show up under “Add/Remove Software”.

Two ways I can think of:

  • Search the whole system for something called cybereason (supposing the name is actually used); it can take some time:
    find / -name cybereason
  • Check the processes in the Task Manager; that icon in the tray should have a running process. If you don’t find the name, you can also look for unusual processes – though many running in the background are usually unknown to the casual user.

No file found with name cybereason.

Also tried to find the PID from the open window, but the task manager could not find it (can not upload screenshot).

If the program starts on boot, then check the autostart folder for startup files at ~/.config/autostart/, for example, or a system-wide folder like /etc/xdg/autostart/. When you find it, you could start going upstream and find if a package owns the files and so on, but start from here: find what autostarts what on boot.

Did you set it to find processes from all users?


That may be - but you may have installed something which has installed it - the question is what.

The when can perhaps be looked up by examining the pacman logs - but I doubt it - as cybereason is not in any Manjaro repo and neither in AUR - under another name maybe but that’s too little to go on.

Then it is likely located somewhere in your home. Open a terminal in your home folder and run

grep -rl 'cybereason'

If you get no results - there’s even more reason to be suspicious - in that case you need to get your IT to help you - it could be the result of a drive-by-attack which could not execute because it is a Linux system - no forum comment can help you - talk to IT about your worries.

Cannot really see anything suspicious:

$ ls -1 ~/.config/autostart/
blueman.desktop
megasync.desktop
xcape.desktop
xfce4-clipman-plugin-autostart.desktop
xfce4-settings-helper-autostart.desktop
xfce4-tips-autostart.desktop
xfce-panel-workaround.desktop
xfce-pbw.sh
xfconf-migration-4.6.desktop

$ ls -1 /etc/xdg/autostart/
at-spi-dbus-bus.desktop
blueman.desktop
gnome-keyring-pkcs11.desktop
gnome-keyring-secrets.desktop
gnome-keyring-ssh.desktop
light-locker.desktop
msm_notifier.desktop
nm-applet.desktop
pamac-tray-budgie.desktop
pamac-tray.desktop
print-applet.desktop
pulseaudio.desktop
snapshot-detect.desktop
xapp-sn-watcher.desktop
xfce4-clipman-plugin-autostart.desktop
xfce4-notifyd.desktop
xfce4-power-manager.desktop
xfce-polkit-gnome-authentication-agent-1.desktop
xfsettingsd.desktop
xiccd.desktop
xscreensaver.desktop

As for the:

grep -rl 'cybereason'

it only found browser cache related files (Firefox and Brave) and .config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml with the content:

    <property name="plugin-13" type="string" value="systray">
      <property name="known-legacy-items" type="array">
        <value type="string" value="cybereason
your pc is protected"/>
        <value type="string" value="cybereason your pc is protected"/>
        <value type="string" value="com.cisco.anyconnect.gui"/>
        <value type="string" value="consider changing your password"/>
        <value type="string" value="thunar"/>
        <value type="string" value="idle"/>
        <value type="string" value="collecting data"/>
        <value type="string" value="pamac-tray"/>
        <value type="string" value="networkmanager applet"/>
        <value type="string" value="clipman"/>
      </property>
      <property name="single-row" type="bool" value="true"/>
      <property name="hide-new-items" type="bool" value="false"/>
      <property name="square-icons" type="bool" value="false"/>
      <property name="hidden-legacy-items" type="array">
      </property>
      <property name="symbolic-icons" type="bool" value="false"/>
      <property name="menu-is-primary" type="bool" value="false"/>
      <property name="icon-size" type="int" value="22"/>
      <property name="known-items" type="array">
        <value type="string" value="vlc"/>
        <value type="string" value="MEGAsync"/>
        <value type="string" value="io.github.quodlibet.QuodLibet-1"/>
        <value type="string" value="MSM Notifier"/>
      </property>
      <property name="hidden-items" type="array">
      </property>
    </property>

Here goes the screenshot, in case it helps:
https://paste.pics/7d33ff5790931ce8a5512b4652608906

Also have you simply read through the list of running processes?

Doing some reading on cybereason.
Question
Do you have Windows also installed on this computer?
If so is it possible you installed some kind of Ransomware Protection?
Cybereason is included in some Ransomware protection software.

Did you check what each file does?
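
Added example (not part of any post in this thread): one way to act on the autostart suggestions above, printing the command behind each .desktop entry and, on a pacman system, the package that owns its binary. The function names are hypothetical, and taking the first word of Exec= as the binary is a simplification.

```shell
#!/bin/sh
# Added example: show what each XDG autostart entry launches and who owns it.
TAB=$(printf '\t')

# Print "<desktop file><TAB><Exec command>" for each *.desktop file in the
# given directories (default: the two autostart folders named in the thread).
autostart_execs() (
    [ "$#" -gt 0 ] || set -- "$HOME/.config/autostart" /etc/xdg/autostart
    for dir in "$@"; do
        for file in "$dir"/*.desktop; do
            [ -f "$file" ] || continue
            # ^Exec matches the launch command but not TryExec=.
            cmd=$(sed -n 's/^Exec[[:space:]]*=[[:space:]]*//p' "$file" | head -n 1)
            printf '%s\t%s\n' "$file" "${cmd:-<no Exec line>}"
        done
    done
)

# Name the package owning the command's first word (simplification: quoted
# paths and wrappers such as "sh -c ..." are not unpacked).
owner_of() (
    bin=${1%% *}
    path=$(command -v "$bin" 2>/dev/null) || { echo "NOT-FOUND"; exit 0; }
    case $path in /*) ;; *) echo "NOT-A-FILE"; exit 0 ;; esac
    command -v pacman >/dev/null 2>&1 || { echo "UNKNOWN"; exit 0; }
    pacman -Qoq "$path" 2>/dev/null || echo "UNOWNED"
)

# One line per entry: owner, file, command. UNOWNED and NOT-FOUND entries are
# the ones to inspect by hand.
audit_autostart() {
    autostart_execs "$@" | while IFS="$TAB" read -r file cmd; do
        printf '%-10s %s -> %s\n' "$(owner_of "$cmd")" "$file" "$cmd"
    done
}

if [ "${1:-}" = "--run" ]; then audit_autostart; fi
```

Run it as `sh script.sh --run`; files in the autostart folders that are not .desktop entries (such as xfce-pbw.sh in the listing above) are skipped because the session does not launch them from there.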

You can try removing these lines from that file and relog:

<value type="string" value="cybereason
your pc is protected"/>
        <value type="string" value="cybereason your pc is protected"/>

What’s the content of your /opt folder?
Someone did install this on your machine. Question is if it was intentional or not. Cybereason only seems to have Pro and above plans, which I assume cost money.

There are a lot of processes, but nothing that resembles cybereason. And no, Win is not installed on this computer.

@omano looked into the files, but it seems that it is bluetooth manager, MegaSync, and a bunch of xfce processes. In the general one, there are also some gnome processes (even though I don’t think I have gnome installed), notifications, software update, print, and audio.

@Strit
Will try removing those lines.

My /opt folder only has:

$ ll /opt/
total 8.0K
drwxr-xr-x 3 root root 4.0K May 17 11:48 cisco/
drwxr-xr-x 3 root root 4.0K Mar 16 09:47 Citrix/

Cisco folder is from AnyConnect, that I uninstalled recently (thought it could be the one that installed Cybereason).
Citrix folder is from Citrix client.

Nope, that did not help… and the lines came up again.