Sublime Forum

plugin_host.exe will be detected as a malware threat by Trend Micro OfficeScan

#1

Recently, my company changed the endpoint protection software to Trend Micro OfficeScan. Unfortunately, the endpoint software from time to time flags plugin_host.exe from ST 3, Build 3144 as an offending process, and the file gets deleted each time.

The violation is called: “unauthorized file encryption”. Any idea how to prevent that?

0 Likes

#2

The latest detection points to the encryption/decryption of a Monokai Pro icon. Maybe the external theme Monokai Pro by @monokai could be a reason.

Maybe @monokai could say something about that. Do you pack/unpack or encrypt some content of your theme during installation/update/runtime?

0 Likes

#3

Even without Monokai Pro I got the Trend Micro OfficeScan detections. This time I tried to install A File Icon and DA UI.

On one occasion the behavioural detection named as its target, in the description, patches\general\single\file_type_actionscript.png within A File Icon.

Maybe @ihodev knows more. My initial idea is still that some packages pack/unpack or do similar stuff. Is that true for A File Icon as well?

0 Likes

#4

Corrected typo from @molokai to @monokai. Posting the mention again because I am not sure if a notification is triggered by editing a mention.

0 Likes

#5

That is strange. I can say that Monokai Pro doesn’t pack / unpack or encrypt / decrypt any icons.

1 Like

#6

It’s not Monokai. It’s most likely crappy antivirus heuristics. Mine does the same thing... I think my work uses Symantec. It’s possible you could report it to Trend Micro and they might put in an ignore for it in the future. I’m not the biggest fan of Trend Micro or Symantec, but I use what my work puts on my machine.

0 Likes

#7

Thanks for your feedback. It was just an idea. Maybe during the update of packages, and especially themes with icons, there is something that triggers the heuristic engine of my antivirus solution. Nevertheless, that behaviour is quite annoying.

0 Likes

#8

In short, A File Icon does nothing more than PackageResourceViewer in terms of extracting the icons. If you install A File Icon via Package Control, it downloads the A File Icon.sublime-package file (this file is just a zip with a .sublime-package extension), the plugin extracts some files (icons, syntax aliases) from it, nothing more, and only standard Python stuff is used.

So, I completely agree with @facelessuser

0 Likes
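To make the point in the post above concrete, here is an added example (not A File Icon's or PackageResourceViewer's own code) that treats a .sublime-package as the plain zip it is and pulls out only the icon files with the standard-library zipfile module. The archive is constructed in memory as sample input, the member names and the helper names are this example's own, and it includes the check a practitioner would want on any archive extraction: refusing member names that would write outside the destination directory.

```python
"""
Extract selected members (e.g. icons) from a .sublime-package archive.

A .sublime-package is a plain zip file with a different extension, so the
standard-library zipfile module is all that is needed; nothing is encrypted.
The sample archive below is constructed in memory for the demo; the helper
names are this example's own, not A File Icon's code.
"""
import io
import posixpath
import tempfile
import zipfile
from pathlib import Path

# Minimal PNG signature bytes; enough to make the sample members recognisable.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def build_sample_package() -> bytes:
    """Construct a tiny .sublime-package (zip) in memory as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("patches/general/single/file_type_actionscript.png", PNG_MAGIC + b"\x00" * 16)
        zf.writestr("patches/general/single/file_type_python.png", PNG_MAGIC + b"\x00" * 16)
        zf.writestr("aliases/extra.sublime-syntax", "%YAML 1.2\n---\nname: Example\n")
        zf.writestr("README.md", "# sample package\n")
        # A hostile member name (constructed): must be refused, never written outside dest.
        zf.writestr("../../evil.png", PNG_MAGIC)
    return buf.getvalue()


def list_members(package_bytes: bytes) -> list[str]:
    """Return every member name in the archive, exactly as stored."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        return zf.namelist()


def extract_icons(package_bytes: bytes, dest: Path, suffix: str = ".png") -> list[str]:
    """Extract members ending in `suffix` into `dest`, refusing path traversal.

    Returns the archive member names that were actually written.
    """
    dest = dest.resolve()
    written: list[str] = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or not name.endswith(suffix):
                continue
            # Normalise and reject absolute paths or leading '..' (zip-slip).
            norm = posixpath.normpath(name)
            if norm.startswith("/") or norm.split("/")[0] == "..":
                continue
            target = (dest / Path(*norm.split("/"))).resolve()
            # Belt and braces: the resolved target must still sit under dest.
            if dest not in target.parents:
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(name)
    return written


def demo() -> list[str]:
    """Run the extraction against the sample archive in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return extract_icons(build_sample_package(), Path(tmp))


if __name__ == "__main__":
    print("members:  ", list_members(build_sample_package()))
    print("extracted:", demo())
```

Nothing in that flow is more exotic than reading a zip and writing a few files, which is the behaviour a "file encryption" heuristic apparently mis-classifies; the traversal guard is the one thing worth adding over a bare `ZipFile.extractall`.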

#9

Maybe. On my work machines I try to use ST with Package Control disabled, so I can’t trigger any updates or installations unintentionally.

What would be the best way to disable Package Control? Add it to ignored_packages?

0 Likes

#10

I think yes :slight_smile: Also, you can use ST without it; however, that requires manual installation of all packages, and if some package needs dependencies, the way to add them is not so obvious.

0 Likes

#11

I think you could also keep it enabled but turn off auto_upgrade and install_missing in the Package Control settings, and then it won’t try to upgrade/install anything unless you tell it to. That might be handy, since you can use it for other things like enabling and disabling packages interactively.

0 Likes
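The two options discussed in the thread, adding Package Control to ignored_packages (posts #9 and #10) and leaving it enabled with auto_upgrade and install_missing turned off (post #11), both come down to editing JSON settings files under the Packages/User directory. The following is an added example, not part of the original thread and not Package Control's own code, that applies either change while merging into whatever the files already contain (for instance the installed_packages list) instead of overwriting them. It assumes the User directory is passed in explicitly and that existing files are strict JSON; Sublime itself tolerates comments and trailing commas, which json.loads does not, so such a file will raise rather than be silently clobbered.

```python
"""
Quiet or disable Package Control by editing the user settings files.

Added example for the thread; helper names are this example's own.
Assumes `user_dir` is Sublime's Packages/User directory and that any
existing settings files there are strict JSON (no comments, no trailing
commas), otherwise json.loads raises and nothing is written.
"""
import json
import sys
import tempfile
from pathlib import Path

PC_SETTINGS = "Package Control.sublime-settings"
PREFS = "Preferences.sublime-settings"


def _load(path: Path) -> dict:
    """Read a settings file as a dict; a missing file is an empty dict."""
    if not path.exists():
        return {}
    return json.loads(path.read_text(encoding="utf-8"))


def _save(path: Path, data: dict) -> None:
    path.write_text(json.dumps(data, indent=4) + "\n", encoding="utf-8")


def freeze_package_control(user_dir: Path) -> dict:
    """Option from post #11: keep Package Control, stop it acting on its own."""
    path = user_dir / PC_SETTINGS
    data = _load(path)
    data["auto_upgrade"] = False     # no background upgrades of packages
    data["install_missing"] = False  # no automatic install of listed packages
    _save(path, data)
    return data


def ignore_package_control(user_dir: Path) -> list[str]:
    """Option from posts #9/#10: disable the package via ignored_packages."""
    path = user_dir / PREFS
    data = _load(path)
    ignored = list(data.get("ignored_packages", []))
    if "Package Control" not in ignored:  # idempotent: no duplicate entries
        ignored.append("Package Control")
    data["ignored_packages"] = ignored
    _save(path, data)
    return ignored


def demo() -> tuple[dict, list[str]]:
    """Exercise both helpers against constructed settings in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        user_dir = Path(tmp)
        # Constructed pre-existing settings that must survive the merge.
        _save(user_dir / PC_SETTINGS, {"installed_packages": ["A File Icon", "Monokai Pro"]})
        _save(user_dir / PREFS, {"font_size": 12, "ignored_packages": ["Vintage"]})
        pc = freeze_package_control(user_dir)
        ignore_package_control(user_dir)
        ignored = ignore_package_control(user_dir)  # second call: still one entry
        return pc, ignored


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] in ("freeze", "ignore"):
        target = Path(sys.argv[2])  # e.g. %APPDATA%\Sublime Text 3\Packages\User
        result = freeze_package_control(target) if sys.argv[1] == "freeze" else ignore_package_control(target)
        print(json.dumps(result, indent=4))
    else:
        print(demo())
```

Run it as `python quiet_pc.py freeze <User dir>` or `python quiet_pc.py ignore <User dir>`; with no arguments it runs the self-contained demo. Note that the ignore route disables Package Control entirely, which is what post #12 reports as stopping the plugin_host.exe deletions, whereas the freeze route keeps it available for manual use.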

#12

Thanks. I might try that.

Currently, with Package Control disabled, it seems to prevent plugin_host.exe from being deleted by Trend Micro. :slight_smile:

0 Likes