Sophos classifies prl_vm_app as Ransomware

Discussion in 'Linux Guest OS Discussion' started by DietrichL3, Aug 6, 2021.

  1. DietrichL3

    DietrichL3 Bit Poster

    Messages:
    7
    Dear all,

    For months I have had the problem that Sophos, running in the background as a virus scanner, classifies prl_vm_app as ransomware. This means that shared folders are disconnected. After reboot, the machine sometimes works again but is very slow. For example, it often takes seconds to take keyboard inputs.

    The file resulting in a detection is prl_vm_app with the path:
    /Applications/Parallels\ Desktop.app/Contents/MacOS/Parallels\ VM.app/Contents/MacOS/prl_vm_app

    #>
    Code:
     ls -l  prl_vm_app
    -rwxr-xr-x 1 root wheel 16885312 26 Jul 12:58 prl_vm_app*
    and sum is 52440

    I'm running Linux Fedora 30 as guest with kernel 5.2.5 and macOS 10.15.

    The problem first started after I applied a kernel patch
    https://forum.parallels.com/threads...d-folders-mount-with-exec.352815/#post-885756
    and I thought this might be the reason for the detection. However, I returned to my old 5.2.5 kernel, but the problem is still there.

    I could not accept the error in the virus scanner since this is a machine from a research institute where I do not have permission to ignore the detection.

    I'm aware that other Parallels programs were already detected wrongly by Sophos, but could not find anything about prl_vm_app. Any suggestions and help are appreciated since this behavior virtually switches off all my virtual boxes.

    Regards
    DL
     
  2. (GalaxyMaster)

    (GalaxyMaster) Kilo Poster

    Messages:
    90
    @DietrichL3, prl_vm_app (and anything that is located in /Applications/) is the host system. Any patches you apply to the Parallels Tools and kernels are in the guest systems and are irrelevant to the issue you have with Sophos. The prl_vm_app process represents the virtual machine you are running -- it is the entry point to the VM.
     
