Malicious behavior in QueenBee.exe

Mathiassn · January 7, 2021, 3:36pm

Hi all,

I’m experiencing that my Sophos antivirus blocks the queenbee thread.

Has anyone experienced similar and knows a fix?

EDIT: This was on the LBT example on annual daylight.

mostapha · January 7, 2021, 3:48pm

Hi @Mathiassn, this file is the entry point for queenbee command line interface. There is nothing malicious there.

Here is the pointer that creates the exe file when you run the pip install command.

github.com

pollination/queenbee/blob/1e000652478237ab28f432f8005b777787e93b53/setup.py#L25-L27


entry_points={
    "console_scripts": ["queenbee = queenbee.cli:main"]
},

and here is the source code of the command line interface:

Does it provide any other information on what is being flagged as malicious?

Mathiassn · January 7, 2021, 4:04pm

Thanks Mostapha, I’ll have to talk to our IT guys to get more info out of Sophos.

Hope you are all well despite Covid, fake news and riots!

mostapha · January 7, 2021, 4:13pm

All good here! Thank you for asking. Let us know where you end up with this and we can hopefully resolve it together. Cheers.

chris · January 7, 2021, 6:51pm

Hey @Mathiassn ,

Thanks for letting us know and for the moral support.

Would you mind running a quick test for us to see if the issue is specifically with the queenbee.exe or the Ladybug Tools CLI in general? The attached script will try to parse an SQL file from EnergyPlus using the honeybee CLI instead of IronPython code running directly in the component:

LBT_CLI_test.gh (15.7 KB)

Here’s a sample SQL file that you can use to test the Grasshopper file:
eplusout.sql (1.4 MB)

If it doesn’t succeed, please let us know the error message.

Mathiassn · January 8, 2021, 9:11am

I’ve got this from our IT guys:

CLI fra Queenbee: “c:\users\USERNAME\ladybug_tools\python\python.exe” “C:\Users\USERNAME\ladybug_tools\python\Scripts\queenbee.exe” luigi translate C:\Users\USERNAME\ladybug_tools\resources\recipes\honeybee_radiance_recipe\annual_daylight.yaml C:\Users\USERNAME\simulation\sample_model_grid\Radiance -i C:\Users\USERNAME\simulation\sample_model_grid\Radiance\annual-daylight-inputs.json --workers 5 --env RAYPATH=C:\Radiance\lib --env PATH=C:\Radiance\bin –run

Mathiassn · January 8, 2021, 9:17am

Hi Chris,

IT got the queenbee.exe whitelisted as it was a false positive.

After that I tried your example with no warnings from antivirus.

however im getting a gh msg, but not sure if that’s intended.

and I had to unblock the sql file.

chris · January 8, 2021, 8:32pm

Hey @Mathiassn ,

Sorry. I gave you an example that requires the latest development version of the plugin to work. Can you try the attached example, which should work in both the latest version and the last stable release (1.1.0)? You can use the same .sql file to test it as before.

LBT_CLI_test.gh (12.2 KB)

And, yes, what the IT guys gave you is the command that’s being run to execute the recipe.

Mathiassn · January 14, 2021, 3:48pm

Looks like it works, but we whitelisted queenbee, I’m unsure if it will work without the whitelist tbh.