I figured out the reason that Trend Micro was flagging my new application as malware with the HEU_AEGIS_CRYPT event. Apparently this only seems to happen with a console application and not with a Windows GUI application.
The default configuration for DI API involves generating log files under the %ProgramData%\SAP\SAP Business One\Log\SAP Business One\ directory. DI API starts writing these log files when you open a connection to an SAP company database. Apparently enough of these files are generated to convince Trend Micro’s behavior detection that you’re running some sort of ransomware.
I temporarily disabled DI API logging on the server where I had the new application running using the instructions in SAP Note 3406982. I backed up the b1LogConfig.xml file in the C:\Program Files\SAP\SAP Business One DI API\Conf directory and replaced it with the contents described in that note.
If Trend Micro can be configured to exclude the %ProgramData%\SAP\SAP Business One\Log\SAP Business One\ directory, then Trend Micro shouldn’t be shutting down this application.
The client has now added an exclusion for this directory.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.