ArcGIS Pro Install Failure 2.1 - 2.3.x and McAffee rules

4060
12
Jump to solution
06-28-2019 08:52 AM
DavidColey
Frequent Contributor

Hello - Warning! This post contains profanity!

We just discovered something very disturbing in the installation packages preventing Pro installs of 2.1  - 2.3.x.  Running the install as an administrator from the installation package, or running an un-install from control panel on windows 10 machines - both the install and and uninstalls fail in a very disturbing location.

Specifically, the install / uninstall fails at this location during the runtime:

C:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3\Lib\site-packages\notebook\static\components\codemirror\mode\brainf**k\brainf**k.js

I'm sure everyone understands what letters the '**' is referring to. 

The file is inaccessible through any js or readers like notepad ++, even with admin rights.  Regardless, I wouldn't care that the name contains profanity only that this is where install - uninstalls are failing!

First off, what developer would ever name a directory and a js file with that name??!!

Someone at esri needs to look into this ASAP!

Thanks

Tags (1)
1 Solution

Accepted Solutions
DavidWatkins
Esri Contributor

Thank you for bringing this to our attention.  We have been including an open source Python merge module that contains a folder/file named with an offensive English word for multiple releases.  Esri apologizes for this.  This is not malware and we are not aware of any security vulnerabilities caused by this file at this time.

 

For more information on this file please see the following.  We will release more information as it becomes available.

- David Watkins, ArcGIS Pro Product Manager

View solution in original post

12 Replies
DanPatterson_Retired
MVP Emeritus

perhaps it is the javascript version of BF (a minimalist language with a variety of derivatives.

https://en.wikipedia.org/wiki/JS****

but yes... it shouldn't exist in the install

Kory Kramer‌ could you pass this on … I am sure someone is familiar with BF

0 Kudos
DavidColey
Frequent Contributor

Pardon me Dan, but wouldn't you agree that that's total BS, no pun intended . . . . regardless of the mal-name.

0 Kudos
DavidColey
Frequent Contributor

moreover, I can certainly see malware programs like McAffee seeing that name as a potential threat and thus fail the installs

DavidColey
Frequent Contributor

I can't even access the file in my cloned environment either.  We all have enough threats to deal with so if this was a joke of some sort it's not very funny

0 Kudos
DanPatterson_Retired
MVP Emeritus

Not sure what you mean as the BS.  BF has been around for some time.  Any of its variants aren't part of the install if is 'malware' or something else is involved, it shouldn't be there either.

In any case, I informed Kory and it is being dealt with.

Have a good weekend

0 Kudos
KoryKramer
Esri Community Moderator

Already did, but let's not jump to any conclusions about malware.  We'll have somebody look at the thread here...

0 Kudos
DavidColey
Frequent Contributor

Yes please do thanks

0 Kudos
DavidColey
Frequent Contributor

Right so ok this is not a hack and yes, the name is legit if 'esoteric'  But at the same time, the name violates a label rule in our enterprise McAffee.  We are working with our security team to make a specific exception for this pathway.  I am editing the title of this post.

ThomasColson
MVP Frequent Contributor

Greatest. Post. Ever. 

Check out C:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3\Lib\site-packages\jupyterlab\staging\yarn.js line 91128, just be glad THAT text isn't part of the EULA! 

ESRI has little (no) control over the content/name of the Python Packages that get baked into the install.