malicious behavior alert when publishing

I received an alert from my desktop virus/malware scanner that an executable within Storyline 360 was flagged and is being blocked.

It happened when publishing a course and said "Malicious Behavior. Ransomware blocked in C:\Program Files (x86)\Articulate\360\Storyline\pngcrush.exe".

Screen image attached.

Has this happened to anyone else?
Anyone know what affect this might have on publishing?

I did submit a case already: number 01043287

19 Replies
Ashley Terwilliger

Thanks Russell for reaching out here and sharing your case #! I see that Eloisa shared some steps with your about our network endpoints and ports that should be enabled, and the steps to uninstall and reinstall the Articulate 360 software. Let us know if your admin or IT team are able to assist with that and if it resolves that error message for you!  

Gary Scott

Is there any documentation on this that could be shared with my IT department to help ease any concerns and maybe help them go towards whitelisting this or removing it from the scan? I currently have an IT swat team arrive at my desk within minutes after I have published any content which causes me to lose access to my system for 30 minutes or so while they are investigating the warning.

Cheryl Hoffman

I experienced the same Sophos issue last week. We whitelisted the file, but published courses resulted in only the Storyline player and a black slide with a spinner in the center when using Google Chrome to view the story_html5.html file. IE and FF were fine - but we have to support all browsers with our published courses.

Installed a new hard drive (unrelated issue), and the issue went away for a few days - but now it's back. I believe Sophos somehow is modifying the registry. I have a ticket open with our IT department. Running SL3.

Ashley Terwilliger

🍹🏝 <-- not the real thing, but the best I can do Cheryl.  

If you're publishing for Web you'd see the story_html5.html file, but publishing for LMS you'd want to point to the index.html file. So you'll want to make sure you're using the right publish setting for the environment where you'll upload it. Also, check what version of each browser you're using and if there are any pending updates. 

Let us know if you need anything else! 

Cheryl Hoffman

Thanks!  I published it the same way I always do. I'm not on the LMS team, so they do their thing, and I do mine. I tell them where the folder is, and they grab it and load it.

I just use story_html5.html to run through the course after publishing to make sure everything's functioning before I hand it over to the LMS team.

Browsers are all up-to-date.

Here's the latest on some troubleshooting I've done:

The course misbehaves in Chrome when I use story_html5.html, but works fine in FF and IE.

The course behaves perfectly in Chrome and FF via the LMS, but is totally blank in IE.

I performed the same test on a few courses published before this Sophos nightmare began, and they are all fine using story_html5.html AND the LMS in all 3 browsers.

Thanks for the cocktail, I need it!  :)

Ashley Terwilliger

I don't know a ton about Sophos (or really anything at all!) but I always recommend publishing for LMS, and pointing to that index.html file. Also, even if you've published for web and included the HTML5 only output you can point to the story.html file as that will default to HTML5 as well. 

When you're testing the story_html5.html are you doing that using the published files on your local drive? Chrome has a number of security restrictions in place with playing back content - so you may also be running into that. We've also seen blank content in IE11 when an LMS forces it into compatibility mode - that'd be something to ask your LMS team about! 

Cheryl Hoffman

Oh, wow - thanks for the info!  I will ask the LMS team about compatibility mode.

I just tried (from my hard drive) both index_lms.html and story.html, and I still get just the player border with a blank black 'slide' and the spinner in the center (it should also be showing the menu area, but isn't). That was with Chrome.

In IE, the index_lms.html file gives all sorts of nasty messages and popups, but eventually shows the player with the menu populated, but a blank (black) slide.

Maybe I'm just using the wrong file to preview the published content? Should I always use story.html? I'm unable to locate a file named "index.html".

Ashley Terwilliger

You're right - it's the index_lms.html (not index.html)! There's a lot of files in there and I confused them, sorry about that. 

Can you try uploading your content to another environment besides your LMS? If you've published for LMS look at using SCORM Cloud. Testing the published output locally can always cause these odd behaviors with local and browser security restrictions at play.