By default, Maya executes a script called userSetup.py (or .mel ) every time it launches. While this is incredibly useful for initializing pipeline tools and custom menus, it is also a primary target for malware. A "Secure User Setup" approach involves:
Preferences ➡️ Security ➡️ Uncheck: Read and execute 'userSetup' scripts
Prevents common Maya-specific viruses (like PhysXPluginStun ) from persisting in your environment.
import hashlib def generate_file_hash(file_path): sha256_hash = hashlib.sha256() with open(file_path, "rb") as f: for byte_block in iter(lambda: f.read(4096), b""): sha256_hash.update(byte_block) return sha256_hash.hexdigest() # Example usage to find your target hash print(generate_file_hash("/net/pipeline/prod/userSetup_core.py")) Use code with caution. Step 2: Deploy the Local Bootstrapper
Checksum verification uses algorithms like SHA-256 to generate a unique digital fingerprint for a file. If a single character in the script changes, the fingerprint changes, and the execution is blocked. The Secure Boot Architecture maya secure user setup checksum verification
Maya looks for userSetup.py and userSetup.mel in specific scripts directories. These include the local user preferences folder and paths defined in the MAYA_SCRIPT_PATH or PYTHONPATH .
One critical vulnerability point is the userSetup.py or userSetup.mel file. These scripts execute automatically when Maya boots. If a malicious actor or a corrupted repository alters these files, arbitrary code can run across an entire studio network.
Checksum verification uses cryptographic hash functions (such as SHA-256) to generate a unique, fixed-size string of characters representing the exact contents of a file.
(not recommended for production):
Only allow plugins from trusted, signed locations. Benefits of This Approach
When downloading Maya from the Autodesk Account portal or an authorized reseller, the vendor typically provides a checksum value (usually SHA-256) for the installer executable or archive. This is your "Source of Truth."
If you want to customize this security setup further, tell me:
Manually updating hardcoded hash strings in your bootstrap file creates workflow friction. Integrate hash generation into your studio's deployment pipeline. When a developer pushes an update to userSetup_core.py , the CI/CD pipeline should automatically calculate the new hash and write it to a signed configuration file or update the bootstrapper deployment. 2. Lock Down File Permissions By default, Maya executes a script called userSetup
When a checksum mismatch occurs, do not just block execution locally. Program your verification script to send a silent webhook or log payload to a centralized monitoring system (like Splunk or ELK stack). This allows security teams to instantly detect if an artist is attempting to install an unauthorized tool or if an active malware strain is attempting to propagate through the network. Conclusion
Beyond code adjustments, you must configure Maya's internal security preferences to prevent malicious scene files from executing embedded script nodes. 1. Enable Native Script Node Security
For automated provisioning (Terraform, Ansible, etc.), include checksum verification as a validation step:
If you need a script to existing infected files The Secure Boot Architecture Maya looks for userSetup