Open Stefano-VLN opened 2 years ago
@Stefano-VLN It's very frustrating - you should definitely report the problem to your anti-virus vendor.
From the Excel-DNA side, we've made some changes to the packing that might help - you can try the pre-release v 1.6.0-Preview2 package from NuGet. We're still working on a matching release for the extension libraries.
Unfortunately updating to the pre-release version didn't help, same false positive :(
Is the error when building, or is the packed file identified as the problem? Some people have also reported success after signing the resulting add-in files.
The building seems ok, the "AddIn-packed.xll" file is correctly created and shortly after disappears as it is recognized by the AV. Funnily enough, the "AddIn64-packed.xll" is not flagged as a virus.
How could I sign the add-in files?
This might help a bit https://groups.google.com/g/exceldna/c/38CTXyqRbNA/m/kVLkfZCBBgAJ
We (Calcbench) purchase a Comodo code signing certificate and sign the -AddIn64.xll and .msi generated by WIX. We have not had anti-virus problems in a while.
We use the below line as a
<PreBuildEvent>"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /v /t http://timestamp.comodoca.com/authenticode /fd SHA256 /sha1 ....9c8205 ..\..\..\CalcbenchExcel\bin\Debug\CalcbenchExcel-AddIn64.xll</PreBuildEvent>
Dear Govert!
I've got the same issue now with Trellix/McAfee virus scanner: After packing the scanner immediately notifies that the packed xll contains a Trojan-FUTW!
Isn't there any chance to modify the packing mechanism (different algorithm)?
I also tried with 1.6.0 and setting both ExcelDnaPackCompressResources Condition and ExcelDnaPackRunMultithreaded to false, but that didn't help either...
-regards, Roland
@rkapl123 In addition to ExcelDnaCompressResources you might go further and set <ExcelDnaUnpack>true</ExcelDnaUnpack>, which will publish the add-in with no embedded assemblies at all - all the libraries are loose files next to the .xll file.
However, I no longer think the problem is the packing mechanism, or that it helps to side-step the anti-virus checks by making the packing more obfuscated. The anti-virus is not really detecting that the add-in contains a trojan, but is recognizing that the add-in looks similar to a malicious trojan-containing add-in. This recognition check may be based purely on the native code - it's just saying the add-in looks similar to a known malicious add-in that downloads and runs malicious code. If your anti-virus software thinks that all Excel-DNA add-ins are malicious (because some are), and hence blocks them, then you're going to have a hard time hiding the fact that your add-in is made with Excel-DNA. Best is to try to engage your anti-virus vendor and try to understand what they really need. See https://groups.google.com/g/exceldna/c/Tz2IHKIEziM/m/c-E_36p0CAAJ for a discussion like that. I'm happy to help if your anti-virus vendor has specific suggestions.
The "*-packed.xll" file is identified as "Heur.AdvML.B" and thus removed.
Any advice on how to proceed?
Thank you