Excel-DNA / ExcelDna

Excel-DNA - Free and easy .NET for Excel. This repository contains the core Excel-DNA library.
https://excel-dna.net
zlib License

Symantec Endpoint Protection False Positive #434

Open Stefano-VLN opened 2 years ago

Stefano-VLN commented 2 years ago

The "*-packed.xll" file is identified as "Heur.AdvML.B" and thus removed.

Any advice on how to proceed?

Thank you

govert commented 2 years ago

@Stefano-VLN It's very frustrating - you should definitely report the problem to your anti-virus vendor.

From the Excel-DNA side, we've made some changes to the packing that might help - you can try the pre-release v 1.6.0-Preview2 package from NuGet. We're still working on a matching release for the extension libraries.

Stefano-VLN commented 2 years ago

Unfortunately updating to the pre-release version didn't help, same false positive :(

govert commented 2 years ago

Is the error when building, or is the packed file identified as the problem? Some people have also reported success after signing the resulting add-in files.

Stefano-VLN commented 2 years ago

The building seems ok, the "AddIn-packed.xll" file is correctly created and shortly after disappears as it is recognized by the AV. Funnily enough, the "AddIn64-packed.xll" is not flagged as a virus.

How could I sign the add-in files?

govert commented 2 years ago

This might help a bit https://groups.google.com/g/exceldna/c/38CTXyqRbNA/m/kVLkfZCBBgAJ

andrewkittredge commented 2 years ago

We (Calcbench) purchase a Comodo code signing certificate and sign the -AddIn64.xll and .msi generated by WIX. We have not had anti-virus problems in a while.

We use the line below in our wixproj file -

<PreBuildEvent>"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /v /t http://timestamp.comodoca.com/authenticode /fd SHA256 /sha1 ....9c8205 ..\..\..\CalcbenchExcel\bin\Debug\CalcbenchExcel-AddIn64.xll</PreBuildEvent>
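
A post-build script that applies the same signtool step to every add-in file in the output folder and then verifies each signature two ways, added here as an example and not code from the thread or from the Excel-DNA project; the certificate thumbprint, output folder, timestamp URL and SDK path are assumptions passed in as parameters.

```powershell
# Added example: sign Excel-DNA add-in outputs (.xll, .msi) and verify the result.
# Assumes signtool.exe from the Windows SDK and a code-signing certificate in the
# CurrentUser\My store selected by its SHA-1 thumbprint (as in the wixproj line above).
param(
    [Parameter(Mandatory)] [string] $CertThumbprint,                # assumption: your cert's thumbprint
    [string] $OutDir       = "bin\Release",                         # assumption: build output folder
    [string] $TimestampUrl = "http://timestamp.comodoca.com/authenticode",
    [string] $SignTool     = "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe"
)

$ErrorActionPreference = "Stop"
if (-not (Test-Path $SignTool)) { throw "signtool.exe not found at $SignTool" }

# Both the packed .xll files (32-bit and 64-bit) and any WiX-built installer.
$targets = Get-ChildItem -Path (Join-Path $OutDir '*') -Include '*.xll', '*.msi' -File
if (-not $targets) { throw "no .xll or .msi files found under $OutDir" }

foreach ($file in $targets) {
    # Same options as the wixproj PreBuildEvent: SHA-256 file digest, timestamped.
    & $SignTool sign /v /fd SHA256 /sha1 $CertThumbprint /t $TimestampUrl $file.FullName
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $($file.Name)" }

    # Check 1: signtool's own verification against the default Authenticode policy (/pa).
    & $SignTool verify /pa /v $file.FullName
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed for $($file.Name)" }

    # Check 2: independent confirmation through PowerShell's Authenticode API,
    # which also reports the signer so a wrong certificate is noticed immediately.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -ne 'Valid') { throw "$($file.Name): $($sig.StatusMessage)" }
    Write-Output ("{0}: signed by {1}" -f $file.Name, $sig.SignerCertificate.Subject)
}
```

Run it as a post-build step after the Excel-DNA pack step has produced the *-packed.xll files; a failure at either verification stops the build rather than shipping an unsigned or wrongly signed add-in.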

rkapl123 commented 1 year ago

Dear Govert!

I've got the same issue now with Trellix/McAfee virus scanner: After packing the scanner immediately notifies that the packed xll contains a Trojan-FUTW!

Isn't there any chance to modify the packing mechanism (different algorithm)?

I also tried 1.6.0 and setting both ExcelDnaPackCompressResources Condition and ExcelDnaPackRunMultithreaded to false, but that didn't help either...

-regards, Roland

govert commented 1 year ago

@rkapl123 In addition to ExcelDnaCompressResources you might go further and set <ExcelDnaUnpack>true</ExcelDnaUnpack> which will publish the add-in with no embedded assemblies at all - all the libraries are loose files next to the .xll file.

However, I no longer think the problem is the packing mechanism, or that it helps to side-step the anti-virus checks by making the packing more obfuscated. The anti-virus is not really detecting that the add-in contains a trojan, but is recognizing that the add-in looks similar to a malicious trojan-containing add-in. This recognition check may be based purely on the native code - it's just saying the add-in looks similar to a known malicious add-in that downloads and runs malicious code. If your anti-virus software thinks that all Excel-DNA add-ins are malicious (because some are), and hence blocks them, then you're going to have a hard time hiding the fact that your add-in is made with Excel-DNA. Best is to try to engage your anti-virus vendor and try to understand what they really need. See https://groups.google.com/g/exceldna/c/Tz2IHKIEziM/m/c-E_36p0CAAJ for a discussion like that. I'm happy to help if your anti-virus vendor has specific suggestions.