Attack surface reduction


Mike Sullivan

Jan 8, 2024, 10:37:09 AM
to Excel-DNA
In locked-down corporate IT environments, there is a restriction that prevents Excel-DNA from creating executables, notably:

Blocked by: Attack surface reduction
Rule: Block Office apps from creating executable content
Affected items: C:\Users\xxxx\AppData\Local\Temp\ExcelDna.Host\<guid>\ExcelDna.ManagedHost.dll

Is this expansion of the XLL necessary or can I send unpacked dlls in my installation? Is there documentation or notes somewhere?

Mike

Govert van Drimmelen

Jan 9, 2024, 2:06:15 AM
to exce...@googlegroups.com

Hi Mike,

It is a limitation under .NET 6+ that we need the initially loaded managed assembly to be on disk, with the resulting plan the one you report, where we extract the managed host assembly from a resource entry in the .xll to a temporary directory. The other file copied to the temp directory is ‘ExcelDna.Host.runtimeconfig.json’, which is not executable.

Under .NET Framework 4.x we can load everything from memory, so we don’t have this issue.

As you suggest, one option is to build an ‘unpacked’ add-in, which contains no embedded resources but just a collection of loose files.

To do this, you add the following property to your project file:

    <ExcelDnaUnpack>true</ExcelDnaUnpack>

After rebuilding, your ‘publish’ directory will have the loose assemblies, including ExcelDna.ManagedHost.dll.

If you keep the ExcelDna.ManagedHost.dll file in another directory, and then rebuild without the ‘ExcelDnaUnpack’ option, we’ll have a packed single file add-in again. Copying only the ExcelDna.ManagedHost.dll you kept next to it will give you an add-in that loads without copying the executable file to the temp directory. So that’s a kind of hybrid solution.

-Govert
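
The hybrid packaging steps described in the reply above, scripted as an added example (not part of the original post and not Excel-DNA's own tooling). The parameter names, the stash directory, and passing `ExcelDnaUnpack` on the `dotnet build` command line instead of in the project file are assumptions; the project file itself must not set the property.

```powershell
# Added example: build unpacked, keep ExcelDna.ManagedHost.dll, rebuild packed,
# then place the kept DLL next to the packed .xll so nothing executable has to
# be extracted to %TEMP% at load time.
param(
    [Parameter(Mandatory)] [string] $Project,    # assumption: path to the add-in .csproj
    [Parameter(Mandatory)] [string] $PackedXll,  # assumption: where your build writes the packed .xll
    [string] $Configuration = 'Release'
)
$ErrorActionPreference = 'Stop'
$hostDll = 'ExcelDna.ManagedHost.dll'
$projDir = Split-Path -Parent (Resolve-Path $Project).Path
$stash   = Join-Path $projDir 'managedhost-stash'   # hypothetical directory outside bin\

# 1. Unpacked build: loose assemblies, including the managed host, are written out.
dotnet build $Project -c $Configuration -p:ExcelDnaUnpack=true
if ($LASTEXITCODE -ne 0) { throw 'Unpacked build failed.' }

# 2. Keep the managed host in another directory before the next build overwrites the output.
$found = Get-ChildItem -Path (Join-Path $projDir 'bin') -Recurse -Filter $hostDll |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $found) { throw "$hostDll not found under bin\ after the unpacked build." }
New-Item -ItemType Directory -Force -Path $stash | Out-Null
Copy-Item $found.FullName -Destination $stash -Force

# 3. Rebuild without the ExcelDnaUnpack option to get the packed single-file add-in again.
dotnet build $Project -c $Configuration --no-incremental
if ($LASTEXITCODE -ne 0) { throw 'Packed build failed.' }
if (-not (Test-Path $PackedXll)) { throw "Packed add-in not found at $PackedXll." }

# 4. Copy only the kept managed host next to the packed .xll.
$deployDir = Split-Path -Parent (Resolve-Path $PackedXll).Path
Copy-Item (Join-Path $stash $hostDll) -Destination $deployDir -Force

# 5. Record hashes of the two files that ship, so the installed copies can be
#    compared against the build output later.
Get-FileHash -Algorithm SHA256 -Path (Resolve-Path $PackedXll).Path, (Join-Path $deployDir $hostDll) |
    Format-List Path, Hash
```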


Mike Sullivan

Jan 9, 2024, 5:14:43 PM
to exce...@googlegroups.com
Hi Govert,

It is a kind of a pain to implement, but it works. 
Thank you for the quick response and workaround. 

m
