Hi Gareth,
Thank you for reporting this.
I don’t seem to have this problem with my Windows Defender – maybe you can add some version and other information to track things.
I don’t know whether Defender can tell which library in the Excel process is writing the temp file, so maybe you can also check whether writing to a temp file from VBA is also blocked. I’m guessing these are ongoing attempts to stop Excel malware vectors, including .xll add-ins, xlam files etc. from downloading malware to the machine.
Are you targeting .NET Framework or .NET 6 in this context?
When targeting .NET Framework, I think we would often not write any files at all. The .dna file, assemblies etc. are all loaded from memory. The one exception is the .config file – if it is embedded in the add-in, it will be written to a temp file when loading. You can prevent that by not having a config file in your project at all (maybe doing configuration from code, if possible) or by putting a .xll.config file next to the add-in. Then I think it won’t try to persist the file from resources.
When targeting .NET 6 we write some other temp files during startup. Unfortunately the .NET 6 hosting API is much less friendly and flexible than .NET Framework, and we need some extra bits. I’m not sure there is an option here other than adding an option to ship a bunch of loose files with the add-in. I hesitate to do that, because it would endanger the one real security measure we can offer add-ins, which is to cooperate with the Office signing.
I welcome any more info you can offer.
-Govert
--
You received this message because you are subscribed to the Google Groups "Excel-DNA" group.
To unsubscribe from this group and stop receiving emails from it, send an email to exceldna+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/exceldna/081a14dc-2851-4a44-9a0d-db749e642b95n%40googlegroups.com.
Hi Govert
To clarify, it’s not Windows Defender, it’s Defender Enterprise. I’m targeting .Net Framework, not .Net 6. There is no .config file in my projects.
I found this a few days back, which makes for interesting reading: Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies
This is what the user sees:
Many thanks,
Gareth.
Hi Gareth,
Ah – I see there is stuff being compiled at runtime, which should be easy to avoid.
This should only happen if you have some code in the .dna file, though it might be interpreted that way by mistake.
Maybe you can post the .dna file, or go through it and see what needs to be moved around or cleaned up?
You want to get to something like this:
<?xml version="1.0" encoding="utf-8"?>
<DnaLibrary Name="My Special Add-In" RuntimeVersion="v4.0" xmlns=http://schemas.excel-dna.net/addin/2020/07/dnalibrary>
<ExternalLibrary Path="MyFunctions.dll" ExplicitExports="false" LoadFromBytes="true" Pack="true" IncludePdb="false" />
<Reference Path="Another.Library.dll" Pack="true" />
</DnaLibrary>
If you have ribbon markup in there, it should not be a problem but could easily be moved into the code.
Maybe I’m missing something.
-Govert
From: exce...@googlegroups.com <exce...@googlegroups.com> On Behalf Of Gareth Hayter
Sent: 23 March 2022 23:52
To: Excel-DNA <exce...@googlegroups.com>
Subject: Re: [ExcelDna] Re: Excel-DNA 1.6 - .NET 6 / PackageReference / Anti-virus
Hi Govert
To clarify, it’s not Windows Defender, it’s Defender Enterprise. I’m targeting .Net Framework, not .Net 6. There is no .config file in my projects.
I found this a few days back, which makes for interesting reading: Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies
This is what the user sees:
To view this discussion on the web visit https://groups.google.com/d/msgid/exceldna/0db457ef-f960-4241-a402-1e121e726475n%40googlegroups.com.
Hi Gareth,
There are a few things to clean up.
<DnaLibrary Name="XXXXXXX" Description="XXXXXXX" RuntimeVersion="v4.0">
<ExternalLibrary Path="XXXXXXX.dll" ExplicitExports="true" LoadFromBytes="true" Pack="true" IncludePdb="true" />
<Image Name="imgWarning_32" Path="warning_32.png" Pack="true" />
<Image Name="imgLighthouse_32" Path="Sheet Tabs Layout_32-px.png" Pack="true" />
<Image Name="imgShortcuts_32" Path="gear_32.png" Pack="true" />
<Image Name="imgUpdate_32" Path="internet_download_32.png" Pack="true" />
<Image Name="imgSwitch_32" Path="switch_32.png" Pack="true" />
</DnaLibrary>
To view this discussion on the web visit https://groups.google.com/d/msgid/exceldna/b7f057e4-e6b3-4356-a199-b34b617116c7n%40googlegroups.com.
Hi Kevin,
Can you confirm exactly what anti-virus you are using?
Can you show any details about which files are being detected / quarantined – only the packed .xll files or the ExcelDna.Integration.dll file as well?
Have you reported the false positive to the anti-virus vendor?
We are working on an option to make a loose-files type of add-in, which means there is no packing at all, hopefully avoiding one of the common anti-virus heuristics.
That might still not help in the build environment, where the contents of the NuGet package might get blocked.
But it could help to give a distribution option in some environments.
That will be coming in the next preview version in a few weeks’ time.
To view this discussion on the web visit https://groups.google.com/d/msgid/exceldna/625bbe9d-38b1-4a96-904f-38bb0eeacf81n%40googlegroups.com.
Hello Kevin,
I have been struggling with the CloudStrike Falcon product also, and have gone tough discussions with our security department ☹
For deployment, we have now whitelisted the xll.
Before that, Crowdstrike did not allow the copying of the xll onto our client machines.
However, since a few weeks, I found that a combination of signing the xll with our corporate certificate, and not compressing the components into the xll satifies Crowdstrike.
For not compressing, I use : ExcelDnaPack xxxxxxxxx.Dna /NoCompression
We will now remove the whitelisting and the signed, non-compressed xll can be deployed.
For development on my machine, that remains to date a nightmare.
I cant use nugent at all and need to install ExcelDNA dll’s in another way.
I had to whitelist my development folder also.
Our security department says that this is because all Excel DNA dll’s are not properly signed, which I cannot confirm.
I have gone through a nightmare in convincing our security department that ExcelDNA is ok.
But this whole virus issue is surely putting some issues around using ExcelDNA in a commercial environment – think we must resolve this…
Kind regards – please reply with your Crowdstrike experience as needed.
guido