ExcelDna.Integration version 1.5 incorrectly flagged as malware by Windows Defender


gab...@velixo.com

Nov 9, 2021, 6:29:47 PM
to Excel-DNA
I would like to bring the following to the attention of the community: https://github.com/Excel-DNA/ExcelDna/issues/413

The Add-in Loader fails to initialize due to ExcelDna.Integration.dll getting flagged as malware by Windows Defender. Issue does not affect previous versions of ExcelDna.

<your file>.xll Add-In Loader

A problem occurred while the add-in was creating an isolated application domain and loading required assemblies.

The ExcelDna.ManagedHost.AddIninitialize.Initialize call failed.

The problem started happening today with the latest Windows Defender updates. I have reported this to Microsoft as a false positive already, but this is likely going to bite other ExcelDNA users here!

See here for VirusTotal report: https://www.virustotal.com/gui/file/02f05760666bda9018b95e442486c504cb67f02f5603406be55effc6dbf5c592/details

Screenshot of the error you or your users might start seeing here





Govert van Drimmelen

Nov 9, 2021, 6:38:28 PM
to exce...@googlegroups.com

Hi Gabriel - thanks for the heads-up.

 

A few days ago the list of anti-virus vendors detecting a problem with the file was longer and Microsoft was not on the list (see the end of this thread: https://github.com/Excel-DNA/ExcelDna/issues/403). Now it seems only Microsoft is having a problem. As you point out, the binary is the same as from the -rc1 version, so it had been around for a while (since early June). On my machine with Defender the bad detection only happened with the update of signatures from yesterday to today.

 

I don't think it helps to make extra binaries - they just muddy the issue. Best is if the file is seen and reported as OK from many places.

 

I have no idea what one does with this except to allow the files on the machine ('Restore' them in Defender terms) and wait for the storm to pass.

It normally is no more than a day or two, in my experience so far.

 

-Govert

 

Ben McMillan

Nov 9, 2021, 6:47:36 PM
to exce...@googlegroups.com
I've just got the same error



Govert van Drimmelen

Nov 9, 2021, 7:06:32 PM
to exce...@googlegroups.com

If I have an Excel-DNA .xll add-in with no ExcelDna.Integration.dll in sight, the message (from Excel-DNA) appears when loading the add-in.

But the add-in still seems to load and work fine after that.

Is that what you see too?

 

It looks like the error is caused by the Microsoft Defender “Real-time protection” feature, which presumably sees that we’re loading that .dll file from the unpacked bits into memory.

But somehow it doesn’t actually stop the loading.

That seems like a failure in Windows Defender – surely it intends to actually block that code from running.

Very weird.

 

Anyway, switching off the Real-time protection makes the spurious error go away.

 

This seems to be a good place to report the file as a false positive:

Submit a file for malware analysis - Microsoft Security Intelligence

 

You should probably upload the ExcelDna.Integration.dll file from the packages\ExcelDna.Integration.1.5.0\lib\net452 directory in your project or solution.

(Even though this file is not actually present when the add-in is showing that error message.)

 

-Govert
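
A check to run before restoring the file from quarantine or submitting it to Microsoft, added here as an example and not part of any post in the thread: it confirms that the local DLL is the same binary as in the VirusTotal report and lists what Defender recorded against it. It assumes the SHA-256 in the VirusTotal link refers to ExcelDna.Integration.dll and that the commands are run from the solution root.

```powershell
# Added example, not from the thread.
# Assumption: the SHA-256 in the VirusTotal URL quoted in the first post
# identifies ExcelDna.Integration.dll from the 1.5.0 package.
$ExpectedSha256 = '02f05760666bda9018b95e442486c504cb67f02f5603406be55effc6dbf5c592'

# Path from the thread, relative to the solution root (assumed working directory).
$DllPath = 'packages\ExcelDna.Integration.1.5.0\lib\net452\ExcelDna.Integration.dll'

function Test-FileSha256 {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Expected
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        # Real-time protection may already have quarantined or removed the file.
        Write-Warning "Not found (possibly quarantined): $Path"
        return $false
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $Expected) {   # string -ne is case-insensitive
        Write-Warning "Hash mismatch for ${Path}: $actual"
        return $false
    }
    return $true
}

if (Test-FileSha256 -Path $DllPath -Expected $ExpectedSha256) {
    Write-Output 'Hash matches the reported binary.'
} else {
    Write-Output 'Do not restore or submit this copy until the difference is explained.'
}

# Detections Defender has recorded against Excel-DNA files on this machine.
# Get-MpThreatDetection and Get-MpThreat ship with the Defender PowerShell module.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'ExcelDna' } |
    ForEach-Object {
        $threat = Get-MpThreat -ThreatID $_.ThreatID
        [pscustomobject]@{
            Detected  = $_.InitialDetectionTime
            Threat    = $threat.ThreatName
            Resources = $_.Resources -join '; '
        }
    }
```

A mismatch means the local copy is not the binary discussed in the thread, so the false-positive reasoning above does not apply to it.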
