Why pack XLL? Are packed XLL more subject to Trojan false positives?


Andrew Gilchrist

Mar 10, 2022, 4:32:57 PM
to Excel-DNA
New to ExcelDNA, and looking for some color on the packing feature.

I'm trying to understand how this feature benefits me as it seems to add some complication to building, creates additional assemblies etc.  I'm installing with Advanced Installer, so I'm not certain that 'single' file simplicity is of particular importance to me as long as I know which files I need to include.

Some concerns, I'm trying to evaluate my options:
  1. Is the packed addin assembly more prone to Trojan false positives?  (In the short term, adding digital signature with code-signing cert on the XLL seems to have solved the problem I saw but I don't know for how long)
  2. The extra 'packed' in the name (that appears in Excel's Add-ins screens) is kind of ugly, I don't know if it's safe/easy to remove this. It's bad enough I need to manage separate 32 and 64-bit assemblies.
  3. Is there a way to embed version metadata into the Addin XLL itself (the backing assembly inside does have version number in it)?
Any help or color on this would be appreciated.

Thanks,
Andrew


Govert van Drimmelen

Mar 10, 2022, 5:00:50 PM
to exce...@googlegroups.com

Hi Andrew,

 

You definitely don’t have to use the packed add-in – the main motivation for it is to make distribution easier.

You can disable the packing step in the build with

    <RunExcelDnaPack>false</RunExcelDnaPack>

either in the Properties\ExcelDna.Build.props or the project file if using the new preview and SDK-style project files.

 

  1. I don’t have much data on this. The ‘unpacked’ .xll already contains some assemblies and so was previously triggering the anti-virus false positives even when not packed. In theory you can make an .xll with no embedded assemblies and ship the two ExcelDna assemblies. But there’s no exposed path for this – you’d have to hack things or recompile Excel-DNA yourself. It sounds like signing helps with the false positives often.

  2. You can safely rename the packed .xll files as you like. Excel sometimes shows the file name, and at other times shows the proper name of the add-in (as you provide in the “Name” tag in the .dna file – normally looks like “MyProject Add-In”). Excel gives no supported or easy way to fill in the ‘Description’ part of the add-ins dialog.

  3. Yes, though the feature is a bit hidden. In your .dna file for the main ExternalLibrary tag, you can add a property called UseVersionAsOutputVersion:

         <ExternalLibrary Path="MyLibrary.dll" ExplicitExports="false" LoadFromBytes="true" Pack="true" IncludePdb="false" UseVersionAsOutputVersion="true" />

     Then the AssemblyFileVersion and some other assembly properties will be copied to the packed output file. You can see the version information in Windows File Explorer if you change the extension from .xll to .dll.

 

-Govert
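
An added example, not part of the thread and not Excel-DNA's own code: a release check that reads the PE headers of a built .xll and reports its bitness, whether a version resource was written (the effect of UseVersionAsOutputVersion) and whether an Authenticode signature blob is attached. The function names and the constructed sample header are assumptions made for the illustration; the check detects presence only, so signature validity still has to be confirmed with `signtool verify` or `Get-AuthenticodeSignature`.

```python
import struct

MACHINES = {0x014C: "32-bit", 0x8664: "64-bit"}
RT_VERSION = 16  # resource type id that holds VS_VERSIONINFO

def has_resource_type(data, sect_tab, nsect, rva, wanted):
    """Look for a type id at the top level of the PE resource directory."""
    for i in range(nsect if rva else 0):
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", data, sect_tab + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):      # section containing the RVA
            base = raw + (rva - vaddr)
            named, ids = struct.unpack_from("<HH", data, base + 12)
            return any(struct.unpack_from("<I", data, base + 16 + 8 * n)[0] == wanted
                       for n in range(named + ids))
    return False

def inspect_xll(data):
    """Return bitness, version-resource presence and signature-blob presence."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)          # PE32+ vs PE32 layout
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    entry = lambda i: struct.unpack_from("<II", data, dirs + 8 * i) if i < ndirs else (0, 0)
    return {"bitness": MACHINES.get(machine, hex(machine)),
            "version_resource": has_resource_type(data, opt + opt_size, nsect,
                                                  entry(2)[0], RT_VERSION),
            # Directory 4 is the certificate table; presence is not validity.
            "signature_present": entry(4)[1] > 0}

def build_sample(machine, signed, versioned):
    """Constructed minimal PE header for the demo; not a loadable add-in."""
    plus = machine == 0x8664
    opt, d = bytearray(240 if plus else 224), 112 if plus else 96
    struct.pack_into("<H", opt, 0, 0x20B if plus else 0x10B)
    struct.pack_into("<I", opt, d - 4, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, d + 16, 0x1000, 0x18)    # resource directory
    struct.pack_into("<II", opt, d + 32, *((0x400, 8) if signed else (0, 0)))
    head = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
            + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), 0x2022) + bytes(opt)
            + b".rsrc\0\0\0" + struct.pack("<IIII", 0x18, 0x1000, 0x200, 0x200) + bytes(16))
    rsrc = bytes(12) + struct.pack("<HHII", 0, 1, RT_VERSION if versioned else 3, 0x80000018)
    return head.ljust(0x200, b"\0") + rsrc.ljust(0x200, b"\0")

if __name__ == "__main__":
    print(inspect_xll(build_sample(0x8664, signed=True, versioned=True)))
```

For a real build output, pass the file's bytes, for example `inspect_xll(open(path, "rb").read())`, once for the 32-bit and once for the 64-bit .xll.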


Andrew Gilchrist

Mar 11, 2022, 12:57:16 PM
to Excel-DNA
Govert,

Thanks a lot for your help.  The UseVersionAsOutputVersion="true" looks promising...I'm now also seeing the DnaLibrary Name (with mixed case & spaces) as the Excel.Addin.Title and in Excel's Addins dialog (not certain whether UseVersionAsOutputVersion influenced that or if it was some other build difference).

-Andrew

Govert van Drimmelen

Mar 11, 2022, 1:14:51 PM
to exce...@googlegroups.com

Hi Andrew,

 

There are some circumstances where Excel shows the file name and not the add-in name.

I don’t know what the pattern is, but as far as I know this is outside our (the add-in’s) control.
