Windows Defender finds Win32/Wacepew.C!ml trojan horse in packed XLL


Jiri Pik

Oct 31, 2023, 8:23:17 PM
to Excel-DNA
For months, Windows Security has been removing the packed XLL from our build machine since it discovered some alleged trojan horse there - see the screenshot below.

2023-11-01_08-15-31.png


The .dna definition is below. What is the best course of action?

<DnaLibrary Name="XXX.ExcelAddin.UDFs Add-In" RuntimeVersion="v4.0">
  <ExternalLibrary Path="XXX.ExcelAddin.UDFs.dll" LoadFromBytes="true" Pack="true" />
</DnaLibrary>

Jiri Pik

Nov 2, 2023, 1:37:37 AM
to Excel-DNA
I have escalated to MS to stop flagging it as having a trojan horse. Let's see. 

Govert van Drimmelen

Nov 2, 2023, 11:20:03 AM
to Excel-DNA
Hi Jiri,

This has been a problem for a while, since there were some malicious add-ins created with Excel-DNA.
It seems to be better with the current pre-release versions - 1.7.0-rc9 is the latest.
We tried some changes in the packing around version 1.5.1 that were particularly prone to being detected as problematic.
But with the current pre-release versions it does seem to depend a bit on what other code is in your add-in.

What version of Excel-DNA are you using?
Reporting the false positives to the anti-virus vendor is certainly the right plan, so they continue to improve their heuristics.

-Govert

Jiri Pik

Nov 3, 2023, 6:44:56 AM
to Excel-DNA
We are using 1.6.0. The problem with Windows Security is that sometimes it detects it as a trojan and sometimes not. I believe that it is somehow associated with the speed of generation of the xll files and CPU utilization of the build machine - the more CPU usage, the more likely it is to be labelled as a trojan horse.

Anyway, the latest version of Windows Security finds no problems and for now, all is good. 

Thanks, Govert, for all your help and the excellent library.

All my best from sunny Singapore,
