Anti-Virus conflict

Hi,

Some of our customers use McAfee’s total protection. When the user creates a new code snippet using AlterNet, we generate an .EXE (with a random name) on the fly, but the anti-virus automatically quarantines the files.

Do you have any experience with how to resolve this issue?

Thanks

Hi Stephane,

Thank you for reporting this problem. We were able to reproduce it with McAfee and our DebugRemoteScript demo (when debugging Visual Basic sample).

Early investigation shows that if we sign generated assembly with our certificate (pfx) file using the signtool like this:

    signtool.exe sign /f "test.pfx" /p testpassword generatedassembly.exe

then signed assembly does not trigger antivirus protection.

Could you please try this at your end? Meanwhile we will look at how to incorporate strong name signing into assembly generation process.

Kind regards,
Dmitry

Hi Stephane,

We looked a bit further at this issue, and we were able to reproduce it even with projects built with Visual Studio and with a very minimal project that uses Roslyn directly (without Scripter). It’s somewhat expected, as MSBuild uses Roslyn internally. We also tried signing the assembly with the strong key, but it did not have any effect.

Here are sample projects that trigger McAfee protection:
https://drive.google.com/file/d/1cGXGYq2CjXSBqQcrTNQTZN3gSSSHrY9a/view?usp=sharing

We have submitted these projects to McAfee Labs, but I don’t expect them to fix the issue right away.

So far it looks like signing executable with pfx certificate is the only reliable way to not trigger McAfee antivirus protection.

Regards,
Dmitry

Thank you. I am glad you were able to reproduce the issue. The problem is McAfee flags the produced EXE before we have a chance to sign the EXE.

If I could specify a certificate file path OR a byte array of the certificate, could you somehow use the certificate and sign the EXE before the EXE is written to disk? This would be a great addition to your API.

Thanks!

Hi Stephane,

Understood, not really sure what we can do here, apart from reporting this issue to McAfee.

I wonder if generating in-memory dll instead of executable could work?
It can be created in a separate app domain in case it needs to be unloaded - we have IsolatedScript quick start project demonstrating how this can be done.

Regards,
Dmitry

In-memory won’t work for our use-case. What about my suggestion of you providing a mechanism to provide a certificate to the API?

Hi Stephane,

We’re looking at using Crypto API to sign generated executable and I will update you as we have some results.

Meanwhile, could I ask you to test at your end that if you sign your executable with signtool (with McAfee real-time protection temporarily switched off), and then run the signed executable with full McAfee protection on, it actually works for you? In our tests it does help, but it’d be great if you could confirm it works for you too.

Regards,
Dmitry

Thanks for investigating this. I will perform the requested tests.

The antivirus software is fine when signing the EXE. Until you can provide a first-class citizen solution, do you know how I could sign the EXE before it is written to disk? Maybe the Roslyn object model has an event I can subscribe to?

Thanks

Hi Stephane,

We were able to use Crypto API to sign an executable programmatically; however, it still requires generating the file on the disk first.

We’re now trying to do the same using a memory blob, but can’t get it to work as yet. We’re trying to get an answer from the community:

I wonder if you could do one more test (as in our tests McAfee does not quarantine the executable when it’s written to the disk, only when you try to run it):

Could you try generating the file with a different extension to see if this still triggers antivirus protection? Here’s sample code showing how this can be done with ScriptRun; it will generate an .xxx file when you call Compile:

    // Script host that makes the compiler write its output with an .xxx
    // extension instead of .exe.
    public class SignedRoslynScriptHost : RoslynScriptHost
    {
        public SignedRoslynScriptHost(IScriptRun scriptRun)
            : base(scriptRun)
        {
        }

        protected override RoslynScriptProvider CreateScriptEngine()
        {
            RoslynScriptProvider engine = base.CreateScriptEngine();

            if (engine != null)
            {
                // Keep the output folder, change only the file extension.
                engine.AssemblyPath = AssemblyPath;
                engine.AssemblyFileName = System.IO.Path.ChangeExtension(AssemblyFileName, "xxx");
            }

            return engine;
        }
    }

    // ScriptRun descendant that plugs in the host above.
    public class SignedScriptRun : ScriptRun
    {
        public override IScriptHost CreateScriptHost()
        {
            return new SignedRoslynScriptHost(this);
        }
    }

If this succeeds, we might be able to generate temp file (with some other extension, then sign it, then rename it to .exe)?

Regards,
Dmitry

I will let you know. Just for clarification. My original issue description was wrong. As you said, the anti-virus software prevents the execution of the EXE but not the creation of it. So signing from disk could be an option also. Huge thanks for working on this.

Hi Stephane,

I’ve uploaded source code with the descendant of ScriptRun class (SignedScriptRun). It allows signing compiled executable on the disk.

https://drive.google.com/file/d/1fhTUsTEbpZT1oQeX50eECsVxfOr5vKCO/view?usp=sharing

This class can be instantiated instead of ScriptRun for the compiled executable to be signed.

The following lines will need to be modified:

    public static string certificatePath = @"..\..\..\cert.pfx";
    public static string certificatePassword = "certpassword";
    public static string timeStampURL = "http://timestamp.comodoca.com/authenticode";

You need to provide your own certificate and password.
timeStampURL can be left empty (if it’s not, it will need an internet connection to add the Time Stamp signature). In my tests it works without it just fine.

Let me know if you can get it to work and if it resolves the anti-virus conflict at your end.

Regards,
Dmitry
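
One way to make the sign-after-compile step fail closed, as an added example that is not the SignedScriptRun source linked above and not code from the original posts: it calls signtool with the same three settings and throws unless the signature verifies, so an unsigned or badly signed EXE is never launched. `GeneratedExeSigner`, `SignAndVerify` and `signToolPath` are hypothetical names, and signtool.exe is assumed to be on PATH.

```csharp
using System;
using System.Diagnostics;

// Added example (hypothetical helper, not part of the AlterNet API).
public static class GeneratedExeSigner
{
    // Runs signtool and returns its exit code (0 means success).
    static int RunSignTool(string signToolPath, string arguments)
    {
        var psi = new ProcessStartInfo(signToolPath, arguments)
        {
            UseShellExecute = false,
            CreateNoWindow = true
        };
        using (Process p = Process.Start(psi))
        {
            p.WaitForExit();
            return p.ExitCode;
        }
    }

    // Signs exePath in place, then checks the result before the caller runs it.
    // Assumes none of the values contain a double quote.
    public static void SignAndVerify(string exePath, string certificatePath,
        string certificatePassword, string timeStampURL,
        string signToolPath = "signtool.exe")
    {
        // Note: /p puts the PFX password on the command line, where other
        // local processes can read it while signtool is running.
        string args = $"sign /fd SHA256 /f \"{certificatePath}\" /p \"{certificatePassword}\"";

        // The timestamp is optional and needs network access when present.
        if (!string.IsNullOrEmpty(timeStampURL))
            args += $" /t \"{timeStampURL}\"";
        args += $" \"{exePath}\"";

        if (RunSignTool(signToolPath, args) != 0)
            throw new InvalidOperationException("signtool sign failed for " + exePath);

        // /pa applies the default Authenticode policy; a certificate that does
        // not chain to a root trusted on this machine fails here.
        if (RunSignTool(signToolPath, $"verify /pa \"{exePath}\"") != 0)
            throw new InvalidOperationException("Signature did not verify: " + exePath);
    }
}
```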

It is working perfectly - Thanks
