Trojan:Win32/Leonem

Open rickpuglisi opened this issue 1 year ago • 9 comments

Trojan:Win32/Leonem was detected by Windows Defender in the xlam dist

rickpuglisi avatar Mar 07 '24 15:03 rickpuglisi

likely false positive - this has happened before and usually resolves after a few Defender protection updates. I'll submit to MS for analysis... thanks

GCuser99 avatar Mar 07 '24 16:03 GCuser99

It has been over a week since this issue was opened so I will report what I know as of today.

I had submitted the SeleniumVBA.xlam file (version 5.1) to MS for analysis a week ago and it is still scanning positive for the Trojan mentioned in the OP. The case is still open and MS has not returned an assessment as yet. Here are my observations to date:

  • Scan results have consistently shown that the file has the virus Trojan:Win32/Leonem.
  • The individual components of the file (classes and modules) are currently classified as "not malware", although during the week both WebShared and WebDriver have been intermittently classified as malware, albeit for only short periods of time.
  • If I change the Excel file type from .xlam to .xlsm, the file passes as virus free.
  • The SeleniumVBA.accdb and SeleniumVBADLLSetup.exe can be downloaded and used on my system without triggering a virus warning.

I'm still reasonably sure that this is a false positive, but whether it is or not, it is a problem. MS has announced recently that support for VBScript and the Scripting Runtime, both of which we use in our code, will be dropped at some point in the future. These are considered risky by MS because they can be used as malware attack vectors. So I expect that this nagging problem is probably only going to get worse. At some point we may need to take a deeper dive into what specific codes are causing the problem and take mitigating action.

Anyway, in the latest update (v5.2) I included a new file in the dist folder called SeleniumVBA.xlsm, which at least for me currently, does not get flagged as malware.

I will continue to monitor closely and report what I find.

Regards, Mike

GCuser99 avatar Mar 15 '24 21:03 GCuser99

Hi all! For your information, about one month ago I had the chance to put my hands on a business PC of a friend, who had a constant crash on executing (any code on?) the xlam, with his antivirus logging a virus that was found. On this PC, I was able to completely solve the problem just by removing the line that downloads the WebDriver from the public URL and, but I'm not sure about this, another line using Shell to execute the exe file. Unfortunately, I didn't have time to make further analysis or considerations.

6DiegoDiego9 avatar Mar 16 '24 14:03 6DiegoDiego9

@6DiegoDiego9, @rickpuglisi,

Can you guys try downloading the alternative SeleniumVBA.xlsm file? Does your AV program let you? My Defender is still blocking the .xlam file, but is allowing the .xlsm version to be downloaded and used on my system. Wondering if anyone else can confirm that... I'm considering doing away with the .xlam version if that seems to fix the problem.

Thanks!

Mike

GCuser99 avatar Mar 20 '24 21:03 GCuser99

Hi Mike,

I can download the file without Defender complaining, but the file is still untrusted and would require the file to be unblocked in File Explorer.

I am a novice with this so please excuse me if I come across clueless but I was thinking that perhaps the problem is this line of code in the WebDriverManager.cls because it is so generic. The URL could be anything.

UrlDownloadToFile 0&, StrPtr(Url), StrPtr(tmpInstallZipPath), 0&, 0&

Would moving this line inside each case statement for browsers and hardwiring the URL so that you know the URL is safe make a difference to Defender?

Rick

rickpuglisi avatar Mar 22 '24 15:03 rickpuglisi

Hi Mike,

Did a little more investigation of the code to see how I could make your code into malware.

If the https://api.github.com/repos/SeleniumHQ/selenium/releases website which is external to your code was modified and had an entry like

"browser_download_url": https://MYMALWAREADDRESS/IEDriverServer_Win32

your code could find it for the IE browser and download it. So I think this part of the code needs to be more secure. While other URLs may have a reputation for safety, github repos does not for me. Perhaps telling the user in a msgbox what URL to download and where to put it would be safer. Not as convenient but much safer.

Rick

rickpuglisi avatar Mar 22 '24 17:03 rickpuglisi

Sorry, last comment.

Firefox has

Url = "https://github.com/mozilla/geckodriver/releases/download/v" & driverVersion & "/geckodriver-v" & driverVersion & "-" & platformString & ".zip"

At least you know it is going to https://github.com/mozilla/geckodriver so maybe this is good enough and you can satisfy Defender with something similar for IE like

Url = "https://github.com/SeleniumHQ/selenium/releases/download/" & …

instead of using the API with the pattern "https:[^,]*?IEDriverServer_Win32_"

Rick D. Puglisi

rickpuglisi avatar Mar 22 '24 18:03 rickpuglisi
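
As an added illustration of the point raised in the two comments above (a tampered browser_download_url in the releases API response, and the safer pattern of a fixed, known download location), here is an example written for this issue in Python rather than the project's VBA so that it can be run directly; it is not SeleniumVBA's own code. It assumes a constructed releases JSON response (the first entry models the tampered record described above, the tag names are made up) and an allow-list of hosts and path prefixes covering the two GitHub repositories named in the thread. It shows three checks a defender would want before anything is downloaded or launched: parsing the API response as JSON instead of regex-scanning the raw text, rejecting any asset whose URL falls outside the allow-list (including userinfo and path-traversal tricks that a plain substring match misses), and comparing a pinned SHA-256 of the fetched archive before it is unzipped or run. The trusted prefixes and the pinned digest are assumptions for the example.

```python
import hashlib
import json
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Allow-list of (host, path prefix) pairs a driver download URL must match.
# Assumption for this example: only the two GitHub release locations named in
# the issue are acceptable sources for driver archives.
TRUSTED_PREFIXES = (
    ("github.com", "/SeleniumHQ/selenium/releases/download/"),
    ("github.com", "/mozilla/geckodriver/releases/download/"),
)

# Constructed stand-in for the body of
# https://api.github.com/repos/SeleniumHQ/selenium/releases. The first entry
# models the tampered record described in the issue; tag names are made up.
SAMPLE_RELEASES_JSON = json.dumps([
    {
        "tag_name": "selenium-9.9.1",
        "assets": [
            {
                "name": "IEDriverServer_Win32_9.9.1.zip",
                "browser_download_url": "https://MYMALWAREADDRESS/IEDriverServer_Win32_9.9.1.zip",
            }
        ],
    },
    {
        "tag_name": "selenium-9.9.0",
        "assets": [
            {
                "name": "IEDriverServer_Win32_9.9.0.zip",
                "browser_download_url": "https://github.com/SeleniumHQ/selenium/releases/download/selenium-9.9.0/IEDriverServer_Win32_9.9.0.zip",
            }
        ],
    },
])


def is_trusted_download_url(url: str) -> bool:
    """True only for an https URL whose host and normalised path prefix are allow-listed.

    Rejects userinfo tricks (https://github.com@evil.example/...) and path
    traversal (.../download/../../...) that a plain substring check would miss.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.username or parsed.password:
        return False
    host = parsed.hostname or ""            # already lower-cased by urlparse
    path = posixpath.normpath(parsed.path)  # collapses ".." and "//" segments
    return any(host == h and path.startswith(p) for h, p in TRUSTED_PREFIXES)


def select_asset_url(releases_json: str, name_prefix: str) -> Tuple[Optional[str], List[str]]:
    """Parse the releases response as JSON (not by regex over raw text) and return
    the first allow-listed download URL for an asset whose name starts with
    name_prefix, together with every matching URL that was rejected so the
    caller can log it."""
    rejected: List[str] = []
    for release in json.loads(releases_json):
        for asset in release.get("assets", []):
            if not str(asset.get("name", "")).startswith(name_prefix):
                continue
            url = str(asset.get("browser_download_url", ""))
            if is_trusted_download_url(url):
                return url, rejected
            rejected.append(url)
    return None, rejected


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Compare the archive bytes against a digest pinned in the caller's code
    before the archive is unzipped or any executable inside it is launched."""
    return hashlib.sha256(data).hexdigest() == expected_hex.strip().lower()


if __name__ == "__main__":
    chosen, skipped = select_asset_url(SAMPLE_RELEASES_JSON, "IEDriverServer_Win32_")
    for bad in skipped:
        print("rejected untrusted asset URL:", bad)
    print("download from:", chosen)
```

The URL check runs before the address is handed to whatever performs the download (UrlDownloadToFile in the VBA code), since the downloader itself validates nothing about where the bytes come from. The digest check is the part that costs convenience: the pinned value has to be updated for every driver version shipped, which is the same trade-off Rick describes between automatic fetching and telling the user what to download.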

@rickpuglisi, @6DiegoDiego9,

I'll take a close look at the details for suggestions on where to look for the problem...

@rickpuglisi, thanks for testing the SeleniumVBA.xlsm download. FYI yes, you will probably always need to check the "unblocked" attribute in file properties when opening a downloaded Excel file (at least that has been the case for me).

Thanks again,

Mike

GCuser99 avatar Mar 23 '24 17:03 GCuser99

Today I had the chance to get back the xlsm file tested by my friend whose antivirus was blocking its execution with the xlam. I am happy to report that he wrote me: "It works! My Sophos antivirus did not block it."

6DiegoDiego9 avatar Apr 04 '24 15:04 6DiegoDiego9

I'm closing this one for now. I tried many of the things suggested above but was not successful during the false-positive period, which seems to have lapsed. As of today, no false positives so we are good to go...

GCuser99 avatar Jun 01 '24 18:06 GCuser99