New Security Controls in AutoCAD 2013 SP1 Help Combat Malware

Over the last few years there has been an increasing number of malware attacks on AutoCAD. These attacks typically leverage the legacy autoloading process of the stock customization files (acad.lsp, acad.dvb, etc.) that come with AutoCAD. Modified versions of these files end up getting automatically loaded into AutoCAD and can cause data loss, corruption, and general annoyance. Here is a typical scenario…

A customer receives a ZIP file containing a variety of files including drawings, fonts, and a modified version of a stock customization file such as acad.lsp. The customer unzips that archive to a folder and double-clicks on one of the drawings to launch it. Launching the drawing this way makes that folder the current working directory (check DWGPREFIX to see for yourself), and because the current folder contains an acad.lsp file, it gets loaded automatically and begins doing whatever malicious tasks it was modified to do. To make matters worse, that file might be flagged as hidden, so the customer may not even know that it's in the ZIP file.
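A check for the scenario above that can be run on a received archive before anything is extracted or opened. This is an added example, not code from Autodesk or the original post: the function names are hypothetical, the reserved file names are the ones mentioned on this page, and the sample archive is constructed with placeholder content.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Reserved autoload names mentioned on this page (stock customization files).
AUTOLOAD_NAMES = {
    "acad.lsp", "acad.fas", "acad.vlx", "acad.dvb",
    "acaddoc.lsp", "acaddoc.fas", "acaddoc.vlx",
}
DOS_HIDDEN = 0x02  # MS-DOS "hidden" attribute bit stored in the ZIP entry


def audit_archive(zip_file):
    """Return findings for autoload files that would sit beside a drawing."""
    with zipfile.ZipFile(zip_file) as zf:
        entries = [i for i in zf.infolist() if not i.is_dir()]
    # Folders (inside the archive) that contain at least one drawing.
    dwg_dirs = {str(PurePosixPath(i.filename).parent) for i in entries
                if i.filename.lower().endswith(".dwg")}
    findings = []
    for info in entries:
        path = PurePosixPath(info.filename)
        if path.name.lower() not in AUTOLOAD_NAMES:
            continue
        findings.append({
            "path": info.filename,
            "hidden": bool(info.external_attr & DOS_HIDDEN),
            # A drawing opened from this folder makes it the working directory.
            "beside_drawing": str(path.parent) in dwg_dirs,
        })
    return findings


def build_sample_archive():
    """Constructed sample: harmless placeholder content, no real drawings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/plan.dwg", b"placeholder")
        zf.writestr("project/fonts/custom.shx", b"placeholder")
        hidden = zipfile.ZipInfo("project/ACAD.LSP")
        hidden.external_attr = DOS_HIDDEN
        zf.writestr(hidden, b"; placeholder")
        zf.writestr("docs/acaddoc.fas", b"placeholder")
    return buf


if __name__ == "__main__":
    for finding in audit_archive(build_sample_archive()):
        print(finding)
```

An entry reported with both `hidden` and `beside_drawing` set matches the delivery pattern described above and should be quarantined rather than extracted.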

Service Pack 1 for AutoCAD 2013 introduces new controls that enable you to do the following:

  • Restrict autoloading of default customization to a specified location ONLY.
  • Disable autoloading of default customization files.
  • Disable the ability to load any AutoLISP file, automatically or manually.

Note: These same controls will also be added to AutoCAD 2013 for Mac and AutoCAD 2013-based verticals when their respective service packs are released. AutoCAD LT does not run AutoLISP or VBA applications and does not require these security measures.

For a more detailed explanation of these new controls and recommended setup and repair workflow, refer to AutoLISP and VBA Security Controls in AutoCAD 2013 SP1.



Mark McDonough

I find the contents of this Service Pack to be somewhat curious, in that it finally addresses (to limited effectiveness in my opinion) a long standing security risk; adding measures to mitigate the "CAD Virus" threat. I wonder "why now" after it's been well known and documented by Autodesk tech docs for AutoCAD products since 2008, 6 years, 6 releases (although, it was still a real risk in earlier versions as well, the large company I worked for was hit big time with the CAD Virus exploit in AutoCAD version 2004, this threat has been real for over a decade).

I don't characterize the autoloading process of customization files as "legacy", it still works exactly that way. For years, knowing about the automatic loading of certain "reserved name" customization files (some are optional, some are definitively part of AutoCAD itself), I knew the day would arrive when someone would create a virus based on this automatic loading of program support files, and sure enough that day came. It is very similar to the exploit of reserve-named files in Microsoft Office products like WORD, hence the macro viruses.

Thinking back on the measures required to control the virus once it hit, I question the rationale of adding a shortcut command-line /nolisp switch; not such a viable tool when dealing with over 200 AutoCAD installations; it would be nearly impossible to implement. Your post doesn't mention that use of that switch "should only be used in emergency situation" because enabling the switch would also prevent Express Tools and some AutoCAD commands from functioning. So I wonder why did Autodesk choose this avenue of enabling a feature or control. Even if the /nolisp switch were added, it would need to be added for the multiple icons in the case of AutoCAD verticals such as AutoCAD Architecture, as well as the program group copy of the icons; all of which is bypassed by anyone double-clicking on a DWG file.

The AUTOLOAD and AUTOLOADPATH system variables do make sense, and could go a long way towards mitigating the risk of a CAD virus, where one can redirect the load location for acad.lsp/fas/vlx and acaddoc.lsp/fas/vlx. It should be considered that the CAD virus variants can be delivered as files other than acad.lsp & acaddoc.lsp plus its fas/vlx varieties.

I can't comment further on the effectiveness of these new controls, as AutoCAD 2013 Service Pack 1 has been temporarily removed due to a "newly discovered fatal error". I can say however, after dealing with the CAD virus in a number of generations and iterations, the virus delivery files and the extent of infected files, is much more extensive than what is generally reported or what has been documented in Autodesk support documents.

The best defense against the CAD virus is to implement lisp code in a startup lisp file that autodeletes known virus delivery file types (see Autodesk tech support doc), add those virus delivery file names and/or types to one's enterprise antivirus scanning, and now once the 2013 SP1 gets re-issued, use the two new system variables to add a known secure network location to point to any acad.lsp & acaddoc.lsp files, if such files need to exist. Understanding the AutoCAD "load order" of support files is also useful in one's defense against the CAD virus.

Because the CAD virus is so disruptive, is more common than typically acknowledged, and infection can happen in many other ways than the sample given, I have gathered up some pertinent links:

How to detect and remove the Acad.vlx virus

Autodesk page on AutoCAD and viruses:

JTB World on Acad.vlx Virus Cleanup improved

Autodesk forum post, extensive list of auto-loaded files and their load sequence when AutoCAD launches:

List of AutoCAD 2004 system files that get infected by the acad virus:

List of AutoCAD 2008 system files that get infected by the acad virus:

My entry on our experience with the ACAD Virus in 2009:
