About the Authors


  • Antonio Barroca
  • David Lau
  • Giancarlo Molo
  • Hashim Mundol
  • Aaron Hai
  • Avto Chachava
  • Yannick Karawa


08/23/2012

Comments


Mark McDonough

I find the contents of this Service Pack to be somewhat curious, in that it finally addresses (to limited effectiveness in my opinion) a long standing security risk; adding measures to mitigate the "CAD Virus" threat. I wonder "why now" after it's been well known and documented by Autodesk tech docs for AutoCAD products since 2008, 6 years, 6 releases (although, it was still a real risk in earlier versions as well, the large company I worked for was hit big time with the CAD Virus exploit in AutoCAD version 2004, this threat has been real for over a decade).

I don't characterize the autoloading process of customization files as "legacy", it still works exactly that way. For years, knowing about the automatic loading of certain "reserved name" customization files (some are optional, some are definitively part of AutoCAD itself), I knew the day would arrive when someone would create a virus based on this automatic loading of program support files, and sure enough that day came. It is very similar to the exploit of reserve-named files in Microsoft Office products like WORD, hence the macro viruses.

Thinking back on the measures required to control the virus once it hit, I question the rationale of adding a shortcut command-line /nolisp switch; not such a viable tool when dealing with over 200 AutoCAD installations; it would be nearly impossible to implement. Your post doesn't mention that use of that switch "should only be used in emergency situation" because enabling the switch would also prevent Express Tools and some AutoCAD commands from functioning. So I wonder why did Autodesk choose this avenue of enabling a feature or control. Even if the /nolisp switch were added, it would need to be added for the multiple icons in the case of AutoCAD verticals such as AutoCAD Architecture, as well as the program group copy of the icons; all of which is bypassed by anyone double-clicking on a DWG file.

The AUTOLOAD and AUTOLOADPATH system variables do make sense, and could go a long way towards mitigating the risk of a CAD virus, where one can redirect the load location for acad.lsp/fas/vlx and acaddoc.lsp/fas/vlx. It should be considered that the CAD virus variants can be delivered as files other than acad.lsp & acaddoc.lsp plus its fas/vlx varieties.

I can't comment further on the effectiveness of these new controls, as AutoCAD 2013 Service Pack 1 has been temporarily removed due to a "newly discovered fatal error". I can say however, after dealing with the CAD virus in a number of generations and iterations, the virus delivery files and the extent of infected files are much more extensive than what is generally reported or what has been documented in Autodesk support documents.

The best defense against the CAD virus is to implement lisp code in a startup lisp file that autodeletes known virus delivery file types (see Autodesk tech support doc), add those virus delivery file names and/or types to one's enterprise antivirus scanning, and now once the 2013 SP1 gets re-issued, use the two new system variables to add a known secure network location to point to any acad.lsp & acaddoc.lsp files, if such files need to exist. Understanding the AutoCAD "load order" of support files is also useful in one's defense against the CAD virus.

Because the CAD virus is so disruptive, is more common than typically acknowledged, and infection can happen in many other ways than the sample given, I have gathered up some pertinent links:

How to detect and remove the Acad.vlx virus
http://usa.autodesk.com/adsk/servlet/ps/dl/item?siteID=123112&id=13717811&linkID=9240617

Autodesk page on AutoCAD and viruses:
http://usa.autodesk.com/adsk/servlet/ps/dl/item?siteID=123112&id=12903754&linkID=9240617

JTB World on Acad.vlx Virus Cleanup improved
http://blog.jtbworld.com/2009/08/acadvlx-virus-cleanup-improved.html
http://blog.jtbworld.com/2009/04/autocad-and-dwg-viruses-made-in-vba-or.html

Autodesk forum post, extensive list of auto-loaded files and their load sequence when AutoCAD launches:
http://forums.autodesk.com/t5/AutoCAD-2008/Virus-using-acad-fas/td-p/2220982

List of AutoCAD 2004 system files that get infected by the acad virus:
http://forums.autodesk.com/autodesk/attachments/autodesk/247/49511/2/Support_files_attached_by_CAD_virus_R2004.jpg

List of AutoCAD 2008 system files that get infected by the acad virus:
http://forums.autodesk.com/autodesk/attachments/autodesk/247/49511/1/Support_files_attached_by_CAD_virus_R2008.jpg

My entry on our experience with the ACAD Virus in 2009:
http://forums.autodesk.com/t5/AutoCAD-2008/A-STRANGE-PROBLEM-acad-vlx/td-p/2507420

The comments to this entry are closed.
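
The comment above recommends keeping acad.lsp/fas/vlx and acaddoc.lsp/fas/vlx in one known secure location and watching for those names elsewhere. The following audit script is an added example, not code from the commenter or from Autodesk: it walks a file share and reports reserved-name startup files found outside an approved directory. The directory names, the sample tree and the `next_to_dwg` triage hint are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Reserved autoload names from the comment: acad.* and acaddoc.* as .lsp/.fas/.vlx
RESERVED_STEMS = {"acad", "acaddoc"}
RESERVED_EXTS = {".lsp", ".fas", ".vlx"}

def is_reserved_autoload(filename):
    """Case-insensitive match on the full name, so acad.lsp.bak is not flagged."""
    stem, ext = os.path.splitext(filename.lower())
    return stem in RESERVED_STEMS and ext in RESERVED_EXTS

def audit_tree(root, trusted_dirs):
    """Return reserved-name files under root that are outside every trusted dir."""
    root = Path(root).resolve()
    trusted = [Path(d).resolve() for d in trusted_dirs]
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        here = Path(dirpath)
        if any(here == t or t in here.parents for t in trusted):
            continue  # approved location for startup files
        has_dwg = any(f.lower().endswith(".dwg") for f in files)
        for name in sorted(files):
            if is_reserved_autoload(name):
                findings.append({
                    "path": (here / name).relative_to(root).as_posix(),
                    "sha256": hashlib.sha256((here / name).read_bytes()).hexdigest(),
                    "next_to_dwg": has_dwg,  # triage hint only (assumption)
                })
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Build a constructed sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        layout = {
            "trusted/acad.lsp": b"; approved startup file\n",
            "project1/acaddoc.LSP": b"; unexpected copy\n",
            "project1/plan.dwg": b"",
            "project2/ACAD.FAS": b"\x00",
            "project2/notes.lsp": b"; ordinary routine\n",
            "project3/acad.lsp.bak": b"; backup\n",
        }
        for rel, data in layout.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return audit_tree(tmp, [Path(tmp, "trusted")])
```

As the comment notes, variants can arrive under other file names, so a name-based audit like this covers only the reserved startup files and complements antivirus scanning rather than replacing it.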

