AV scan detecting virus in Presentation after re-saving using Aspose

mwhalen · October 15, 2015, 11:17am

When we open and resave the attached ppt file using Aspose.Slides, the resulting presentation gets quarantined by some AV products that detect a virus.

Using the VirusTotal website (https://www.virustotal.com), we are able to test the document using 56 different AV scanners, and 4 of them are detecting viruses - three of them find “CVE-2006-3590” (Cyren, F-Prot, and NANO-Antivirus) and one is detecting “Bloodhound.Exploit.79” (Symantec). The other scanners do not detect a virus. I’ve attached a screen shot of the results from that website so you can see them yourself.

While I don’t believe there actually is a virus in the document, I’m assuming there are elements in it that look like a virus to these scanners.

I have not attached the re-saved document, as even if it doesn’t have a virus I’m not real sure about attaching something that might trigger an AV warning. If you need to see the resulting document, let me know and I’ll attach it in a password protected zip, or let me know if you have another preferred method of transferring files of this nature. Hopefully you can reproduce it yourselves by just using the attached ppt document and then opening it and resaving it using code like:

Dim Presentation = New Aspose.Slides.Presentation(SourceFile)

Presentation.Save(DestFile, Slides.Export.SaveFormat.Ppt)

Thanks for any help you can give on this. This is a serious issue for some of our clients, as their AV is preventing them from sending out documents after they’ve been processed by our tool.

Adnan.Ahmad · October 15, 2015, 4:22pm

Hi Michael,

Thank you for posting.

I have observed your comments and worked with the file shared by you. I have not been able to reproduce the issue on my end. I have attached the generated output file as well as the screenshot for your kind reference. I request you to please try using Aspose.Slides for .NET 15.8.0 on your end and then share your kind feedback with us.

Please let us know if the issue persists. We will be happy to assist you further.

Best Regards,

mwhalen · October 20, 2015, 11:57am

First of all, all of my tests were using Aspose.Slides for .NET 15.8.0 - I usually upgrade to the latest bits before posting here, as every once in a while, it fixes the issue (“usually” because I do occasionally forget ), so I’m seeing this behavior with the latest version.

Now the weirdness - I downloaded your file, checked with the AV tool, and saw no viruses, just like you. Then, just to try it out, I ran the original test on that file - I opened it using Aspose.Slides and immediately resaved it, making no other intentional changes to the file. Testing the resulting document with the AV tool resulted in the same four detections. Thinking it might be something on my development machine, I also tried the same thing with a brand new presentation created on that machine, but no viruses were detected.

I’m surprised that I was able to detect viruses after downloading your file and resaving it myself, though - if it’s something in the file itself, you’d think you’d be able to detect it yourselves, or that in the process of transferring the file to you the virus was stripped, but that can’t be because it showed back up when I ran the test myself.

I’ve attached a zip file with both the original document and the one that resulted after I did the save - the one that’s triggering the AV detections. Could you try again on those documents to see if you can recreate the issue? Also, could you make sure that the AV tool detects the viruses when you submit them, using the “After Saving With Aspose” document?

Thanks,

Michael Whalen

Adnan.Ahmad · October 20, 2015, 2:14pm

Hi Michael,

I have observed your requirements and worked with the presentation file shared by you. Surprisingly, I have been able to reproduce the issue. A ticket with ID SLIDESNET-36912 has been logged in our issue tracking system to further investigate and resolve the issue.This thread has been linked with the issue so that you may be automatically notified once the issue will be resolved.

We are sorry for your inconvenience,

Jeff_B · February 5, 2016, 11:01am

I have also run into this same behavior using Aspose.Slides 15.5.0.0. Is there any update on this request?

If I directly scan the starting local copy of the PPT with Symantec Endpoint Protection 12.1.6 build 6306 it reports nothing. My workflow requires copying the ntaive PPT to a second local disk path from which Aspose reads it. Several seconds after Aspose reads the second local copy of the PPT, Symantec reports the infection and locks the file.

Thank you,

Jeff

Adnan.Ahmad · February 8, 2016, 5:38am

Hi Jeff,

Thank you for posting.

I have observed your comments and like to request you to please make a separate post for the issues you face. Even if you found a same issue reported on the forums. However, you may refer to that look alike issue in your post. Issues may appear same but reasons can be different. Please share with us the source file and the steps to reproduce the issue, in a separate thread, so that we may proceed further to help you out. Before you share the data with us, I request you to please try using Aspose.Slides for .NET 16.1.0 on your end and see if the issue persists.

Best Regards,

mwhalen · May 4, 2016, 11:13am

Our clients are asking for an update on this issue. Has any progress been made on figuring out why the virus scanner is detecting a virus in the documents?

Thanks,

Mike Whalen

Adnan.Ahmad · May 5, 2016, 11:46am

Hi Mike,

I have observed your comments and like to share with you that the issue reported by you is pending at the moment. I have requested our product team to schedule it for investigation and resolution as soon as possible. We will notify you as soon as the issue will be fixed.

Best Regards,