Win32:Trojan X-Gen alert when using Aspose.PDF.Facades

Hello,

We have started getting reports from customers running Avast antivirus (and also AVG antivirus):
Avast_AntiVirus_1.png (34.4 KB)
Avast_AntiVirus_2.png (32.1 KB)

The report is about some temporary DLL file, probably created by your code.
Here is the exception details I get in my program:
Exception_details.jpg (255.5 KB)
(Forgive the Hebrew text… this is the language on my client's computer.)
I cannot make anything out of this exception, since all your code is obfuscated.

What might be the cause of this? Does it make any sense Aspose.PDF creates some kind of temporary DLL file?

@nir-1

Can you please share a few more details, such as when you are observing this issue? Which code snippet are you using? Please share a sample file as well, along with the code snippet, so that we can test and investigate the issue further.

The exception is thrown on the first line of code, when creating the formatted text.

// Prepare the page number text stamp.
// Color is System.Drawing.Color, so this needs: using System.Drawing;
Aspose.Pdf.Facades.FormattedText pageNumText = new Aspose.Pdf.Facades.FormattedText(
    "- # -",                                  // "#" is replaced by the page number
    Color.Black,                              // text colour
    Color.FromArgb(230, 230, 230),            // background colour
    Aspose.Pdf.Facades.FontStyle.TimesBold,   // built-in font; loading it is where the exception is thrown
    Aspose.Pdf.Facades.EncodingType.Winansi,
    true,                                     // embed the font
    14);                                      // text size

Aspose.Pdf.PageNumberStamp pageNumStamp = new Aspose.Pdf.PageNumberStamp(pageNumText)
{
    Background = false,
    Draw = false,
    HorizontalAlignment = Aspose.Pdf.HorizontalAlignment.Center,
    VerticalAlignment = Aspose.Pdf.VerticalAlignment.Bottom,
    BottomMargin = 10
};

I cannot reproduce this on my development machine, but I now have several customers who have this problem.
As mentioned before, it has something to do with a DLL file created in the temp directory and the antivirus blocking it.

Or it might not be related at all, but since your call stack is obfuscated, I cannot tell you any more details.

Does it make any sense to you that calling the code I’ve posted above creates some kind of a DLL file inside the temporary directory?

@nir-1

No, it does not seem like this code can cause any issues. Furthermore, we were also unable to observe this issue. Can you please share the stack trace and exception message in text format so that we can translate them? We will log an investigation ticket to analyze this particular case and share the ID with you.

I have succeeded in reproducing this behaviour in a virtual machine.
It seems the blocked DLL file is related to the Adobe Acrobat font system, and it is blocked for some reason when using Avast antivirus. Other antivirus software does not see this file as a threat.
Here is the file: zx_f2fdd4bd94784689e6ab695385a1fa70.zip (5.4 KB)

The exception call stack is:

System.IO.FileNotFoundException: Could not load file or assembly 'zx_6ca87a8ac96e4ffdcc25a42fa6ca134b, PublicKeyToken=716fcc553a201e56' or one of its dependencies. The system cannot find the file specified.
File name: 'zx_6ca87a8ac96e4ffdcc25a42fa6ca134b, PublicKeyToken=716fcc553a201e56'
   at System.Reflection.RuntimeAssembly._nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, RuntimeAssembly locationHint, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)
   at System.Reflection.RuntimeAssembly.InternalLoadAssemblyName(AssemblyName assemblyRef, Evidence assemblySecurity, RuntimeAssembly reqAssembly, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)
   at System.Reflection.RuntimeAssembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean forIntrospection)
   at System.Reflection.RuntimeAssembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection)
   at System.Reflection.Assembly.Load(String assemblyString)
   at #=qYtOao58PprCZLK3CqV_HPkzB77LLDY$RBz5GfPsmAl0=.#=zKVHggZ1_5wkVQGf6m2tgBx$o_wcv.#=zUNE$Ro47Q7CXlKLmW7Cyx6Xrchde(String #=zCH93qV0IbFsyO73aue$Hv98=)
   at #=qYtOao58PprCZLK3CqV_HPkzB77LLDY$RBz5GfPsmAl0=.#=zKVHggZ1_5wkVQGf6m2tgBx$o_wcv.#=zXO7mcXddLJEhAVcnRwZdHHhM7bf_()
   at #=qYtOao58PprCZLK3CqV_HPkzB77LLDY$RBz5GfPsmAl0=.#=z703v_w8WpnRP_WU5siYeTzrrhVML(String #=zDpg7s1Y=)
   at #=qYtOao58PprCZLK3CqV_HPkzB77LLDY$RBz5GfPsmAl0=.#=zdAJFXH3_ZOV1syhCPMjJoEPkL$gt(Object #=zHCPYdokyZUZAtRl6VB_kJv4IgGRI, ResolveEventArgs #=zlG_N4VKOdi0mw7pt2GiAQiEsieWM)
   at System.AppDomain.OnResourceResolveEvent(RuntimeAssembly assembly, String resourceName)
   at System.Reflection.RuntimeAssembly.GetResource(RuntimeAssembly assembly, String resourceName, UInt64& length, StackCrawlMarkHandle stackMark, Boolean skipSecurityCheck)
   at System.Reflection.RuntimeAssembly.GetManifestResourceStream(String name, StackCrawlMark& stackMark, Boolean skipSecurityCheck)
   at System.Reflection.RuntimeAssembly.GetManifestResourceStream(String name)
   at #=zskhzHJbE178UXJdB_7BdIXVOH1TF.#=zM5b4svxSehU3(String #=zP_SR9xs=, String #=zEWee1c0=, Assembly #=z4NVTHgs=)
   at #=zs71scsxPtkQdVQAvuAmfiYz23pzzxmFAjLsGhyM=.#=zR0g4ARSaE61W(String #=zDE4fUF8=)
   at #=zs71scsxPtkQdVQAvuAmfiYz23pzzxmFAjLsGhyM=.#=zpnQ_y9xzRmt$()
   at #=zs71scsxPtkQdVQAvuAmfiYz23pzzxmFAjLsGhyM=.#=zWjSRquod8wKu()
   at #=zs71scsxPtkQdVQAvuAmfiYz23pzzxmFAjLsGhyM=.#=zH6LpWMT3K3qP()
   at #=zs71scsxPtkQdVQAvuAmfiYz23pzzxmFAjLsGhyM=.#=zkl22QJg=()
   at Aspose.Pdf.Text.FontRepository.FindFont(String fontName)
   at Aspose.Pdf.TextStamp.#=zhIKFc2EIcL0H()
   at Aspose.Pdf.Facades.FormattedText.#=z$hXHGiaBqL8Q()
   at Aspose.Pdf.Facades.FormattedText..ctor(String text, Color textColor, Color backColor, FontStyle textFont, EncodingType encoding, Boolean embedded, Single textSize)
   at Odcanit.Platinum.Core.Documents.Builder.PdfDocument.BuildTocAndStampAllPages(TempFileStream sourcePdf) in C:\Users\Nir\Documents\Projects\Odcanit.Platinum.Core\Odcanit.Platinum.Core.Documents\Builder\PDFDocument.cs:line 539
   at Odcanit.Platinum.Core.Documents.Builder.PdfDocument.SavePdf(String outputFilename) in C:\Users\Nir\Documents\Projects\Odcanit.Platinum.Core\Odcanit.Platinum.Core.Documents\Builder\PDFDocument.cs:line 234

After further investigating the DLL file (attached in my previous post), I saw there is a resource in that DLL:

Aspose.Pdf.src.CommonData.Text.Fonts.StandartFonts.Courier.afm

It seems this DLL is related to Aspose.

Sending the DLL file to https://virusscan.jotti.org results in:
image.png (118.0 KB)

@nir-1

Thanks for sharing these details.

We have opened an investigation under the ticket ID PDFNET-51256 in our issue tracking system. We will definitely analyze it and let you know as soon as it is resolved. Please be patient and spare us some time.

We are sorry for the inconvenience.

We have more and more customers reporting this issue.
My guess is that it has something to do with Avast/AVG updating their virus signature files, so that the DLL Aspose.PDF creates (for some strange reason) is now detected as a trojan!

You must solve this issue in high priority!

@nir-1

Your concerns have been recorded and we will surely inform you as soon as we analyze and fix this issue. Please spare us some time.

We apologize for your inconvenience.

@nir-1

We are investigating the issue. The API should not create any DLLs in a temporary directory; we do not have any code which could do this. We could suspect that the DLLs in our MSI are infected, but we are trying to reproduce the issue with your code and the latest published release, and still no new DLL is created in the temp directory.

Could you please share the configuration and environment details of the VM in which you have reproduced the issue? Also, please confirm if you tested using the latest version of the API.

Try installing AVG or Avast antivirus. Both have a free version that can be installed without any payment.

After that try to run the code and see what happens. I could reproduce the issue like this.

@nir-1

We did try to test after installing the Avast/AVG antivirus but could not replicate the behavior. We will continue to do so and let you know in case we need more information.

What could you tell from the call stack?

Hi,

We have exactly the same problem reported by customers. Since this is a false positive detection, we have reported the problem to Avast. Avast has promised a fix in the next update, in about 24 hours.

Regards,
Pavel

The question is why is this DLL created in the temp folder in the first place?
Aspose claim they do not create any DLL…

@nir-1

As far as the stack trace is concerned, we reviewed it, and the encrypted part of it is from the obfuscator. We can only say that the code is related to font loading, but the strange thing is that we do not produce/create any DLLs. We are still trying to reproduce the issue and will inform you once we have some feedback to share.

@pavex

The problem is caused by the fact that the obfuscated assembly loads dependent assemblies from its own resources. This action causes an antivirus reaction, which is understandable, but sadly we cannot fix this problem because this is a feature of the obfuscation.
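Added example, not from this thread and not Aspose's code: a PowerShell triage script for an affected customer machine. The last reply explains that the obfuscated assembly unpacks its dependencies from its own resources, and the stack trace earlier in the thread shows the runtime asking for an assembly named zx_<32 hex> with PublicKeyToken 716fcc553a201e56 and not finding it. The script takes those two facts from the posts and checks whether a DLL sitting in %TEMP% is really a strong-named dependency carrying that token (rather than an unrelated dropped file), and records its SHA-256 and Authenticode status so a false-positive report to the AV vendor has evidence attached. The parameter names, the regex over the exception text and the output layout are my own assumptions; nothing here calls into Aspose.

```powershell
# Added example (not from the thread, not Aspose's code): triage DLLs that an
# obfuscated .NET assembly dropped into %TEMP% before the antivirus removed them.
# Assumptions taken from the thread: files are named zx_<32 hex>.dll and the
# expected strong-name token is the one quoted in the FileNotFoundException.
param(
    [string]$TempDir       = $env:TEMP,
    [string]$ExpectedToken = '716fcc553a201e56',
    [string]$TraceFile                      # optional: the exception text saved to a file
)

# 1. If the exception text is available, pull the requested assembly identity
#    out of it. .NET quotes it as 'name, PublicKeyToken=<16 hex>'.
if ($TraceFile -and (Test-Path $TraceFile)) {
    $trace = Get-Content -Raw -Path $TraceFile
    if ($trace -match "Could not load file or assembly '(?<name>[^',]+), PublicKeyToken=(?<tok>[0-9a-fA-F]{16})'") {
        Write-Host ("Exception asks for assembly '{0}' with token {1}" -f $Matches['name'], $Matches['tok'])
        $ExpectedToken = $Matches['tok']
    }
}

# 2. Find candidate dropped assemblies. A file the AV already quarantined is
#    simply absent, which is exactly what the FileNotFoundException reports.
$candidates = Get-ChildItem -Path $TempDir -Filter 'zx_*.dll' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match '^zx_[0-9a-fA-F]{32}$' }

if (-not $candidates) {
    Write-Warning "No zx_*.dll found in $TempDir (already quarantined, or not extracted yet)."
    return
}

# 3. For each candidate: hash it, read its strong-name identity from the
#    assembly metadata, and note whether it carries an Authenticode signature.
foreach ($f in $candidates) {
    $sha256 = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash

    # The strong-name public key token is part of the assembly manifest, so a
    # dropped DLL that carries the vendor's token is the vendor's (renamed)
    # dependency, not a foreign payload. Non-managed files throw here.
    $asmName = $null
    $token   = '<not a managed assembly>'
    try {
        $asmName = [System.Reflection.AssemblyName]::GetAssemblyName($f.FullName)
        $bytes   = $asmName.GetPublicKeyToken()
        if ($bytes -and $bytes.Length -gt 0) {
            $token = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
        } else {
            $token = '<no strong name>'
        }
    } catch {
        # leave the placeholder values
    }

    # Authenticode is independent of the strong name: an unpacked copy of a
    # dependency frequently has none even when the vendor's main DLL is signed.
    $sig = (Get-AuthenticodeSignature -FilePath $f.FullName).Status

    [pscustomobject]@{
        File           = $f.Name
        SizeBytes      = $f.Length
        SHA256         = $sha256
        AssemblyName   = $(if ($asmName) { $asmName.Name } else { '-' })
        PublicKeyToken = $token
        TokenMatches   = ($token -eq $ExpectedToken)
        Authenticode   = $sig
    }
}
```

Run it on the affected machine before the antivirus gets another pass at the directory, e.g. `.\Triage-DroppedDll.ps1 -TraceFile .\exception.txt`; a row with TokenMatches = True plus the SHA-256 is what the vendor's false-positive form needs. A row with a different token, or "<not a managed assembly>", means the quarantined file is not the dependency the stack trace was asking for and deserves separate attention.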