« How to fix a dead half-string of LED Christmas lights | Main | Archive: 'State of the PLM Economy' webinar »

Dec 17, 2018


Steve Johnson

I disagree. The problem is extremely simple to solve on the software side, and has in fact been solved since AutoCAD 2016 with the LEGACYCODESEARCH system variable (one of the things available in SecurityOptions). It's rare that there would be any need to have any code (e.g. acad.fas) automatically loaded just because it's in the Start In or drawing folders, and this system variable lets you turn that feature off. I know of one person who uses this facility to do project-specific startup stuff, but it's rare and there are alternative mechanisms available.

Upshot: set LEGACYCODESEARCH=0 and the problem goes away. As a CAD Manager, set the equivalent when creating your installation deployment and you can also specify that the user can't override it.

I suggested such a simple solution to Autodesk, many years before it was implemented. It was very frustrating to see that when some attention was finally paid to this issue, a lot of effort initially went into far more complex, troublesome, and less than fully effective security measures instead. A proper solution arrived eventually, but millions of users were exposed to unnecessary risk for years on end.

Fortunately in BricsCAD, acad.fas just gets ignored so these viruses will do nothing. It would be possible to write a BricsCAD equivalent but nobody has - yet - so for now we can get by without LEGACYCODESEARCH.

Ralph Grabowski

D.R. replies:

I think the main idea behind this kind of attack is the use of AutoCAD PROJECTS. You don't send a DWG (which cannot be infected this way), but you send a complete project (by USB, CD or mail).

The project consists of multiple DWGs (xrefs), maybe some support files (shapes/fonts) and a hidden acad.lsp/fas. As AutoCAD automatically runs an acad.lsp from within the project folder (which I think it does), using the project infects the system.

Steve Johnson

That's the point of what I wrote in my comment: you can (and should!) turn off that auto-loading in 2016 and later. It's off by default, which is as it should be. Please see the docs on LEGACYCODESEARCH.

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)


Search This Blog



Thank you for visiting!