Velixo Classic security considerations

Applies to

• Velixo Classic
• Acumatica, MYOB Advanced, Cegid XRP Flex

TABLE OF CONTENTS

• Applies to
• Overview
• Strong code signing
• Malware mitigation and scanning
• Per-user vs. per-machine installation
  • Per-user installation
  • Per-machine installation
• Rationale for other potential flaggable behaviors
• But my AV vendor is still flagging this as malware?
• Still concerned?

Overview

Velixo Classic is a COM-based Excel add-in that interacts with your file system, the Windows Registry (settings storage), and your cloud ERP system. As such, it might sometimes be falsely flagged as malware by your security software. If you're installing Velixo in a corporate environment, we recommend that you let your IT/Security team know about the installation so they can verify and allow-list Velixo in advance.

Please provide your IT/Security team with a link to this page: it contains everything they need to know to ensure peace of mind about Velixo's installation and runtime behaviours.

Strong code signing

Velixo Classic's MSI package, as well as the main binaries, are signed using a strong EV code certificate, managed by Microsoft Azure Key Vault. Controls can be put in place by the administrator to ensure only software signed by our EV code certificate is allowed.

Malware mitigation and scanning

Our code builds are performed using Azure DevOps Services and Microsoft-hosted build agents.  Microsoft-hosted agents run on a secure Azure platform, which provides several benefits from a security-perspective.  Although Microsoft-hosted agents run on Azure public network, they are not assigned public IP addresses.  So, external entities cannot target Microsoft-hosted agents.  

Microsoft-hosted agents are run in individual Virtual Machines (VMs), which are re-created after each run. Each agent is dedicated to a single organization, and each VM hosts only a single agent.  In addition to that, during the build process, we scan all the resulting artifacts (such as the installer packages) for malware using Microsoft Security with the latest AV definitions.

Velixo is also part of Kaspersky Labs' allowlist program, where we upload each and every version of our installers for external analysis.  This ensures that, in addition to our internal safeguards, our products are also independently scanned externally (and proactively allow-listed in AV definitions).

Per-user vs. per-machine installation

When launching the Velixo Classic installer, you can choose whether to install Velixo just for the current user (default), or for all users.

Per-user installation

When installing Velixo just for the current user, our installer .MSI does not require administrative privileges, and as such shouldn’t have any ability to update protected files/settings/registry entries. The installation path for Velixo files in this case is %APPDATA%/Velixo (roaming app data of the current user).

Per-machine installation

Per-machine installation writes to C:\Program Files instead.

❗ It also and adds a Windows registry entry to launch an ActiveSetup utility that configures it for every user on the machine on next login. This can sometimes be flagged by your security software.

If this is a concern, you can always install Velixo for each user on the machine, individually.

Rationale for other potential flaggable behaviors

• Other registry access: at the end of the installation, the Velixo installer invokes a Windows Installer custom action to configure Excel's registry keys to include our add-in into the "auto-start" list.
  • To execute this custom action, Windows Installer will first need to extract the custom action (InstallerCA.dll) and related files into the Windows Installer temp directory at %WINDIR%\Installer, and then create a thread that calls rundll32.exe. 
  • The registry keys added or updated are all part of the HKEY_CURRENT_USER\Software\Microsoft\Office node.
  • ❗ Note that this does not apply to per-machine installations, see above.
• Reading "windows.ini" file - this is read by Windows Installer (msiexec) during installation of any package, not just Velixo.
• GetKeyState() Win32 API invocation: used by Windows Installer to check whether SHIFT, ALT, or CTRL keys are pressed. Also used by Velixo add-in itself to detect "F2" key presses to perform IntelliSense substitutions in formulas.
• Network access: as part of its normal operation, Velixo Classic will be directly interacting:
  • with your ERP web service and OData endpoints (ex: contoso.acumatica.com)
  • our licensing and update server (secure.velixo.com).
  • telemetry/crash reporting servers (*.applicationinsights.azure.com and *.microsoft.com).
• Disk access: Velixo caches your ERP data in the user local application data folder (%LOCALAPPDATA%\Velixo). This enables the smart refresh functionality of Velixo, and helps us ensure your the software is functional even when your internet connection is unavailable.

But my AV vendor is still flagging this as malware?

Security software vendors will sometime accidentally flag software as a virus/trojan due to changes in their signature files, most often due to truly malicious add-ins invoking similar Windows APIs. They are usually very quick to acknowledge that it is a false-positive when we reach out to them.

On several occasions, vendors like Kaspersky, ZoneAlarm and Ikarus all confirmed in writing that our add-in was a false-positive, and that their next database update would remove this. If you experience a false positive alarm with Velixo Classic, please reach out to [email protected] and we will sort it out.

Still concerned?

Consider using Velixo NX! It is our modern, cross-platform add-in experience that supports more ERP systems than just Acumatica-based ERPs.

Velixo NX uses the modern extensibility framework for office add-ins, so there is no client software to install, and the add-in runs completely sand-boxed inside a browser engine.