ACME 9: Security notes

Malware for CAD programs is rare, but it does exist and is something to take into account.

It is known that several virus infections have been transferred via AutoCAD in the past. BricsCAD is no less susceptible. Apparently Autodesk thought it necessary to introduce “trustedpaths” and the “app plug-in model”. This is often characterized as overkill. At the same time, the concept of “trustedpaths” is somewhat defensible, but it is also very easy to circumvent and therefore little more than lip service. Inquiries show that Bricsys deliberately did not participate in these developments.


For a client, just as for a solution developer, it is important to have a good picture of the security policy of Autodesk and Bricsys. At Bricsys, the policy is: “You ask, we create” – if there are sufficient requests.

So users have a big responsibility: “Do not download and use drawings and code from third parties”.

At the same time, system management should be layered, with user groups having more rights than users themselves. After all, the wisdom of the group is greater. An optimal balance must be found between working efficiently and a sufficient degree of security.

Someone who works within the organization and has bad intentions is always hard to stop – just like someone who has a box of matches in one pocket and a sledgehammer in the other. That falls outside the scope of this document, but it is a real risk.


VBA is one of the virus vectors. And since VBA can even be embedded in DWG documents itself, there is a potential danger.

AutoCAD warns against macros in drawings, and in BricsCAD VBA is disabled by default.

This also fits in with the vision that VBA is increasingly becoming a dead language. ACME does not support VBA.


However, Lisp can also be a vector. It cannot be embedded in drawings. The language is interpreted, which means that the code can be checked for malware.

Lisp can be compiled, which results in speed gains but also means the code can no longer be checked. Compiled files can be recognized by their extensions: .vlx and .fas for AutoCAD and .des for BricsCAD.

Compiled Lisp files from third parties require the necessary attention. If there are any doubts about the reliability of the supplier, then the advice is: ask for access or decompile the files.

See also for details.

Code locations

In general, it is a good idea to put code in the protected environment, i.e. %programfiles%, or a semi-protected group location. The %appdata% environment is considered to be not safe. Unfortunately, trustedpath and acadprefix or srchpath are easily circumvented, giving a false feeling of safety. In the end it boils down to the behaviour of users and to locking and monitoring potentially unwanted actions.
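
As an added example (not part of ACME or of the original page), the following Python script inventories Lisp files and flags the two conditions described above: compiled files that can no longer be checked, and files stored outside a protected location. The .lsp source extension, the function names and the report format are assumptions of this example.

```python
import os
from pathlib import Path

# Compiled extensions as named on this page; .lsp (plain-text source) is assumed.
COMPILED = {".vlx": "AutoCAD", ".fas": "AutoCAD", ".des": "BricsCAD"}
SOURCE = {".lsp"}


def is_under(path, root):
    """True if path lies inside root; compares whole path components."""
    p = os.path.normcase(os.path.realpath(path))
    r = os.path.normcase(os.path.realpath(root))
    try:
        return os.path.commonpath([p, r]) == r
    except ValueError:  # e.g. different drives on Windows
        return False


def audit(scan_roots, protected_roots):
    """Return one finding (dict) per Lisp file found below scan_roots."""
    findings = []
    for root in scan_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in sorted(files):
                ext = Path(name).suffix.lower()
                if ext not in COMPILED and ext not in SOURCE:
                    continue
                full = os.path.join(dirpath, name)
                protected = any(is_under(full, r) for r in protected_roots)
                if ext in COMPILED:
                    notes = [f"compiled ({COMPILED[ext]}): not readable, "
                             "ask the supplier for source or decompile"]
                else:
                    notes = ["source: readable, can be checked"]
                if not protected:
                    notes.append("outside protected location")
                findings.append({"path": full, "compiled": ext in COMPILED,
                                 "protected": protected, "notes": notes})
    return findings


if __name__ == "__main__":
    # Roots taken from the environment variables the page mentions.
    prot = [v for v in [os.environ.get("ProgramFiles")] if v]
    user = [v for v in [os.environ.get("APPDATA")] if v]
    for f in audit(prot + user, prot):
        print(f["path"], "|", "; ".join(f["notes"]))
```

The location check compares whole path components, so a folder whose name merely starts with the protected folder's name is not treated as protected.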
