Custom packages - virus and malicous code risk?


Thanks for sharing this, I would have one more question, if you let me: can we safely exchange files here (such as .dyn or .rvt)? (This could have been already discussed somewhere but I am not aware of it…)


thanks Jacob, that’s really helpful

our office dyno group is having it’s second meeting on Tuesday, so hopefully with all the excellent replies on here we can put this issue to bed.


Interesting topic. There are so many ways to compromise a system and yes Dynamo packages could be one way I guess. However, other more common ways are through email attachments, infected USB drives, drop box or sloppy web protection, something that management are at risk of doing quite a bit I’d say. If your company was that concerned you could get your own Revit API guy and generate the content yourselves, or if the nodes are in python, peek under the hood and have a look at what’s in there - this way you can learn how it works and start learning to develop your own content.

At my company, we test and peek in all packages before they are rolled out on our server globally so we have vetted the quality and some packages are whitelisted as I know they come from a reputable source and always good quality e.g clockwork, arch-lab, data-shapes to name just a few.

I agree with most of the comments above, although it did get rather heated. But, you always run the risk of infection as long as your computer has an internet connection and USB ports. As @JacobSmall said, the functionailty Dynamo gives you is well worth the risk and in most cases you can view the code yourself, not something that can be done with Revit Add-ins (or any other 3rd party add-in for any software) which you could argue is riskier.

Anyway, good luck with your business case and don’t forget to download the IStealAllYourData package, it’s slower than but by guegle so far more secure of course. :stuck_out_tongue_winking_eye:


As far as I know this site is as safe here as any other reputable file transfer method. I have faith that Autodesk wouldn’t let anyone splicing anything bad into the stuff we download and other users would have to hack into the system to get that level of access. So no real worries on that end. That said, if someone uploaded an infected file to the site and you downloaded it then you’re vulnerable - which is exactly the same with any other file transfer.

Now let’s all go start out our week worrying about all those infected bits of code in dyf files that we’ve passed around like pink eye through a kindergarten!

Seriously though I can’t stress this enough - it would be difficult and not worth the effort to attach malicious code to something on these forums. Not a wide enough distribution network. So don’t worry about it on that front.

A virus (meaning self replicating malicious code) can attach itself to a dwg, rvt, dyf, jpg or any other file type though. That’s why they are called viruses: they spread. But this is why we protect ourselves. Everyone here has heard about the need for antivirus and why when they bought their last personal computer, tablet or phone. Just because you’re working in a corporate environment doesn’t change that need. But the sad reality about antivirus is that it works like real medicine in that the ‘vaccine’ for a virus can’t be put in place until we know what that virus is (imagine the next Polio, now go cure that before it exists).

This is why every office should have digital security measures in place (firewalls, antivirus, limited permissions, frequent data backups on separate media, etc). The severity and restrictions of these measures should be tailored to the work of your office (the neuclear plant should have more restrictions than a sole proprietor doing single family homes).

Ask your IT department, consultant, or the ‘computer guy’ in your office for specifics about your office’s system. They won’t have to go into too much technical detail for you to get the just of it. You will likely be surprised by what actually happens in the background while we do our documentation and design work. So much of what they do goes completely unnoticed until something breaks at which point they usually serve as the ‘fall guy’ for stuff that is out of their control.

There should really be a national ‘IT support’ day… someone call Hallmark I’m sure they would love a reason to sell more greeting cards.


Nice way to manage :slight_smile:

Ok found the DynamoSettings.XML file here:
C:\Users\ UserName\AppData\Roaming\Dynamo\Dynamo Core\1.2

I can see the listings as the same from Settings>Manage nodes & Package Paths from within Dynamo
But what should be changed to make all future packages reside in the network drive?
Also, how to make installation of Dynamo on a new machine read this file?



Guys for the corporate people I am happy to run malicious code checks validations on my source code in my packages and issue a certificate at $500 a company as well as digitally signed dll’s. This will guarantee my packages are safe to use and free from virus’s. Contact me for details. I could probably speak for a number of other people as well who would be happy to offer that level of guarantee for financial compensation.


There was a virus that would upload all CAD files to a remote destination, Mexico I think. Revit models have a lot of value, especially military ones… Interestingly, it was written in LISP! (Dynamo’s feeble grampa?)

I think it’s far fetched to go through Dynamo, but to say that Revit models have no value and that no on would want it is not wise. Many people could die if Revit models would go into the wrong hands. Think Pentagon or security or bank buildings.


Hi Andreas,

We would like to adopt the same method but worry some .dll files won’t update if they’re being used while a package is updated/replaced? How would you ensure this doesn’t cause an issue?

Many thanks


Tell people to shut down their machines or at least Dynamo when they leave the office. Then update packages at night. Works 95% of the time. :slight_smile: