"You should only open projects from a trustworthy source"

Every time I see this Visual Studio security warning, I chuckle at the motherhood statement - "You should only open projects from a trustworthy source" - and feel helpless. It is the same as saying, "You should shake hands only with someone who has already washed his hands, or else he MAY be carrying germs".

I wish Visual Studio could detect automatically if a project contains malicious code.


The project file XYZ may have come from a location that is not fully trusted. It could present a security risk by executing custom build steps when opened in Microsoft Visual Studio that could cause damage to your computer or compromise your private information.

Would you like to open this project?

It tells you to be cautious but provides no other help. What am I supposed to look out for? Can't Visual Studio spot and remove the security risk?

This answer on the Information Security StackExchange forum has a better explanation -
This has to do with the project itself and the automation in Visual Studio. It could potentially do quite a lot since Visual Studio can do some pretty low-level stuff. The way to mitigate it is to either check the project and solution files manually for build steps and such prior to opening (it's all human-readable XML if you have much familiarity with Visual Studio and they aren't generally too too long) or to simply add the source to a newly created project and solution.

...but it is finally up to the developer to figure out the "risk"
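The "check the project file manually for build steps" advice can be made concrete. The script below is an added example, not code from the original post or from Visual Studio: it parses an MSBuild project file (.csproj or .vcxproj, which is the XML the answer refers to) and lists every element that can run a command or load code when the project is opened or built, so a reviewer knows which lines to read before clicking "Yes". The element names and the MSBuild namespace are real; the sample project, its paths and its commands are constructed placeholders. An empty result means none of the listed hooks was found, not that the project is safe, and .sln files (plain text, not XML) are out of scope here.

```python
"""Pre-open triage of an MSBuild project file (.csproj / .vcxproj).

Lists the places where a project can execute something during evaluation
or build. Read-only: it reports, it does not rewrite the project.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Elements whose presence means "something runs when this project builds".
EXEC_ELEMENTS = {
    "Exec": "runs an arbitrary shell command",
    "PreBuildEvent": "runs a command before the build",
    "PostBuildEvent": "runs a command after the build",
    "PreLinkEvent": "runs a command before linking (C++)",
    "CustomBuild": "runs a per-file custom command (C++)",
    "UsingTask": "loads a task assembly or inline task source code",
}

# Imports rooted in the MSBuild / Visual C++ install are the normal toolchain.
# Anything else (a .targets file shipped inside the repo, a UNC path) is
# project-supplied build logic and deserves a look.
STANDARD_IMPORT_ROOTS = (
    "$(MSBuildExtensionsPath",   # no ')' so ...Path32 / ...Path64 also match
    "$(MSBuildToolsPath)",
    "$(MSBuildBinPath)",
    "$(VCTargetsPath)",
)

# MSBuild property functions let a plain property value call into .NET,
# e.g. $([System.IO.File]::ReadAllText(...)). Match the "$([Type]::" opener.
PROPERTY_FUNCTION = re.compile(r"\$\(\[[\w.]+\]::")


def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def scan_project(xml_text):
    """Return (element, reason, detail) tuples in document order."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        tag = _local(elem.tag)
        text = (elem.text or "").strip()
        if tag in EXEC_ELEMENTS:
            detail = (elem.get("Command") or elem.get("AssemblyFile")
                      or elem.get("TaskFactory") or text)
            findings.append((tag, EXEC_ELEMENTS[tag], detail))
        elif tag == "Import":
            project = elem.get("Project", "")
            if not project.startswith(STANDARD_IMPORT_ROOTS):
                findings.append((tag, "imports a non-toolchain file", project))
        elif tag == "Target" and (elem.get("BeforeTargets") or elem.get("AfterTargets")):
            # A hooked target runs as part of the standard build, including the
            # design-time builds Visual Studio performs on load, without anyone
            # invoking it by name.
            hook = elem.get("BeforeTargets") or elem.get("AfterTargets")
            findings.append((tag, "target hooked into the standard build",
                             f"{elem.get('Name')} -> {hook}"))
        # Property functions can hide in any attribute or property value.
        for value in list(elem.attrib.values()) + [text]:
            if PROPERTY_FUNCTION.search(value):
                findings.append((tag, "property function calls into .NET", value))
    return findings


def report(findings):
    """Human-readable one-line-per-finding summary."""
    if not findings:
        return "no build-time execution hooks found"
    return "\n".join(f"[{tag}] {reason}: {detail}" for tag, reason, detail in findings)


# Constructed sample project (not a real one); commands and paths are placeholders.
SAMPLE_PROJECT = r"""<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" />
  <Import Project="..\build\extras.targets" />
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)drop\"</PostBuildEvent>
    <Greeting>$([System.Environment]::GetEnvironmentVariable('USERNAME'))</Greeting>
  </PropertyGroup>
  <Target Name="Prep" BeforeTargets="Build">
    <Exec Command="powershell -File tools\prep.ps1" />
  </Target>
  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
</Project>
"""

if __name__ == "__main__":
    # Usage: python scan_project.py path\to\Some.csproj   (no argument: the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            src = fh.read()
    else:
        src = SAMPLE_PROJECT
    print(report(scan_project(src)))
```

Run it against the sample and it reports the repo-local `.targets` import, the post-build event, the property function in `Greeting`, the target hooked before `Build`, and the `Exec` inside it, while the two toolchain imports are skipped. That is the short list a reviewer should read before opening the project, and it is the same list Visual Studio could have shown instead of the generic warning.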

Related: Use the "inverted pyramid" for UI text in dialog boxes
