Configuring the macro file scanning option using Trend Micro products

    • Updated:
    • 20 Oct 2016
    • Product/Version:
    • Cloud App Security 1.0
    • Hosted Email Security 2.0
    • InterScan Messaging Security Suite 7.1 Linux
    • InterScan Messaging Security Suite 7.1 Windows
    • InterScan Messaging Security Suite 7.5 Windows
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Web Security Suite 3.1 Linux
    • InterScan Web Security Suite 3.1 Windows
    • InterScan Web Security Virtual Appliance 5.6
    • InterScan Web Security Virtual Appliance 6.0
    • InterScan Web Security Virtual Appliance 6.5
    • PortalProtect 2.0
    • PortalProtect 2.1
    • ScanMail for Exchange 11.0
    • ScanMail for Exchange 12.0
    • ScanMail for IBM Domino 5.6 Windows
    • ScanMail for Lotus Domino 5.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Platform:
    • Windows 2000 Advanced Server
    • Windows 2000 Server
    • Windows 2003 Enterprise
    • Windows 2003 Standard
    • Windows 2008 Enterprise
    • Windows 2008 Standard
Summary

Macro viruses are one of the most common types of file infectors in Microsoft Office documents and compressed files. This virus type can spread between DOS, Windows, Macintosh, and OS/2 systems. It can even travel by email.

Trend Micro patterns can detect macro viruses. For enhanced security, you may configure your system to prevent macro viruses from infecting your environment.

Details

Below are the Trend Micro products and their procedures to enable macro file scanning.

Hosted Email Security (HES) now supports Deep Discovery Analyzer as a Service (DDAaaS). It is a cloud-based web service that acts as an external analyzer.

Enabling this feature helps detect files with embedded macros. It identifies suspicious files, sends them to a sandbox, and then takes an action.

To integrate HES with DDAaaS:

  1. Log in to HES management console.
  2. Go to Inbound Protection > Policy and select Virus > Scanning Criteria.
  3. Under Specify advanced settings, tick the Enable Advanced Threat Scan Engine, Perform advanced analysis to identify threats and Include macro scanning during advanced analysis options.

  4. Click Save.

HES can perform advanced analysis on samples in a closed environment to identify suspicious objects that traditional scanning may not detect. When enabled, HES delays the delivery of the messages until the advanced analysis completes, which may take up to 30 minutes.

To configure IMSS and strip macro files:

For Windows

  1. Go to TrendMicro/IMSS/Config.
  2. Edit the imss.ini file and add the following using Notepad:

    [virus]
    EnableMacroStrip=1

  3. Restart the IMSS Scan Service to reflect the changes in the setting.

For Linux

  1. Go to /opt/trend/imss/config/imss.ini.
  2. Edit the imss.ini file and add the following:

    [virus]
    EnableMacroStrip=1

  3. Restart the services using the command:

    # /opt/trend/imss/script/imssctl.sh restart

To configure IMSVA and strip macro files:

  1. Go to /opt/trend/imss/config/imss.ini.
  2. Edit the imss.ini file and add the following:

    [virus]
    EnableMacroStrip=1

  3. Restart the services using the command:

    # /opt/trend/imss/script/imssctl.sh restart
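
The Linux IMSS and IMSVA edits above, scripted as an added example (not Trend Micro's code). The helper name `set_macro_strip` is hypothetical; it assumes the section and key names can be matched case-insensitively, keeps a `.bak` copy, and avoids duplicating the key or the `[virus]` section when run more than once.

```sh
#!/bin/sh
# Added example: idempotently set EnableMacroStrip=1 under [virus] in imss.ini.
# set_macro_strip is a hypothetical helper, not a Trend Micro tool.
set_macro_strip() {
    ini="$1"
    [ -f "$ini" ] || { echo "no such file: $ini" >&2; return 1; }
    cp -p "$ini" "$ini.bak" || return 1      # rollback copy of the original
    tmp=$(mktemp) || return 1
    # The file is read twice: pass 1 records whether [virus] and the key
    # already exist, pass 2 writes the corrected file.
    awk '
        FNR == 1 { sec = "" }
        /^[ \t]*\[/ { sec = tolower($0); gsub(/[ \t]/, "", sec) }
        NR == FNR {
            if (sec == "[virus]") {
                has_sec = 1
                if (tolower($0) ~ /^[ \t]*enablemacrostrip[ \t]*=/) has_key = 1
            }
            next
        }
        # Existing key inside [virus]: rewrite it once, drop any duplicates.
        sec == "[virus]" && tolower($0) ~ /^[ \t]*enablemacrostrip[ \t]*=/ {
            if (!done) print "EnableMacroStrip=1"
            done = 1
            next
        }
        { print }
        # [virus] exists but has no key: add it right after the header.
        /^[ \t]*\[/ && sec == "[virus]" && !has_key && !done {
            print "EnableMacroStrip=1"
            done = 1
        }
        # No [virus] section at all: append one.
        END { if (!has_sec) print "[virus]\nEnableMacroStrip=1" }
    ' "$ini.bak" "$ini.bak" > "$tmp" && cat "$tmp" > "$ini"  # cat keeps owner/mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage on the path given in this article, followed by the restart step:
#   set_macro_strip /opt/trend/imss/config/imss.ini \
#       && /opt/trend/imss/script/imssctl.sh restart
```

Comparing `imss.ini` with `imss.ini.bak` after the run shows exactly what changed before the services are restarted.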

You may also refer to the article Enabling ATSE Macro Threat Detection feature in InterScan Messaging Virtual Appliance (IMSVA) for further instructions.

To configure IWSVA and IWSS to block macro files:

  1. Log in to IWSVA management console.
  2. Navigate to HTTP > Advanced Threat Protection > Policies.
  3. Open the Virus/Malware Scan Rule tab.
  4. Under Blocked These File Types, tick Macros in Microsoft Office compressed by ActiveMime.
  5. Click Save.

IWSVA and IWSS also support the automatic and global removal of all macros as they cross the FTP and HTTP gateway (for example, as an immediate but short-term solution to a sudden macro virus outbreak).

To strip macro files:

  1. Log in to IWSVA management console.
  2. Navigate to HTTP > Advanced Threat Protection > Policies.
  3. Open the Action tab.
  4. Set Clean Action for the File Type Macros.

    By default, Macros is set to Pass. Choose Clean to have IWSVA strip all macros from all files crossing the HTTP gateway, typically in case of a macro virus outbreak, or Quarantine to have IWSVA move all macro-containing documents to the quarantine server.

  5. Click Save.

For more information about MacroTrap on IWSx, you may refer to IWSVA Online Help.

To set the macro scanning options for manual scan:

  1. Go to Manual Scan.
  2. Under Select the scan type, click the Security risk scan link.
  3. Navigate to Action tab > Advanced Options > Macros.
  4. Select the Enable advanced macro scan option.
  5. Choose your preferred detection type:
    • Heuristic level
      • 1 - Lenient filtering
      • 2 - Default filtering
      • 3 - Sensitive filtering
      • 4 - Rigorous filtering
    • Delete all macros detected by advanced macro scan
  6. Click Save.

The Macros in Microsoft Office files advanced option can be found in the Scanning Option > Virus Scan module.

The SMD advanced option scans any type of macro under the GenericMacxxxx name and treats it as a virus, regardless of whether the file contains a plain macro or malware. The action performed on the macro file depends on the settings defined by the user, which is either Pass, Quarantine, or Strip.

To configure SMEX to scan unknown macro viruses:

  1. Navigate to Security Risk Scan > Action > Advanced Options.
  2. Click Macros.
  3. Select the Enable advanced macro scan option.
  4. Choose a detection type from the following:
    • Heuristic level - This option enables you to set the heuristic rules from Level 1 to Level 4.
       
      Trend Micro recommends a heuristic scan level of 2. This level provides a high detection level for unknown macro viruses, a fast scanning speed, and it uses only the necessary rules to check for macro virus/malware strings. Level 2 also has a low level of falsely identifying malicious code in safe macro code.
       
    • Delete all macros detected by advanced macro scan - This option allows SMEX to remove all the macro codes that it detects.
  5. Click Save.

To configure Messaging Security Agent to scan for unknown macro viruses:

  1. Go to Antivirus > Action.
  2. Click + to expand the Macros panel.
  3. Select Enable advance macro scan.
  4. Choose a detection type:
    1. Select Heuristic level and assign a level for the heuristic rules.
        • Level 1 uses the most specific criteria but identifies the fewest macro codes.
        • Level 4 recognizes the most macro codes but uses the least specific criteria. It may incorrectly identify safe macro code as harboring malicious macro code.
       
      Trend Micro recommends a heuristic scan level of 2. This level provides a high detection level for unknown macro viruses and fast scanning speed. Only essential rules are used to check for macro virus strings. Level 2 also has a low level of incorrectly identifying malicious code in safe macro code.
    2. Select Delete all macros detected by advanced macro scanning to have the MSA remove all of the macro codes that it detects.
  5. Click Save.

Cloud App Security (TMCAS) supports Deep Discovery Analyzer as a Service (DDAaaS). It is a cloud-based web service that acts as an external analyzer.

Enabling this feature helps detect files with embedded macros. It identifies suspicious files, sends them to a sandbox, and then takes an action.

To integrate TMCAS with Deep Discovery Analyzer as a Service (DDAaaS):

  1. Log in to TMCAS management console.
  2. Go to Advanced Threat Protection and select ATP Policy.
  3. Under Virtual Analyzer setting, click Enable Virtual Analyzer, and make sure the Action setting is configured as follows:

    Virtual Analyzer Settings

  4. Click Save.
Category:
Configure; Troubleshoot
Solution Id:
0123614