Macro virus is one of the most common types of file infections in Microsoft Office documents and compressed files.
Trend Micro patterns can detect macro viruses. For enhanced security, you may configure your IMSVA to prevent macro viruses from infecting your environment.
Known macro virus included in our pattern are not be a problem, as either VSAPI or ATSE with the latest patterns can detect it out.
For documents with unknown macro threats, an IMSVA administartor can take following optional solutions to enhance security:
- Option 1: Stripping the macro directly from the document file
The administator can set IMSVA to strip the macro directly from document. This is considered as the most aggressive solution.
To know further, refer to this article on Configuring the macro file scanning option using Trend Micro products.
- Option 2: ATSE Macro Threat Detection
The ATSE Macro Threat Detection feature may be enabled in IMSVA.
To know further, refer to this article on Enabling ATSE Macro Threat Detection feature in IMSVA.
With this option enabled, ATSE can use more aggressive rules to detect the possible macro virus with prefixes as HEUR:
- With DDAn integrated, IMSVA will send the possible virus to DDAn for future analysis.
- Wihtout DDAn integrated, IMSVA will treat it as normal virus and take action immediately.
- Option 3: Advanced File Information (AFI)
ATSE contains a new feature named Advanced File Information (AFI). It can detect the format of a file. Administrators can use this feature to let ATSE detect macros. IMSVA can then send the detected macro file to DDAn for analysis.
This option needs IMSVA with DDAn integrated, and set engine to use ATSE. To do this:
- Open the imss.ini file in the /opt/trend/imss/config folder using a text editor.
- Add the following setting under the General section and set its value to "1":
atse_afi_macro_detect=1To disable the feature, set "atse_afi_macro_detect=0" which is the default value.
- Save the changes and close the file.
- Restart scanner service using the following command:
# /opt/trend/imss/script/S99IMSS restart
With this setting, IMSVA can send all documents that contain macro to DDAn for analysis.
If there is no DDAn integrated, IMSVA will only log the info.