Macro file scanning option in InterScan Messaging Security Virtual Appliance (IMSVA)

    • Updated: 6 Apr 2016
    • Product/Version: InterScan Messaging Security Virtual Appliance 8.5; InterScan Messaging Security Virtual Appliance 9.0; InterScan Messaging Security Virtual Appliance 9.1
    • Platform: CentOS 6 64-bit
Summary

Macro viruses are one of the most common types of file infection in Microsoft Office documents and compressed files.

Trend Micro patterns can detect macro viruses. For enhanced security, you may configure your IMSVA to prevent macro viruses from infecting your environment.

Details

Known macro viruses included in our patterns are not a problem, as either VSAPI or ATSE with the latest patterns can detect them.

For documents with unknown macro threats, an IMSVA administrator can use the following optional solutions to enhance security:

  • Option 1: Stripping the macro directly from the document file

    The administrator can set IMSVA to strip the macro directly from the document. This is considered the most aggressive solution.

    For more information, refer to the article on Configuring the macro file scanning option using Trend Micro products.

  • Option 2: ATSE Macro Threat Detection

    The ATSE Macro Threat Detection feature may be enabled in IMSVA.

    For more information, refer to the article on Enabling ATSE Macro Threat Detection feature in IMSVA.

    With this option enabled, ATSE can use more aggressive rules to detect possible macro viruses, reported with the prefix HEUR:

    • With DDAn integrated, IMSVA will send the possible virus to DDAn for future analysis.
    • Without DDAn integrated, IMSVA will treat it as a normal virus and take action immediately.
  • Option 3: Advanced File Information (AFI)

    ATSE contains a new feature named Advanced File Information (AFI). It can detect the format of a file. Administrators can use this feature to let ATSE detect macros. IMSVA can then send the detected macro file to DDAn for analysis.

    This option requires IMSVA with DDAn integrated and the scan engine set to ATSE. To do this:

    1. Open the imss.ini file in the /opt/trend/imss/config folder using a text editor.
    2. Add the following setting under the General section and set its value to "1":

      [general]
      atse_afi_macro_detect=1

       
      To disable the feature, set "atse_afi_macro_detect=0", which is the default value.
    3. Save the changes and close the file.
    4. Restart the scanner service using the following command:

      # /opt/trend/imss/script/S99IMSS restart

    With this setting, IMSVA can send all documents that contain macros to DDAn for analysis.

    If DDAn is not integrated, IMSVA will only log the information.
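The Option 3 procedure above can be scripted so that the setting is applied the same way on every scanner and can be audited afterwards. The following is an added example, not Trend Micro's own tooling: the function names are hypothetical, and it assumes imss.ini is a plain INI file with [section] headers and key=value lines.

```shell
#!/bin/sh
# Added example: idempotent edit of atse_afi_macro_detect in the [general] section.
# Assumption: imss.ini is a plain INI file with [section] headers and key=value lines.

set_afi_macro_detect() {   # usage: set_afi_macro_detect /path/to/imss.ini 0|1
    ini=$1 val=$2
    case $val in 0|1) ;; *) echo "value must be 0 or 1" >&2; return 2 ;; esac
    [ -f "$ini" ] || { echo "no such file: $ini" >&2; return 1; }
    cp -p "$ini" "$ini.bak" || return 1          # keep a rollback copy
    tmp=$(mktemp "$ini.XXXXXX") || return 1
    # The file is read twice: pass 1 surveys it, pass 2 rewrites it.
    awk -v val="$val" '
        FNR == 1 { in_gen = 0 }
        /^[ \t]*\[/ { in_gen = (tolower($0) ~ /^[ \t]*\[general\]/) }
        { is_key = (in_gen && $0 ~ /^[ \t]*atse_afi_macro_detect[ \t]*=/) }
        NR == FNR { if (in_gen) have_sec = 1; if (is_key) have_key = 1; next }
        is_key { print "atse_afi_macro_detect=" val; next }   # replace in place
        { print }
        in_gen && !have_key && /^[ \t]*\[/ {                   # key absent: add under header
            print "atse_afi_macro_detect=" val; have_key = 1
        }
        END { if (!have_sec) { print "[general]"; print "atse_afi_macro_detect=" val } }
    ' "$ini" "$ini" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$ini" && rm -f "$tmp"          # overwrite in place: owner and mode are kept
}

get_afi_macro_detect() {   # prints the effective value; 0 is the documented default
    awk '
        /^[ \t]*\[/ { in_gen = (tolower($0) ~ /^[ \t]*\[general\]/) }
        in_gen && /^[ \t]*atse_afi_macro_detect[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); v = $0 }
        END { print (v == "" ? 0 : v) }
    ' "$1"
}

# Run as: sh script.sh /opt/trend/imss/config/imss.ini 1
# then restart the scanner service: /opt/trend/imss/script/S99IMSS restart
if [ "$#" -eq 2 ]; then set_afi_macro_detect "$1" "$2"; fi
```

Only a key inside [general] is touched; an identically named key in another section is left alone, and get_afi_macro_detect can be used on its own to audit which scanners have the feature enabled.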

Category: Configure; Troubleshoot; Deploy; Remove a Malware / Virus
Solution Id: 1113805