Known macro viruses included in our pattern are not a problem as either VSAPI or ATSE using the latest patterns will be able to detect it. For documents with unknown macro threats, an SMEX administrator can take following optional solutions to enhance security:

• Option 1: Stripping the macro directly from the document file:

  An administrator can set SMEX to strip the macro directly from document. This is considered as the most aggressive solution.

  To know further, refer to KB 0123614.

• Option 2: Macro Threat Detection with Sandbox integration in Deep Discovery Analyzer (DDAN):

  Since SMEX 11 SP1 Patch 1(or SMEX 11 SP1 with Hot Fix Build 4227 ), SMEX has enabled the "HEUR_HAS_MACRO" ATSE rule which is used to detect if an email file attachment contains macros. To use this feature:

  1. Configure SMEX integrate with DDAn by referring to KB 1113902.
  2. Add/modify the Register Key:

     • Path: HKLM\SOFTWARE\TrendMicro\ScanMail for Exchange\CurrentVersion
       Key: EnableMacroRule
       Type: REG_DWORD
       Data value: 1

        

       "1" enables the HEUR_HAS_MACRO Advanced Threat Scan Engine rule.
       "0" the default value, disables the HEUR_HAS_MACRO Advanced Threat Scan Engine rule.

     • Path: HKLM\SOFTWARE\TrendMicro\ScanMail for Exchange\CurrentVersion
       Key: PassMacroRule
       Type: REG_DWORD
       Data value: 0

        

       "1" the default value. SMEX takes the "Pass" action on an email message that triggers the HEUR_HAS_MACRO rule that is not analyzed or cannot be analyzed by the Deep Discovery Advisor server.
       "0" SMEX takes the specified Advanced Threat action on an email message that triggers the HEUR_HAS_MACRO rule which is not analyzed or cannot be analyzed by the Deep Discovery Advisor server.

  With this feature enabled, ATSE can use more aggressive rules to detect the possible macro virus with prefixes as HEUR