
Macro file scanning option in ScanMail for Microsoft Exchange (SMEX)

    • Updated: 10 May 2016
    • Product/Version: ScanMail for Exchange 11.0, ScanMail for Exchange 12.0
    • Platform: Windows 2008 Standard 64-bit, Windows 2012 Server Essentials, Windows 2012 Standard
Summary

Macro viruses are one of the most common types of file infection in Microsoft Office documents and compressed files.

Trend Micro patterns can detect macro viruses. For enhanced security, you can configure SMEX to prevent macro viruses from infecting your environment.

Details

Known macro viruses included in our pattern are not a problem, as either VSAPI or ATSE using the latest patterns will be able to detect them. For documents with unknown macro threats, an SMEX administrator can apply the following optional solutions to enhance security:

  • Option 1: Stripping the macro directly from the document file:

    An administrator can set SMEX to strip the macro directly from the document. This is considered the most aggressive solution.

    For more information, refer to KB 0123614.

  • Option 2: Macro Threat Detection with Sandbox integration in Deep Discovery Analyzer (DDAN):

    Since SMEX 11 SP1 Patch 1 (or SMEX 11 SP1 with Hot Fix Build 4227), SMEX has supported the "HEUR_HAS_MACRO" ATSE rule, which detects whether an email file attachment contains macros. To use this feature:

    1. Configure SMEX to integrate with DDAN by referring to KB 1113902.
    2. Add or modify the following registry keys:
        • Path: HKLM\SOFTWARE\TrendMicro\ScanMail for Exchange\CurrentVersion
          Key: EnableMacroRule
          Type: REG_DWORD
          Data value: 1

          "1" enables the HEUR_HAS_MACRO Advanced Threat Scan Engine rule.
          "0", the default value, disables the HEUR_HAS_MACRO Advanced Threat Scan Engine rule.
        • Path: HKLM\SOFTWARE\TrendMicro\ScanMail for Exchange\CurrentVersion
          Key: PassMacroRule
          Type: REG_DWORD
          Data value: 0

          "1", the default value: SMEX takes the "Pass" action on an email message that triggers the HEUR_HAS_MACRO rule and is not analyzed or cannot be analyzed by the Deep Discovery Advisor server.
          "0": SMEX takes the specified Advanced Threat action on an email message that triggers the HEUR_HAS_MACRO rule and is not analyzed or cannot be analyzed by the Deep Discovery Advisor server.

    With this feature enabled, ATSE can use more aggressive rules to detect possible macro viruses with the prefix HEUR.
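
The registry change in step 2 can be applied and verified with a script like the following. This is an added example, not Trend Micro's own tooling; the function name Set-SmexMacroRule is hypothetical, and it assumes an elevated PowerShell session on the SMEX server. It reports the previous and current value of each entry so the change can be recorded.

```powershell
# Added example (not from the Trend Micro article): apply and verify the two
# HEUR_HAS_MACRO registry values from step 2. Set-SmexMacroRule is a
# hypothetical name; run from an elevated session on the SMEX server.

$SmexKey = 'HKLM:\SOFTWARE\TrendMicro\ScanMail for Exchange\CurrentVersion'

# Values from the article: enable the rule, and apply the Advanced Threat
# action (not "Pass") to messages the sandbox did not or could not analyze.
$Desired = [ordered]@{
    EnableMacroRule = 1
    PassMacroRule   = 0
}

function Set-SmexMacroRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = $SmexKey,
        [System.Collections.IDictionary]$Values = $Desired
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Registry key not found: $Path (is SMEX installed on this server?)"
    }

    foreach ($name in $Values.Keys) {
        # $null here means the value does not exist, so the documented default applies.
        $before = (Get-ItemProperty -LiteralPath $Path -Name $name -ErrorAction SilentlyContinue).$name

        if ($before -ne $Values[$name] -and
            $PSCmdlet.ShouldProcess("$Path\$name", "Set REG_DWORD to $($Values[$name])")) {
            # -Force creates the value or overwrites an existing one as REG_DWORD.
            New-ItemProperty -LiteralPath $Path -Name $name -PropertyType DWord `
                -Value $Values[$name] -Force | Out-Null
        }

        # Re-read so the report reflects what is actually stored.
        $after = (Get-ItemProperty -LiteralPath $Path -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Name      = $name
            Previous  = if ($null -eq $before) { '(not set)' } else { $before }
            Current   = if ($null -eq $after)  { '(not set)' } else { $after }
            Desired   = $Values[$name]
            Compliant = ($after -eq $Values[$name])
        }
    }
}

Set-SmexMacroRule -WhatIf   # audit only; remove -WhatIf to apply the change
```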

Category: Configure; Troubleshoot
Solution Id: 1114120