Macro viruses are one of the most common types of file infection in Microsoft Office documents and compressed files.
Trend Micro patterns can detect macro viruses. For enhanced security, you may configure SMEX to prevent macro viruses from infecting your environment.
Known macro viruses included in our pattern are not a problem, as either VSAPI or ATSE using the latest patterns will be able to detect them. For documents with unknown macro threats, an SMEX administrator can apply the following optional solutions to enhance security:
- Option 1: Stripping the macro directly from the document file:
An administrator can set SMEX to strip the macro directly from the document. This is considered the most aggressive solution.
For details, refer to KB 0123614.
- Option 2: Macro Threat Detection with Sandbox integration in Deep Discovery Analyzer (DDAN):
Since SMEX 11 SP1 Patch 1 (or SMEX 11 SP1 with Hot Fix Build 4227), SMEX has enabled the "HEUR_HAS_MACRO" ATSE rule, which is used to detect whether an email file attachment contains macros. To use this feature:
- Configure SMEX to integrate with DDAN by referring to KB 1113902.
- Add or modify the following registry keys:
- Path: HKLM\SOFTWARE\TrendMicro\ScanMail for Exchange\CurrentVersion
  Key: EnableMacroRule
  Type: REG_DWORD
  Data value: 1
  "1" enables the HEUR_HAS_MACRO Advanced Threat Scan Engine rule.
  "0", the default value, disables the HEUR_HAS_MACRO Advanced Threat Scan Engine rule.
- Path: HKLM\SOFTWARE\TrendMicro\ScanMail for Exchange\CurrentVersion
  Key: PassMacroRule
  Type: REG_DWORD
  Data value: 0
  "1", the default value: SMEX takes the "Pass" action on an email message that triggers the HEUR_HAS_MACRO rule and that is not analyzed or cannot be analyzed by the Deep Discovery Advisor server.
  "0": SMEX takes the specified Advanced Threat action on an email message that triggers the HEUR_HAS_MACRO rule and that is not analyzed or cannot be analyzed by the Deep Discovery Advisor server.
With this feature enabled, ATSE can use more aggressive rules to detect possible macro viruses with prefixes such as HEUR
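
The two registry values described under Option 2 can be audited and set from an elevated PowerShell session on the SMEX server. This is an added example, not Trend Micro code; the function name `Set-SmexMacroRule` is hypothetical, and the defaults it assumes for absent values are the ones stated above.

```powershell
# Added example (not vendor code): report and set the SMEX macro-rule values.
function Set-SmexMacroRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\TrendMicro\ScanMail for Exchange\CurrentVersion'
    )

    # Value name, the data value the article sets, and the default that
    # applies when the value is absent (as stated in the article).
    $settings = @(
        @{ Name = 'EnableMacroRule'; Desired = 1; Default = 0 },
        @{ Name = 'PassMacroRule';   Desired = 0; Default = 1 }
    )

    if (-not (Test-Path -Path $KeyPath)) {
        throw "SMEX registry key not found: $KeyPath"
    }

    foreach ($s in $settings) {
        $item      = Get-ItemProperty -Path $KeyPath -Name $s.Name -ErrorAction SilentlyContinue
        $present   = $null -ne $item
        $effective = if ($present) { [int]$item.($s.Name) } else { $s.Default }
        $changed   = $false

        # Write only when the effective value differs; honours -WhatIf / -Confirm.
        if ($effective -ne $s.Desired -and
            $PSCmdlet.ShouldProcess("$KeyPath\$($s.Name)", "Set REG_DWORD to $($s.Desired)")) {
            New-ItemProperty -Path $KeyPath -Name $s.Name -PropertyType DWord `
                -Value $s.Desired -Force | Out-Null
            $changed = $true
        }

        # One report row per value so the change can be logged or reviewed.
        [pscustomobject]@{
            Name     = $s.Name
            Present  = $present
            Previous = $effective
            Desired  = $s.Desired
            Changed  = $changed
        }
    }
}

# Preview the changes without writing to the registry.
Set-SmexMacroRule -WhatIf | Format-Table -AutoSize
```

Run `Set-SmexMacroRule` without `-WhatIf` to apply the values.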