Below are the Trend Micro products and their procedures to enable macro file scanning:
To enable protection against macro viruses, please enable the following features:
Predictive Machine Learning
- Log in to the Apex One management console.
- Go Settings > Select Predictive Machine Learning Settings.
- Enable Predictive Machine Learning and Under Detection Settings.
- Click Save.
Newly Encountered Program Protection
Behavior Monitoring works in conjunction with Web Reputation Services and Real-Time Scan to verify the prevalence of files downloaded through web channels, email applications, or Microsoft Office macro scripts. After detecting a "newly encountered" file, administrators can choose to prompt users before executing the file.
Trend Micro classifies a program as newly encountered based on the number of file detections or historical age of the file as determined by the Smart Protection Network.
Cloud App Security (TMCAS) supports Deep Discovery Analyzer as a Service (DDAaaS). It is a cloud-based web service that acts as an external analyzer.
Enabling this feature will help to detect macro embedded files. It identifies suspicious files, sends them to sandbox and then takes an action.
To integrate TMCAS with Deep Discovery Analyzer as a Service (DDAaaS):
- Log in to TMCAS management console.
- Go to Advanced Threat Protection and select ATP Policy.
- Under Virtual Analyzer setting, click Enable Virtual Analyzer, and make sure the setting of Action is configured as following:
- Click Save.
Hosted Email Security (HES) now supports Deep Discovery Analyzer as a Service (DDAaas). It is a cloud-based web service that acts as an external analyzer. Enabling this feature will help to detect macro embedded files. It identifies suspicious files, sends to sandbox and then takes an action.
To integrate HES with DDAaas:
- Log in to HES management console.
- Go to Inbound Protection > Policyand select Virus > Scanning Criteria > Message contains: Malware of Malicious Code.
-
Under Specify advanced settings, tick the Enable Advanced Threat Scan Engine, Perform advanced analysis to identify threats and Include macro scanning during advanced analysis options.
- Click Save.
HES can perform advanced analysis on samples in a closed environment to identify suspicious objects that traditional scanning may not detect. When enabled, HES delays the delivery of the messages until the advanced analysis completes, which may take up to 30 minutes.
To configure IMSS and strip macro files:
For Windows
- Go to TrendMicro/IMSS/Config.
- Edit the imss.ini file using Notepad, and manually add the following:
[virus]
EnableMacroStrip=1 - Restart the IMSS Scan Service to reflect the changes in the setting.
For Linux
-
Backup the /opt/trend/imss/config/imss.ini file then edit it using vi:
vi /opt/trend/imss/config/imss.ini
-
Go to the [virus] section and set the EnableMacroStrip=1 parameter.
Manually add the [virus] section if it doesn't exist. The section and the parameter should look like the following:
[virus]
EnableMacroStrip=1 -
Restart the services using the command:
# /opt/trend/imss/script/imssctl.sh restart
To configure IMSVA and strip macro files:
-
Backup the /opt/trend/imss/config/imss.ini file then edit it using vi:
vi /opt/trend/imss/config/imss.ini
-
Go to the [virus] section and set the EnableMacroStrip=1 parameter.
Manually add the [virus] section if it doesn't exist. The section and the parameter should look like the following:
[virus]
EnableMacroStrip=1 -
Restart the services using the command:
# /opt/trend/imss/script/imssctl.sh restart
You may also refer to the article Enabling ATSE Macro Threat Detection feature in InterScan Messaging Virtual Appliance (IMSVA) for further instructions.
To configure IWSVA and IWSS to block macro files:
- Log in to IWSVA management console.
- Navigate to HTTP > Advanced Threat Protection> Policies.
- Open the Virus /Malware Scan Rule tab.
- Under Blocked These File Types, tick Macros in Microsoft Office compressed by ActiveMime.
- Click Save.
IWSVA and IWSS also support the automatic and global removal of all macros as they cross the FTP and HTTP gateway (for example as an immediate but short term solution to a sudden macro virus outbreak).
To strip macro files:
- Log in to IWSVA management console.
- Navigate to HTTP > Advanced Threat Protection> Policies.
- Open the Action tab.
- Set Clean Action for the File Type Macros.
By default, Macros is set to Pass. Choose Cleanto have IWSVA strip all macros from all files crossing the HTTP gateway, typically in case of a macro virus outbreak, or Quarantineto have IWSVA move all macro containing documents to the quarantine server.
- Click Save.
For more information about MacroTrap on IWSx, you may refer to IWSVA Online Help.
To set the macro scanning options for manual scan:
- Go to Manual Scan.
- Under the Select the scan type, click the Security risk scan link.
- Navigate to Action tab > Advanced Options > Macros.
- Select the Enable advanced macro scan option.
- Choose your preferred detection type:
- Heuristic level
- 1 - Lenient filtering
- 2 - Default filtering
- 3 - Sensitive filtering
- 4 - Rigorous filtering
- Delete all macros detected by advanced macro scan
- Heuristic level
- Click Save.
The Macros in Microsoft Office filesadvanced option can be found in the Scanning Option > Virus Scan module.
The SMD advanced option scans any type of macro under the GenericMacxxxx name and treats it as a virus, regardless if the file contains a plain macro or malware. The action performed on the macro file depends on the settings defined by the user, which is either Pass, Quarantine, or Strip.
To configure SMEX to scan unknown macro viruses:
- Navigate to Security Risk Scan > Action > Advanced Options.
- Click Macros.
- Select the Enable advanced macro scan option.
- Choose a detection type from the following:
- Heuristic level - This option enables you to set the heuristic rules from Level 1 to Level 4.
Trend Micro recommends a heuristic scan level of 2. This level provides a high detection level for unknown macro viruses, a fast scanning speed, and it uses only the necessary rules to check for macro virus/malware strings. Level 2 also has a low level of falsely identifying malicious code in safe macro code.
- Delete all macros detected by advanced macro scan - This option allows SMEX to remove all the macro codes that it detects.
- Heuristic level - This option enables you to set the heuristic rules from Level 1 to Level 4.
- Click Save.
To configure Messaging Security Agent during unknown macro viruses scanning:
- Go to Antivirus > Action.
- Click + to expand the Macros panel.
- Select Enable advance macro scan.
- Choose a detection type:
- Select Heuristic level and assign a level for the heuristic rules.
-
- Level 1 is for the most specific cariteria but can only identify the least macro codes.
- Level 4 recognizes the most macro codes but uses the least specific criteria. It may incorrectly distinguish safe macro code as harboring malicious macro code.
Trend Micro recommends a heuristic scan level of 2. This level provides a high detection level for unknown macro viruses and fast scanning speed. Only essential rules are used to check for macro virus strings. Level 2 also has a low level of incorrectly identifying malicious code in safe macro code. -
- Select Delete all macros detected by advanced macro scanning to have the MSA remove all of the macro codes that it detects.
- Select Heuristic level and assign a level for the heuristic rules.
- Click Save.