Antivirus False positive in my VBA Excel Macro

I just ran into an even more annoying problem. Suddenly Windows Defender started to flag one of my Excel files containing VBA macro code (on download from a browser) as being a virus. The specific virus being logged is:

Trojan:O97M/Foretype.A!ml

Googling it reveals the following information:

O97M.Downloader is a generic detection for Microsoft Office macros that download other threats. They are usually contained in other Microsoft Office documents and may arrive on the compromised computer through attachments or after being downloaded from a website.

Great, so once Windows Defender detects it, it basically shreds the file, and when you attempt to open it, Excel claims the file has "been corrupted". I would love to post my VBA file to http://www.virustotal.com; however, it contains tons of proprietary VBA code that cannot be shared with the wider community. I wonder if there's a website that accomplishes the same thing with different terms and conditions?

This has only started recently and has only affected a few users/clients. I'm not sure of the distribution of clients who have this installed and what versions of Windows Defender they are running. I'm worried the impact of this will increase until a large number of our clients are affected. Even more troubling, often clients can download one version without issue, but when they download the file (identical VBA code) from a different source they encounter the issue. Could the download source affect the file's likelihood of being flagged?

Main Question

What causes an Excel VBA file to be flagged as an "O97M" virus, and how do I prevent it from being flagged?

Related Concerns

Should I sign my VBA macros? Would that affect the virus detection likelihood?

Are there other common practices that I could change that would affect the likelihood of false positives?

What is a "Trojan:O97M/Foretype.A!ml" exactly? The Windows page contains so little information it might as well not exist, and Symantec is also pretty unhelpful. (Maybe I'm massively uninformed here.) Is there a centralized repository for virus detection? I would imagine that people may not want to share that and it may differ by product, but I'd be interested in any information pertaining to this...

External Libraries

I'm also using the following external code:

https://gist.github.com/brucemcpherson/3414365/

https://www.thespreadsheetguru.com/the-code-vault/2014/4/23/loop-through-all-excel-files-in-a-given-folder

How to use VBA SaveAs without closing calling workbook?

I'm also using the following window functions:

' RECT is referenced by GetWindowRect below but was not declared
Public Type RECT
    Left As Long
    Top As Long
    Right As Long
    Bottom As Long
End Type

Public Declare PtrSafe Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As LongPtr
' GetWindowLongA/SetWindowLongA return 32-bit values; on 64-bit Office the *Ptr variants are required so a LongPtr result is not truncated
#If Win64 Then
Public Declare PtrSafe Function GetWindowLong Lib "user32" Alias "GetWindowLongPtrA" (ByVal hWnd As LongPtr, ByVal nIndex As Long) As LongPtr
Public Declare PtrSafe Function SetWindowLong Lib "user32" Alias "SetWindowLongPtrA" (ByVal hWnd As LongPtr, ByVal nIndex As Long, ByVal dwNewLong As LongPtr) As LongPtr
#Else
Public Declare PtrSafe Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As LongPtr, ByVal nIndex As Long) As LongPtr
Public Declare PtrSafe Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As LongPtr, ByVal nIndex As Long, ByVal dwNewLong As LongPtr) As LongPtr
#End If
Public Declare PtrSafe Function GetWindowRect Lib "user32" (ByVal hWnd As LongPtr, lpRect As RECT) As Long
Public Declare PtrSafe Function SetWindowPos Lib "user32" (ByVal hWnd As LongPtr, ByVal hWndInsertAfter As LongPtr, ByVal x As Long, ByVal y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As Long ' hWndInsertAfter is a window handle, so LongPtr
Public Declare PtrSafe Function SetParent Lib "user32.dll" (ByVal hWndChild As LongPtr, ByVal hWndNewParent As LongPtr) As LongPtr
Public Declare PtrSafe Function SetForegroundWindow Lib "user32" (ByVal hWnd As LongPtr) As Long
Public Declare PtrSafe Function GetDeviceCaps Lib "gdi32.dll" (ByVal hdc As LongPtr, ByVal nIndex As Long) As Long
Public Declare PtrSafe Function GetDC Lib "user32.dll" (ByVal hWnd As LongPtr) As LongPtr
Public Declare PtrSafe Function ReleaseDC Lib "user32.dll" (ByVal hWnd As LongPtr, ByVal hdc As LongPtr) As Long
Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Public Declare PtrSafe Sub SetLastError Lib "kernel32.dll" (ByVal dwErrCode As Long) ' SetLastError returns nothing, so it is a Sub
Public Declare PtrSafe Function GetActiveWindow Lib "user32.dll" () As LongPtr
Public Declare PtrSafe Function DrawMenuBar Lib "user32" (ByVal hWnd As LongPtr) As Long
David Rogers Avatar asked Nov 08 '18 17:11

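As an added example (not code from the question, from Microsoft, or from Defender), a small Python triage script in the spirit of olevba: it lists which constructs in a VBA module overlap with what generic "macro downloader" heuristics are usually described as weighing (auto-exec handlers, network and execution APIs, raw Win32 Declares, file writes, obfuscation idioms), so the overlap can be documented before opening a false-positive case instead of uploading proprietary code to a public scanner. The indicator categories and patterns are my own assumptions; the sample module is constructed from three of the question's Declare lines plus a typical Workbook_Open handler.

```python
import re
from collections import defaultdict
# Constructs that generic "Office macro downloader" heuristics are commonly described
# as weighing. Assumption for triage only: not Microsoft's signature logic, and a
# match does not mean the file is malicious.
INDICATORS = {
    "auto-exec": [r"\bWorkbook_Open\b", r"\bAuto_Open\b", r"\bAutoOpen\b", r"\bDocument_Open\b"],
    "network": [r"\bURLDownloadToFile", r"MSXML2\.(Server)?XMLHTTP", r"WinHttp\.WinHttpRequest",
                r"\bInternetOpen", r"\bInternetReadFile\b"],
    "execution": [r"\bShell\s*\(", r"WScript\.Shell", r"\bCreateObject\s*\(", r"\bShellExecute"],
    "win32-declare": [r"^(Public\s+|Private\s+)?Declare\b"],
    "file-write": [r"\bOpen\b.+\bFor\s+Binary\b", r"ADODB\.Stream", r"\bSaveAs\b"],
    "obfuscation": [r"\bChr\s*\(\s*\d+\s*\)\s*&", r"\bStrReverse\s*\(", r"\bCallByName\s*\("],
}

def triage_vba(source: str) -> dict:
    """Map each category to the (line number, text) pairs that match one of its patterns.
    Full-line VBA comments are skipped so a Shell( mentioned in a remark is not counted."""
    hits = defaultdict(list)
    for number, line in enumerate(source.splitlines(), start=1):
        text = line.strip()
        if text.startswith("'"):
            continue
        for category, patterns in INDICATORS.items():
            if any(re.search(p, text, re.IGNORECASE) for p in patterns):
                hits[category].append((number, text))
    return dict(hits)

def summarize(hits: dict) -> str:
    """Render the result in a fixed category order, ready to paste into a false-positive report."""
    out = [f"[{cat}] line {n}: {t[:90]}" for cat in INDICATORS for n, t in hits.get(cat, [])]
    return "\n".join(out) if out else "no indicator matched"

# Constructed sample: three of the question's Declare lines plus a typical Workbook_Open
# handler (not the asker's real proprietary code).
SAMPLE_MODULE = """Option Explicit
Public Declare PtrSafe Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As LongPtr
Public Declare PtrSafe Function SetParent Lib "user32.dll" (ByVal hWndChild As LongPtr, ByVal hWndNewParent As LongPtr) As LongPtr
Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)

Private Sub Workbook_Open()
    ' a comment that mentions Shell( is ignored
    Set http = CreateObject("MSXML2.XMLHTTP")
    ActiveWorkbook.SaveAs Filename:="report.xlsm"
End Sub
"""

if __name__ == "__main__":
    print(summarize(triage_vba(SAMPLE_MODULE)))
```

Feed it the module text exported from the VBA editor (or extracted with olevba); the report shows which categories a file touches, which is the part of the story a vendor case handler wants to see.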
1 Answer

We reached out to Microsoft and they replied with the following message (Not copy-able in text for some reason):

[image: Microsoft's reply]

So I guess this was the JSON VBA logic, and I guess it was resolved (I haven't seen this reoccur), though it's really hard to say.

David Rogers Avatar answered Sep 27 '22 23:09
