Improvements to Office malware protection


Microsoft has finally added their Antimalware Scan Interface (AMSI) into the Office 365 programs, including Word, Excel and PowerPoint.

This technology is designed to check VBA and other programming code when it’s opened and before running.  It’s a runtime check separate from any document scanning done by Windows Defender.

Source: Microsoft

AMSI was first released back in 2015 for Windows PowerShell to check to nasty scripts before they are unleashed on Windows.

It’s designed to look at what code is actually trying to do behind clever obfuscation.  Code obfuscation converts easily read and understood code into something difficult to understand, but still works.

By looking at the codes real behavior, AMSI aims to stop malicious code before it does any damage.

Source: Microsoft

New malware detection is automatically shared with Microsoft which, in turn, shares the new risk with other Office 365 users and cloud based malware scanners for email etc.

Who gets AMSI?

Microsoft hasn’t been specific about the versions of Office which get the new AMSI protection.  They’ve only said:

“AMSI integration is now available and turned on by default on the Monthly Channel for Office 365 client applications including Word, Excel, PowerPoint, Access, Visio, and Publisher.

The Monthly Channel link is to Office 365 ProPlus however there’s no build/version reference.  By ‘Office 365 client applications’ we’re assuming (for the moment) they mean Office desktop for Windows.

We’ve asked Microsoft for clarification, in particular whether Office 365 consumers on Home, Personal, University or Education are also protected.  We’ve not had a response at the time of publishing.

Windows only

We think this only applies to Office desktop applications.  Not Windows 10 apps (which don’t have macro support) nor Office for Mac (which does have VBA).

Again, we’ve asked Microsoft for clarification.

Macro protection only

AMSI is just one part of anti-virus, malware protection.  It’s targeting malicious VBA code in Office, not other types of non-code hacks.  AMSI would not have stopped the Equation Editor attack and many hacked .doc files.

Use Windows Defender and your own caution about incoming documents, AMSI is another level of defence.

Not all documents are protected

Only ‘untrusted’ documents are checked with AMSI.  The following types of documents are NOT normally checked.

  • Documents opened while macro security settings are set to “Enable All Macros”
  • Documents opened from trusted locations
  • Trusted documents
  • Documents with VBA that is digitally signed by a trusted publisher

These exclusions make sense from a performance point-of-view.  However if a malicious document gets into a trusted folder, Office won’t do an AMSI check when it’s opened.

If a hacker manages to get a trusted publisher certificate or trick users into trusting their certificate, that could be another opportunity.


Want More?

Office Watch has the latest news and tips about Microsoft Office.  Delivered once a week.