How to assure a MsOffice apps doesn't open up a malicious VBA hidden code

jana
jana used Ask the Experts™
on
We were assisted by EE in a question that made us place this question.  The insert that's reponsable is "it is actually possible to craft a non-addin PowerPoint macro-enabled file".  

That said, is setting our ms office apps to the most secure settings (macro) is the only way to protect ourselves from a powerpoint or word/excel/mail for that matter?  Also, is there a way to view he VBA contents without opening it (powerpoint/excel/wor)?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Senior Technical Consultant at BrightCarbon
Commented:
You 'could' disable VBA macros from running at all using GPO to disable VBA for ALL Office apps (see this EE question and other resources online) but the only way to prevent the possibility of code automatically running on a per app/user/session basis is to use File / Options / Trust Center / Trust Center Settings / Macro Settings. When set to the most secure level as below, you can safely open the macro-enabled file and examine the code (assuming the VBA project has not been password protected) without the risk of it running.

Trust Center - Macro Settings
There is no way to see the VBA code without opening the file. You could build an add-in that allowed the macro settings level to be changed with a single button in the ribbon so could could effectively turn it on and off quickly as required instead of the 8-click UI process above! That could toggle between the state above and this one to temporarily allow the running of VBA code:

Trust Center - Macro Settings
It's worth noting that the free PowerPoint viewer does not support the running of macros:

https://www.microsoft.com/en-gb/download/details.aspx?id=13

This is another useful Microsoft article:

https://support.office.com/en-gb/article/Enable-or-disable-macros-in-Office-documents

Finally, you can disable VBA at Office deployment time but that's no use if you already have an installed user base:

https://support.microsoft.com/en-us/help/281954/how-to-turn-off-visual-basic-for-applications-when-you-deploy-office
Commented:
@Jamie
the only way to prevent the possibility of code automatically running on a per app/user/session basis is to use File / Options / Trust Center / Trust Center Settings / Macro Settings.

Apart from the use of the word 'only', even that doesn't work...  see here: http://www.cpap.com.br/orlando/ExcelFreeMore.asp  I've tested this and it does what it says...

:)
Jamie GarrochSenior Technical Consultant at BrightCarbon

Commented:
Interesting find DrTribos. I think the question relates to a standard corporate environment so third party utilities like this one which appears to defeat the Microsoft security rather than prevent the execution of macros will unlikely be present. Nevertheless, I'm curious how that utility works. There doesn't appear to be a command line switch for Excel to prevent macro alerts from being displayed on opening a file and the utility specifically states it does not change any Windows settings. So how does it defeat the macro alerts?
Exploring SQL Server 2016: Fundamentals

Learn the fundamentals of Microsoft SQL Server, a relational database management system that stores and retrieves data when requested by other software applications.

Commented:
Not sure Jamie, but I tested it and my system was almost fully locked down... and macros ran.  I guess I could've deleted the VBA dll ?!
Jamie GarrochSenior Technical Consultant at BrightCarbon

Commented:
If I was going to create such a utility I would do this:

1. Utility EXE runs and performs these steps:
2. Store the current Windows registry setting for macro security
3. Change the same registry setting to allow macros to run without warnings
4. Open the macro-enabled Office file (no macro messages will be shown and macros can run)
5. Restore the registry setting (macros are still permitted to run on the open file above)

That way, no "permanent" changes are made to the registry. This is the only way I can see such a utility working.

Commented:
I guess Proc Mon would be able to determine if that is what is happening... I might have a closer look when (if) I get the chance.

Author

Commented:
Sorry for the delay!

Thanx!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial