Testing or Checking MS Access VBA code for Viruses

Blue Fin
I have an MS Access application split into FE and BE. I need advice on finding a tool which helps me in testing the code for any malicious viruses etc.
Most Valuable Expert 2015
Distinguished Expert 2018

Commented:
Scan it with Windows Defender. Simple and zero cost.

Author

Commented:
@Gustav Brock
I am specifically looking for a utility which scans through VBA code and provides a report at the end.
Most Valuable Expert 2015
Distinguished Expert 2018
Commented:
You can use this command line:

C:\Users\You>"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "c:\folder\somedatabase.accdb"
Scan starting...
Scan finished.
Scanning c:\folder\somedatabase.accdb found no threats.

It creates a log file too:

C:\Users\You\AppData\Local\Temp\MpCmdRun.log

holding:

-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe"  -Scan -ScanType 3 -File "c:\foldertest\somedatabase.accdb"
 Start Time: ‎ma ‎apr ‎22 ‎2019 22:05:13

MpEnsureProcessMitigationPolicy: hr = 0x1
Starting RunCommandScan.
INFO: ScheduleJob is not set. Skipping signature update.
Scanning path as file: c:\folder\somedatabase.accdb.
Start: MpScan(MP_FEATURE_SUPPORTED, dwOptions=16385, path c:\folder\somedatabase.accdb, DisableRemediation = 0, BootSectorScan = 0, Timeout in days = 1)
MpScan() started
MpScan() was completed
Finish: MpScanStart(MP_FEATURE_SUPPORTED, dwOptions=16385)
Finish: MpScan(MP_FEATURE_SUPPORTED, dwOptions=16385, path c:\folder\somedatabase.accdb, DisableRemediation = 0, BootSectorScan = 0, Timeout in days = 1)
Scanning c:\folder\somedatabase.accdb found no threats.
MpScan() has detected 0 threats.
MpCmdRun: End Time: ‎ma ‎apr ‎22 ‎2019 22:05:13
-------------------------------------------------------------------------------------

It will also scan an accde file holding no literal code.
John Tsioumpris, Software & Systems Engineer

Commented:
Well, if I got this right, getting an application to tell you whether the code you have has malicious purposes or not is quite difficult.
For example, you have a simple method that deletes files... if you "expand" it to delete every single file on your hard drive, I reckon it is hard for any antivirus solution to "sniff" that you have such evil intentions... after all, in order for this to run you have granted permissions... it's pretty much like letting your kid on your computer and he suddenly decides that opening Explorer and hitting that Delete button is FUN!!
For a start... just don't open any macro-enabled application (Access) right away... at least hold Shift to take a look at the stuff that works right when the application starts... if you have second doubts... transfer (import) the application to another (new) Access and take your time examining the code on what it might or might not do...
Then you could search the code at first for References... most of the "extra" stuff needs some helping hand, so you will probably find references that are out of the ordinary... then you need to search the code for any possible system interaction... usually the best way to handle "strange" applications is to have a handy sandboxed VM and let it have the burden of the execution.
Based on the "recent" outbreak of VBA-based ransomware, it can be quite hard for an antivirus to spot a malicious pattern, while human inspection with all the fake loops and strange jumps is something for concern.
Last but not least... if someone has the expertise and wants to do some damage, he can always find a way to do it.
Take a look at this piece of code

It might appear as garbage but it's pure machine code executed via VBA, and essentially it disables the mouse scroll wheel without the need for an extra DLL or anything... just this mumbo jumbo huge string and a few API calls to place it in memory and execute it.
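
The manual review described in the comment above (startup code, unusual system interaction, API declarations, and long opaque strings) can be partly automated over exported module text. This is an added example, not part of the original thread; the rule lists, thresholds, and sample module are assumptions, and it reports indicators for human review rather than judging intent.

```python
import math
import re
from collections import Counter

# Heuristic indicators; these lists are assumptions for the example, not exhaustive.
RULES = [
    ("startup code", re.compile(r"\b(?:Sub|Function)\s+(AutoExec|Form_Open|Form_Load)\b", re.I)),
    ("native API declaration", re.compile(r"\bDeclare\s+(?:PtrSafe\s+)?(?:Sub|Function)\s+(\w+)", re.I)),
    ("process or COM automation", re.compile(r"\b(Shell|CreateObject|GetObject)\b", re.I)),
    ("file deletion", re.compile(r"\b(Kill|RmDir|DeleteFile|DeleteFolder)\b", re.I)),
]
# Win32 calls typically declared when bytes are copied into memory and executed.
MEMORY_APIS = {"virtualalloc", "virtualprotect", "rtlmovememory", "createthread"}
STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')  # VBA escapes a quote as ""

def entropy(text):  # Shannon entropy in bits per character
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def scan_vba(source, min_len=200, min_entropy=4.5):
    """Return (line_number, category, detail) findings for exported VBA text."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("'"):        # whole-line comment
            continue
        code = STRING_LITERAL.sub('""', line)    # match keywords outside strings only
        for category, pattern in RULES:
            for m in pattern.finditer(code):
                hit = m.group(1)
                label = "memory API declaration" if hit.lower() in MEMORY_APIS else category
                findings.append((no, label, hit))
        for m in STRING_LITERAL.finditer(line):
            if len(m.group(1)) >= min_len and entropy(m.group(1)) >= min_entropy:
                findings.append((no, "long high-entropy string", f"{len(m.group(1))} chars"))
    return findings

def report(findings):
    return "\n".join(f"line {n}: {c}: {d}" for n, c, d in findings) or "no indicators found"

# Constructed sample module (not from the page); BLOB is generated filler, not real code.
BLOB = "".join(chr(35 + (i * 7) % 90) for i in range(300))
SAMPLE = f'''Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal a As LongPtr) As LongPtr
Private Sub Form_Open(Cancel As Integer)
    ' Kill is only mentioned in this comment
    NativeCode = "{BLOB}"
    MsgBox "Shell is just text here"
End Sub
'''
if __name__ == "__main__":
    print(report(scan_vba(SAMPLE)))
```

Export each module to a text file from the VBA editor first and pass the file contents to `scan_vba`; a compiled accde with the source removed gives this kind of scan nothing to read.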

Author

Commented:
@Gustav Brock
Thanks for the detailed explanation. I guess I can use Norton in the same fashion....

@John,
Now I am getting the picture, and I agree you cannot test the intent of the programmer at all... just for your opinion on utilities out there such as:

1. Checkmarx CxSAST
2. Veracode

They say that they have complete code coverage as far as finding malicious code is concerned.... and that's where I get confused. Their services are also not very cheap.
John Tsioumpris, Software & Systems Engineer

Commented:
@Blue Fin I must be honest on this... I have never ever heard of them... so not even a chance of working with them... but I would say that:
IF... a big if... if they were so good at what they do, they would come out of the dark and dominate the security scene... with all the ransomware/malware/viruses, people are screaming for protection at any cost... and from the looks of their site, their main objective is to protect your software from having bugs that will compromise its functionality or even more... for the 1st, the CxIAST might do what you want, but again without first-hand knowledge I can't advise on this...
