ISM-1672 – Technical Resolution Guidance
What is ISM-1672?
Microsoft Office macro antivirus scanning is enabled.
Background
Enabling macro antivirus scanning in Microsoft Office allows antivirus software to check macros in documents for malware. This feature provides extra protection by scanning for malicious code, though it should be used along with other security practices like user awareness, setting macro permissions, and regular updates.
Note: SecurE8 Auditor doesn’t check for alternative macro scanning tools. Microsoft Office 365 apps (Word, Excel, PowerPoint, and Outlook) support integration with third-party antivirus via the Antimalware Scan Interface (AMSI). Organizations using a third-party tool for macro scanning should confirm that it supports AMSI.
Applicability
This control is relevant to the following:
- Maturity Level 1, 2, and 3 Controls
Evaluation Results
Status | Description |
---|---|
Effective | Registry Key is present and set correctly. |
Ineffective | Registry Key is present but set incorrectly, or is not present. |
Not Applicable | Microsoft Office is not installed or is not applicable to this device. |
Testing Parameters
The following is a list of Microsoft Office products:
- Microsoft Access 2016 or greater
- Microsoft Excel 2016 or greater
- Microsoft PowerPoint 2016 or greater
- Microsoft Visio 2016 or greater
- Microsoft Word 2016 or greater
Set the registry value:
1 = Enable for low trust documents
2 = Enable for all documents
Policies/Description | Registry Key | Value |
---|---|---|
Macro Runtime Scan | HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\common\security | macroruntimescanscope = 1 or 2 |
Remediation Steps
Use Group Policy (local or Active Directory) or Intune to set the following policy to Enable for all documents.
Group policy: User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Security Settings\Macro Runtime Scan Scope
Enabled >> "Enable for low trust documents" or "Enable for all documents"
Validation Process
Validate that the policy is being applied correctly on the end device.
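One way to perform this validation on an endpoint, as an added example that is not part of the original guidance or of SecurE8 Auditor: the PowerShell below reads the value from the Testing Parameters table and reports it using the Evaluation Results statuses. The Office-detection registry keys, the DWORD type check and the function name Get-Ism1672Status are assumptions, and the script must run in the target user's session because the policy is stored under HKEY_CURRENT_USER.

```powershell
# Added example: classify the ISM-1672 state for the currently logged-on user.
# Run it in that user's own session; an elevated or SYSTEM session reads a
# different HKCU hive and would report on the wrong account.

$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Office\16.0\common\security'
$ValueName  = 'macroruntimescanscope'
$ScopeNames = @{ 1 = 'Enable for low trust documents'; 2 = 'Enable for all documents' }

# Assumption (not from the guidance): Office 2016 or later is treated as
# installed if either machine-wide key exists (Click-to-Run or MSI install).
$OfficeMarkers = @(
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration',
    'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot'
)

function Get-Ism1672Status {
    $installed = $OfficeMarkers | Where-Object { Test-Path -Path $_ }
    if (-not $installed) {
        return [pscustomobject]@{ Status = 'Not Applicable'; Detail = 'Microsoft Office not detected' }
    }

    # A missing key and a missing value are both "not present".
    $key = Get-Item -Path $PolicyKey -ErrorAction SilentlyContinue
    $raw = if ($key) { $key.GetValue($ValueName, $null) } else { $null }
    if ($null -eq $raw) {
        return [pscustomobject]@{ Status = 'Ineffective'; Detail = "$ValueName is not present" }
    }

    # Assumption: the policy value is a REG_DWORD, so a string such as "2"
    # is reported as set incorrectly rather than accepted.
    $kind = $key.GetValueKind($ValueName)
    if ($kind -eq 'DWord' -and $ScopeNames.ContainsKey([int]$raw)) {
        $name = $ScopeNames[[int]$raw]
        return [pscustomobject]@{ Status = 'Effective'; Detail = "$ValueName = $raw ($name)" }
    }
    return [pscustomobject]@{ Status = 'Ineffective'; Detail = "$ValueName = $raw ($kind) is not 1 or 2" }
}

Get-Ism1672Status
```

If the policy was just deployed, run `gpupdate /target:user /force` (or wait for the next Intune sync) before checking, otherwise the result reflects the previous policy state.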
Risk Consideration
Enabling macro antivirus scanning in Microsoft Office helps reduce the risk of malware by scanning and blocking malicious macros, preventing the execution of harmful code, and providing protection against social engineering attacks. While this control improves security, it's most effective when combined with other measures like user training, regular updates, and strong email filtering to strengthen overall defenses against macro-based threats.