ISM-1672 – Technical Resolution Guidance

What is ISM-1672?

Microsoft Office macro antivirus scanning is enabled.

Background

Enabling macro antivirus scanning in Microsoft Office allows antivirus software to check macros in documents for malware. This feature provides extra protection by scanning for malicious code, though it should be used along with other security practices like user awareness, setting macro permissions, and regular updates.
Note: SecurE8 Auditor doesn’t check for alternative macro scanning tools. Microsoft Office 365 apps (Word, Excel, PowerPoint, and Outlook) support integration with third-party antivirus via the Antimalware Scan Interface (AMSI). Organizations using a third-party tool for macro scanning should confirm that it supports AMSI.

Applicability

This control is relevant to the following:

  • Maturity Level 1, 2, and 3 Controls

Evaluation Results

Status          Description
Effective       Registry Key is present and set correctly.
Ineffective     Registry Key is present, but set incorrectly or not present.
Not Applicable  Microsoft Office is not installed or is not applicable to this device.

Testing Parameters

The following is a list of Microsoft Office products:

  • Microsoft Access 2016 or greater
  • Microsoft Excel 2016 or greater
  • Microsoft PowerPoint 2016 or greater
  • Microsoft Visio 2016 or greater
  • Microsoft Word 2016 or greater
All Office versions, including 2016, 2019 and 365, are treated as Office 2016 for this test.

Set the registry value:
1 = Enable for low trust documents
2 = Enable for all documents
Policies/Description: Macro Runtime Scan
Registry Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\common\security
Value: macroruntimescanscope = 1 or 2

Remediation Steps

Use Group Policy (local or Active Directory) or Intune to set the following policy to Enable for all documents.
Group policy: User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Security Settings\Macro Runtime Scan Scope
Enabled >> "Enable for low trust documents" or "Enable for all documents"

Validation Process

Validate that the policy is being applied correctly on the end device.
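
One way to perform this validation on an end device, as an added example (not SecurE8 Auditor's own check): the function reads the value listed under Testing Parameters and returns the matching Evaluation Results status. The function name, the HKLM Office install markers and the REG_DWORD type check are assumptions of this example.

```powershell
# Added example: classify the current user's device against the page's result table.
# Run in the logged-on user's session; the policy lives under HKEY_CURRENT_USER.
function Test-MacroRuntimeScanScope {
    [CmdletBinding()]
    param(
        # Key and value name from Testing Parameters (registry names are case-insensitive).
        [string]$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security',
        [string]$ValueName = 'MacroRuntimeScanScope',
        # Assumption: any of these keys existing means Office 16.0 is installed.
        [string[]]$InstallMarkers = @(
            'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration',
            'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\InstallRoot'
        )
    )
    $result = [ordered]@{ Status = 'Ineffective'; Value = $null; Detail = '' }

    if (-not ($InstallMarkers | Where-Object { Test-Path -LiteralPath $_ })) {
        $result.Status = 'Not Applicable'
        $result.Detail = 'No Office 16.0 install marker found.'
        return [pscustomobject]$result
    }

    # A missing key and a missing value both count as "not present".
    $key = Get-Item -LiteralPath $PolicyKey -ErrorAction SilentlyContinue
    $raw = if ($key) { $key.GetValue($ValueName, $null) } else { $null }
    if ($null -eq $raw) {
        $result.Detail = "$ValueName is not present under $PolicyKey."
        return [pscustomobject]$result
    }

    $result.Value = $raw
    # Assumption: the policy is written as REG_DWORD, so other types count as set incorrectly.
    $kind = $key.GetValueKind($ValueName)
    $labels = @{ 1 = 'Enable for low trust documents'; 2 = 'Enable for all documents' }
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.Detail = "Value type is $kind, expected DWord."
    } elseif ($labels.ContainsKey([int]$raw)) {
        $result.Status = 'Effective'
        $result.Detail = $labels[[int]$raw]
    } else {
        $result.Detail = "Value $raw is not 1 or 2."
    }
    [pscustomobject]$result
}

Test-MacroRuntimeScanScope | Format-List
```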

Risk Consideration

Enabling macro antivirus scanning in Microsoft Office helps reduce the risk of malware by scanning and blocking malicious macros, preventing the execution of harmful code, and providing protection against social engineering attacks. While this control improves security, it's most effective when combined with other measures like user training, regular updates, and strong email filtering to strengthen overall defenses against macro-based threats.