Macro Runtime Scan Scope

Information

This policy setting specifies the behavior for both the VBA and Excel 4.0 (XLM) runtime scan features. Multiple Office apps support VBA macros, but XLM macros are only supported by Excel. Macros can only be scanned if the anti-virus software registers as an Antimalware Scan Interface (AMSI) provider on the device.
If you enable this policy setting, you can choose from the following options to determine the macro runtime scanning behavior:
- Disable for all files (not recommended): If you choose this option, no runtime scanning of enabled macros will be performed.
- Enable for low trust files: If you choose this option, runtime scanning will be enabled for all files for which macros are enabled, except for the following files:
- Files opened while macro security settings are set to 'Enable All Macros'
- Files opened from a Trusted Location
- Files that are Trusted Documents
- Files that contain VBA that is digitally signed by a Trusted Publisher
- Enable for all files: If you choose this option, then low trust files are not excluded from runtime scanning.
The VBA and XLM runtimes report to an antivirus system certain high-risk code behaviors the macro is about to execute. This allows the antivirus system to indicate whether or not the macro behavior is malicious. If the behavior is determined to be malicious, the Office application closes the session and the antivirus system can quarantine the file. If the behavior is non-malicious, the macro execution proceeds.
Note: When macro runtime scanning is enabled, the runtime performance of affected VBA projects and XLM sheets may be reduced.
If you disable this policy setting, no runtime scanning of enabled macros will be performed.
If you dont configure this policy setting, 'Enable for low trust files' will be the default setting.
Note: This policy setting only applies to subscription versions of Office, such as Microsoft 365 Apps for enterprise.

Solution

Policy Path: Microsoft Office 2016\Security Settings
Policy Setting Name: Macro Runtime Scan Scope

See Also

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2206/ba-p/3502714

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3c.1.

Plugin: Windows

Control ID: 961fc02e8b830852f539b81ddca796581af0d363f1116d394771abd4b6ba979c