Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 5. Macro Viruses

5.10 Preventing Macro Viruses

Macro viruses are the number one type of malicious mobile code. Here are some recommendations to prevent them from attacking your environment.

5.10.1 Disable Macros in Documents

To prevent most macro viruses (not including multipartite types), don't open any documents with macros enabled. It's that simple. Case closed. However, this advice hasn't worked for the last five years, especially where large corporate networks are concerned, and there is little reason to expect it will in the future. Plus, there are times when a legitimate macro needs to be executed (for example, installing a new program that interfaces with Office). The following suggestions, in order of decreasing impact, will help lessen your chances of getting infected by a macro virus. All have side effects that must be weighed against the benefit in your particular environment.

Disabling macros will sometimes cause Office applications to generate the following message, "The macros in this project are disabled," over and over while working with the document that contains macros.

5.10.2 Upgrade All Versions of Office to the Latest Version

Rarely will you find me pushing anyone to spend money for an unnecessary upgrade. However, if you use Office, the early versions do not warn users of embedded macros and do little to prevent their spread. I recommend that if you are having a problem with macro viruses, upgrade to Microsoft's latest version of Office. It contains strong security against macro viruses, and if the defaults are followed, it will significantly decrease the risk of macro virus attack. Make sure to apply the latest service pack, which as of this publishing is Service Release 2.

5.10.3 Automate Document Scanning

Using an up-to-date virus scanner is a great way to detect and clean macro viruses. Office 2000 allows virus scanners to be hooked into Office so that they take complete control of detecting and preventing macro viruses. Some protected users may want to lower their Office security to low, but I would not recommend it. Macro viruses are coming out too fast and attempting to hide in many new ways that can fool a virus scanner.

An antivirus scanner must be specifically written to take advantage of Office 2000's new antivirus API. You can check to see if an Office-enabled scanner is installed on your system by choosing Tools → Macros → Security. If a scanner is interacting with Office, you will see the text, "Virus scanner(s) installed." If you see "No virus scanner installed," it means that no antivirus product has enabled itself with Office's new APIs. However, depending on the antivirus software you are using, it might still be scanning in the background, inspecting every document you open. Check your documentation to confirm.

5.10.4 Set Office Security to High

One of the biggest things you can do to prevent macro viruses is to set Microsoft Office's security to high. To set Office's security, choose Tools → Macro → Security and choose the appropriate level. At the high level Office automatically disables all macros not explicitly trusted or digitally signed. The document might still be infected with the virus, and other users who open it can still get infected, but at least it doesn't infect your system.

Office 2000's security settings only apply to macros written in VBA. Macro viruses written in other languages that are still able to function in Office 2000, for example, Excel 4.0 macros, are not affected by the security level setting.

At the opposite end of the spectrum, the low security setting offers no protection and runs all macros regardless of legitimacy. Medium security prompts the user for all documents containing unsigned macros, but allows the user (in most cases) to enable the macros if they desire. Most users should have their macro security settings set to High. Administrators and power users may want a Medium security setting so that they can be notified when the document they are working on is infected. This allows them to clean it before sending the document elsewhere.

5.10.5 Locking the VBA Normal Project

If a macro virus can't infect your global document, chances are it will not go far. Sure, it can infect and spread using a normal document, but once the document is closed, the virus is no longer resident in memory. Macro viruses want to infect your global template, so don't let them.

Your Microsoft Word global template is stored as a project called Normal in VBE. You can lock this project from modification and prevent modules from being created, viewed, or copied into the global template. Open up VBE using Alt-F11. Using Project Explorer, select the Normal project. Click on Tools → Normal Properties → Protection tab → check Lock project for viewing. You will need to set a password. Click on File → Save Normal to save changes.

Although I prefer the previous method, there is another way to accomplish nearly the same result by password-protecting and marking the NORMAL.DOT file as read-only within Word. Open your global template. Choose Tools → Options → Save tab, where you can make the file read-only and give it a modification password. Save your changes. In earlier versions, this would make Word produce a read-only warning message when started, but this no longer happens. If a virus tries to save to the global template without disabling the read-only feature (there are several ways to do this), it will fail, and your template will remain clean.

5.10.6 Save Normal Template Prompt

When the global template is modified, Word can be configured to notify you that the global template should be saved. Choose Tools → Options → Save tab, and then check the Prompt to save Normal template option. Then, while exiting, if the global template has changed, Word will prompt you to save the template. If you have not intentionally modified it, this might indicate that a macro virus is present, and you should not save it. Be aware that any documents you opened before the warning appeared were opened while the virus was attempting to modify your global template, so they may already be infected.

In 1995, Microsoft released the Macro Virus Protection Tool and its associated ScanProt.dot macros to protect Word versions 6.x and 7.x against early macro viruses. It is not considered a viable protection tool today, and in fact, ScanProt macros are incorporated in many macro viruses.

5.10.7 Confirming Downloads for Office Documents

We talked earlier about how Office may automatically open any document clicked on in a web link or double-clicked on in an email. This occurs because the download confirmation setting is turned off for many main Office file types. You can fix this by downloading Microsoft's Open Office Document Confirmation Tool (see Microsoft Article ID Q238918), or make the fix manually. To fix it manually:

  1. Choose My Computer → View (or Tools in Windows 2000) → Folder Options → File Types tab.

  2. Click on a specific file type (such as Microsoft Word Document or Microsoft Excel Worksheet) in the Registered file types dialog box.

  3. Click Edit. Select the Confirm open after download checkbox and save.

5.10.8 Rename DEBUG.EXE

Since most users don't use DEBUG.EXE, it can't hurt to rename it or delete it. I prefer renaming so that it can still be used when needed, but can't be automatically executed by macro viruses (and other malicious code types). In Windows NT or 2000, consider removing security access permissions instead.

5.10.9 Word Startup Switches

Word has several different command-line switches that can help prevent the spread of macro viruses. Although they aren't my first choice for complete protection, for some situations they can come in handy. I've used protective command-line switches in versions of Word without any type of macro virus protection. Taking a few minutes to turn on a startup switch can save you a lot of future time. You can modify the menu option or shortcut that starts Word to include one of the following switches:

/a
    Prevents global templates and add-ins from being loaded automatically

/m
    Prevents automacros from being loaded

/t templatename
    Uses a global template other than NORMAL.DOT

If you use any startup switches within a program shortcut, be sure to include the switch outside the quotation marks of the original command line. For example:

"C:\Program Files\Microsoft Office\Office\Winword.exe" /a

There are a few problems with using the /a command-line switch in Office 2000. Choosing this option will also prevent COM add-ins and Word settings stored in the registry from loading, and it locks the settings file so that no setting changes can be saved. Even worse, it resets the toolbars and Office Assistant back to their defaults (the Standard and Formatting toolbars share one row, and Clipit! will show up again). The only way to get back your customized settings is to stop using the /a switch and reset the options back to where you wanted them. Also, the /a option will always prompt for usernames and initials twice, and act like the user is a new user every time Word starts.

If you are sure that you don't have the need for automacros, /m gives a bit of extra security, and prevents many macro viruses from spreading. However, there are many macro viruses that spread without the use of an automacro, and disabling them will sometimes cause other programs that interact with Word to install incorrectly. Use startup switches with caution.

5.10.10 Network Security

Network administrators can use Microsoft's Custom Installation Wizard and the Profile Wizard (located in the Office 2000 Resource Kit) to modify Office's default security for their users (although most users can change these settings manually after installation). When properly configured in Windows NT 4.0 and Windows 2000 Professional, end users will not be able to change their security options. Administrators can even choose which macros are trusted and which are not. If used correctly, by disabling all macros not previously approved by the network security team, a company can eradicate most macro viruses altogether.
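The settings recommended in 5.10.4, 5.10.7 and 5.10.10 all live in the registry, so a machine can be audited for them. The following PowerShell script is an added example, not code from the book or from Microsoft; it assumes the Office 2000 (version 9.0) registry layout and ProgIDs named in its comments, and that the "Confirm open after download" checkbox corresponds to the FTA_OpenIsSafe bit (0x10000) of a file type's EditFlags value (bit set means no confirmation). It only reads settings and flags anything that departs from the book's recommendations.

```powershell
# Added audit script, not from the book. Assumed Office 2000 (9.0) registry layout:
#   per-user level  HKCU\Software\Microsoft\Office\9.0\<App>\Security\Level  (1=Low 2=Medium 3=High)
#   enforced level  HKCU\Software\Policies\Microsoft\Office\9.0\<App>\Security\Level
# "Confirm open after download" is OFF when the FTA_OpenIsSafe bit (0x10000) is
# SET in the ProgID's EditFlags value. The script reads the registry and changes nothing.
$Apps    = 'Word', 'Excel', 'PowerPoint'
$ProgIds = 'Word.Document.8', 'Word.Template.8', 'Excel.Sheet.8', 'PowerPoint.Show.8'
$LevelNames = @{ 1 = 'Low'; 2 = 'Medium'; 3 = 'High' }
$FTA_OpenIsSafe = 0x10000
function Get-MacroSecurityLevel([string]$App) {
    # A policy-enforced value takes precedence over the user's own setting.
    foreach ($root in 'HKCU:\Software\Policies\Microsoft\Office\9.0',
                      'HKCU:\Software\Microsoft\Office\9.0') {
        $key = "$root\$App\Security"
        if (-not (Test-Path $key)) { continue }
        $level = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Level
        if ($null -ne $level) {
            $source = if ($root -like '*\Policies\*') { 'policy' } else { 'user' }
            return [pscustomobject]@{ App = $App; Level = [int]$level; Name = $LevelNames[[int]$level]; Source = $source }
        }
    }
    [pscustomobject]@{ App = $App; Level = $null; Name = 'not set'; Source = 'none' }
}

function Get-EditFlags([string]$ProgId) {
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId"
    if (-not (Test-Path $key)) { return $null }          # file type not registered
    $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EditFlags
    if ($null -eq $raw) { return [uint32]0 }
    # EditFlags may be REG_DWORD or a 4-byte REG_BINARY; normalise to an unsigned int.
    if ($raw -is [byte[]]) { return [BitConverter]::ToUInt32($raw, 0) }
    return [uint32]($raw -band 0xFFFFFFFF)
}

'== Macro security level (sections 5.10.4 and 5.10.10) =='
foreach ($app in $Apps) {
    $r = Get-MacroSecurityLevel $app
    $verdict = if ($r.Level -eq 3) { 'OK' } else { 'REVIEW' }   # book recommends High
    '{0,-11} {1,-7} level={2,-8} source={3}' -f $r.App, $verdict, $r.Name, $r.Source
}

'== Confirm open after download (section 5.10.7) =='
foreach ($p in $ProgIds) {
    $flags = Get-EditFlags $p
    if ($null -eq $flags) { '{0,-18} not registered' -f $p; continue }
    $confirms = -not ($flags -band $FTA_OpenIsSafe)              # bit clear = prompt shown
    $verdict = if ($confirms) { 'OK' } else { 'REVIEW' }
    '{0,-18} {1,-7} EditFlags=0x{2:X8}' -f $p, $verdict, $flags
}
```

A REVIEW line under the file-type check is what Q238918's tool corrects by clearing the bit; a REVIEW line under the level check means the user (or, when the source is "policy", the administrator) has not set the level to High.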

Using these steps will significantly reduce your exposure to macro viruses.

Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176