How to block Excel files which contain Excel 4.0 Macros

Created On 08/03/20 05:47 AM - Last Modified 06/02/22 20:27 PM


Symptom


We have observed Excel 4.0 Macros (also known as XLM Macros) being actively used for malicious activities. This document explains how to block Excel files that contain them.

Resolution


In order to block the Excel files which contain Excel 4.0 Macros effectively, we have released the following Anti-Spyware signatures.
 
| Severity | Unique Threat ID | Name | Default Action | Minimum PAN-OS Version | First Release |
|---|---|---|---|---|---|
| Informational | 85935 | Possible Excel 4 Macro in Office File Detection | alert | 7.1.0 | 8288 |
| Informational | 85969 | Possible Excel 4 Macro in Office File Detection | alert | 7.1.0 | 8299 |
| Informational | 86506 | Possible Excel 4 Macro in Office File Detection | alert | 8.1.0 | 8519 |

Please note that these signatures were released with the Default Action "alert", so by default they only log a match. To block the files, you must change the action for these signatures in your Anti-Spyware Profile configuration.

Here is an example of an Anti-Spyware Profile with the Action set to "reset-both".
[Screenshot: 86506]

For more information on how to configure Anti-Spyware exceptions, please visit this article:
How to Use Anti-Spyware, Vulnerability and Antivirus Exceptions to Block or Allow Threats
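
Because the signatures ship with the default action "alert", it is worth checking that every Anti-Spyware Profile actually overrides all three Threat IDs. The following audit script is an added example, not part of the original article or Palo Alto Networks tooling; it assumes the exported configuration stores exceptions as `profiles/spyware/entry/threat-exception/entry` elements, and the profile names and sample XML are constructed.

```python
import xml.etree.ElementTree as ET

# Threat IDs of the "Possible Excel 4 Macro in Office File Detection" signatures.
XLM_THREAT_IDS = ("85935", "85969", "86506")
# Exception actions that stop the transfer; "alert", "allow" and "default" do not.
BLOCKING_ACTIONS = {"reset-both", "reset-client", "reset-server", "drop", "block-ip"}

# Constructed sample in the assumed layout of an exported PAN-OS configuration.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
 <profiles><spyware>
  <entry name="strict-xlm">
   <threat-exception>
    <entry name="85935"><action><reset-both/></action></entry>
    <entry name="85969"><action><reset-both/></action></entry>
    <entry name="86506"><action><reset-both/></action></entry>
   </threat-exception>
  </entry>
  <entry name="partial">
   <threat-exception>
    <entry name="85935"><action><reset-both/></action></entry>
    <entry name="85969"><action><alert/></action></entry>
   </threat-exception>
  </entry>
  <entry name="untouched"/>
 </spyware></profiles>
</entry></vsys></entry></devices></config>
"""

def audit_xlm_exceptions(config_xml):
    """Return {profile: {threat_id: effective_action}} for IDs that are not blocked."""
    root = ET.fromstring(config_xml)
    findings = {}
    for entry in root.iterfind(".//profiles/spyware/entry"):
        gaps = {}
        for tid in XLM_THREAT_IDS:
            action = entry.find(f"threat-exception/entry[@name='{tid}']/action")
            # No exception (or an empty one) leaves the signature at its default, "alert".
            name = action[0].tag if action is not None and len(action) else "alert (default)"
            if name not in BLOCKING_ACTIONS:
                gaps[tid] = name
        if gaps:
            findings[entry.get("name")] = gaps
    return findings

if __name__ == "__main__":
    for profile, gaps in audit_xlm_exceptions(SAMPLE_CONFIG).items():
        print(profile, gaps)
```

A profile that passes this check still has to be attached to the Security policy rules that carry the file traffic for the block action to take effect.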


The signatures may be updated in the future. To see the latest status of the signatures, please visit our Threat Vault.
https://threatvault.paloaltonetworks.com/?query=85935&type=
https://threatvault.paloaltonetworks.com/?query=85969&type=
https://threatvault.paloaltonetworks.com/?query=86506&type=

 

 

