
Block Office Macros on removable storage devices (including mobile)

September 06, 2016 – secRMM has added another security rule which does not really fall into the Data Loss Prevention (DLP) category but more in the antimalware category.  The new rule is named “BlockOfficeMacrosOnDevice”.  As the name implies, secRMM will block opening any Microsoft Office document residing on a removable storage device that has one or more macros embedded within it.

You can also view a YouTube video on this subject.

Microsoft has been doing a great job of securing the Office suite, especially with Office 2016 (see MS Blog: New feature in Office 2016 can block macros and help prevent infection).  As that post describes, there is a Group Policy setting that you can apply to your domain(s).  Microsoft also has a Malware Protection Center where you can get more information about Office macros at:
https://www.microsoft.com/en-us/security/portal/threat/macromalware.aspx.

What has still not been addressed (until now) is the handling of removable/plug-and-play storage devices.  We are talking about thumb drives, USB connected mobile devices, SD-Cards, external hard drives, CD/DVD, etc.  This is what the secRMM “BlockOfficeMacrosOnDevice” rule addresses.  You can apply this setting in multiple ways:

Active Directory Group Policy and/or
Microsoft System Center Configuration Manager (SCCM) and/or
On the individual computer by using the “Computer Management” MMC and/or
Script (PowerShell, VBScript, JScript, CMD, etc.) – Yes, secRMM is 100% scriptable

Another good thing about the secRMM “BlockOfficeMacrosOnDevice” feature is that it supports Office 2016, 2013, 2010, 2007 and 2003.  It probably supports even older versions but we could not find an older version than 2003 to install and test with!

If you are concerned about Macro-based malware, now you can have this additional help by using secRMM.

The screenshots below will show you what we discussed above.

In the first 2 screenshots, we are just turning on the rule (we used the “Computer Management” MMC).  It is just a checkbox, on or off.  You must be an Administrator on the computer to be able to access the secRMM rules.

[Screenshot blog22_1: the secRMM rules in the “Computer Management” MMC]

[Screenshot blog22_1a: the “BlockOfficeMacrosOnDevice” checkbox turned on]

The next 3 screenshots show you what the end-user will experience when they go to open an Office document with one or more macros embedded within it.  The first 2 screenshots are from Windows Explorer.  The third screenshot is if they try to use a command window.  Note that this blocking functionality will also apply if they first open the Office program and then do a File->Open operation from within the Office program.

[Screenshot blog22_1b: block message when opening from Explorer]

[Screenshot blog22_2: block message when opening from Explorer]

[Screenshot blog22_3: block message when opening from a command window]

Now, as the IT and/or security Administrator, you will also be able to see in the event log that this condition has occurred (i.e. an end-user tried to open an Office document on a removable storage device and the Office document had a macro(s) embedded within it).

The screenshot below has a lot of information contained within it.  First, it tells you that a “BLOCK MACROS ON DEVICE ACTIVE” event occurred (in the secRMM event log, that is event id 514).  It tells you the user who tried to open the Office document (in the screenshot, this is CONTOSO\Angela).  Next, it tells you about the removable storage device.  Next, it tells you the program that tried to open the Office document.  In this case, it is Winword.exe.  The last line is kind of long but it is really the most detailed so we break it down below the screenshot.

[Screenshot blog22_4: secRMM event id 514 in the event log]

Command Line: “C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE” /n “E:\Programs\OfficeMacros\2003\Word1Macro_2003.doc” /o “”,
Current Directory: E:\Programs\OfficeMacros\2003,
Office Macro(s): ThisDocument(Document:3), Module1(Code:14)

The text above logs what the “command line” looked like when Windows tried to open the Office document.  It also logs the “current directory”.  Lastly, it lists the macro information contained inside the Office document.  In the above event, we can see that inside this Word document, the “ThisDocument” VBA object has a macro of type “Document” and there are 3 lines of executable code.  There is also an object named Module1 which has a macro of type “Code” and there are 14 lines of code.

Below is a screenshot of the Word document used in our example with the Visual Basic Editor open so you can see why secRMM listed what it did.

[Screenshot blog22_5: the Visual Basic Editor showing ThisDocument and Module1]

If you get a secRMM event and the Additional Info line contains:
Description=Programmatic access to Visual Basic Project is not trusted.
this means that Office does not trust programmatic access to the document’s VBA project, so secRMM could not parse the file for macros.  What?!!!  Right, it sounds crazy but secRMM is not doing anything out of the ordinary to obtain the information about the macros.  This message means there ARE macros but secRMM is not allowed to look at them.
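As an added example (not secRMM’s own code or any script it ships), here is a small Python parser for the Additional Info text of event id 514, run over two constructed samples: the Word event broken down above, and the “Programmatic access to Visual Basic Project is not trusted” case, which is flagged explicitly so it is not misread as “no macros”.  The field names follow the post; the EXCEL.EXE sample and its paths are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of the Additional Info text of a secRMM event id 514
# ("BLOCK MACROS ON DEVICE ACTIVE"), modelled on the fields shown in the post.
SAMPLE_EVENT_OK = (
    'Command Line: "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE" /n '
    '"E:\\Programs\\OfficeMacros\\2003\\Word1Macro_2003.doc" /o "",\n'
    'Current Directory: E:\\Programs\\OfficeMacros\\2003,\n'
    'Office Macro(s): ThisDocument(Document:3), Module1(Code:14)'
)

# Constructed sample of the case where Office refused programmatic VBA access.
SAMPLE_EVENT_UNTRUSTED = (
    'Command Line: "C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE" '
    '"E:\\Invoices\\q3.xlsm",\n'
    'Current Directory: E:\\Invoices,\n'
    'Description=Programmatic access to Visual Basic Project is not trusted.'
)

NOT_TRUSTED = "Programmatic access to Visual Basic Project is not trusted"

# "Key: value," lines; the trailing comma is optional on the last line.
_FIELD_RE = re.compile(r"^(Command Line|Current Directory|Office Macro\(s\)): (.*?),?$", re.M)
# One macro entry looks like Name(Type:LineCount).
_MACRO_RE = re.compile(r"(\w+)\((\w+):(\d+)\)")

@dataclass
class MacroBlockEvent:
    command_line: str
    current_directory: str
    macros: dict = field(default_factory=dict)  # module name -> (type, line count)
    vba_access_denied: bool = False             # Office would not expose the VBA project

    def total_code_lines(self) -> int:
        return sum(lines for _, lines in self.macros.values())

def parse_event(text: str) -> MacroBlockEvent:
    """Parse the Additional Info text of a secRMM macro-block event."""
    fields = dict(_FIELD_RE.findall(text))
    ev = MacroBlockEvent(command_line=fields.get("Command Line", ""),
                         current_directory=fields.get("Current Directory", ""))
    for name, kind, count in _MACRO_RE.findall(fields.get("Office Macro(s)", "")):
        ev.macros[name] = (kind, int(count))
    ev.vba_access_denied = NOT_TRUSTED in text
    return ev

def triage(ev: MacroBlockEvent) -> str:
    """One-line verdict an analyst could key alerts on; the executable is the first quoted token."""
    exe = ev.command_line.split('"')[1].rsplit("\\", 1)[-1] if '"' in ev.command_line else ev.command_line
    if ev.vba_access_denied:
        return f"{exe}: document contains macros but VBA project access was denied; inspect manually"
    return f"{exe}: {len(ev.macros)} macro module(s), {ev.total_code_lines()} line(s) of VBA"
```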

We hope you found this information useful.
You can try secRMM for 30 days (fully functional).
Please visit the Squadra Technologies web site to download secRMM.
Thanks for reading!
