8

I just ran into an even more annoying problem. Suddenly Windows Defender started to flag one of my Excel files containing VBA macro code (on download from a browser) as being a virus. The specific virus being logged is:

Trojan:O97M/Foretype.A!ml

Googling it reveals the following information:

O97M.Downloader is a generic detection for Microsoft Office macros that download other threats. They are usually contained in other Microsoft Office documents and may arrive on the compromised computer through attachments or after being downloaded from a website.

Great, so once Windows Defender detects it, it basically shreds the file, and when you attempt to open it, Excel claims the file has "been corrupted". I would love to post my VBA file to http://www.virustotal.com, however it contains tons of proprietary VBA code that cannot be shared with the wider community. I wonder if there's a website that accomplishes the same thing with different terms and conditions?

This has only started recently and has only affected a few users/clients. I'm not sure of the distribution of clients who have this installed and what versions of Windows Defender they are running. I'm worried the impact of this will increase until a large number of our clients are affected. Even more troubling, often clients can download one version without issue, but when they download the file (identical VBA code) from a different source they encounter the issue. Could the download source affect the file's likelihood of being flagged?

Main Question

What causes an Excel VBA file to be flagged as an "O97M" virus and how do I prevent it from being flagged?

Related Concerns

Should I sign my VBA macros? Would that affect the virus detection likelihood?

Are there other common practices that I could change that would affect the likelihood of false positives?

What is a "Trojan:O97M/Foretype.A!ml" exactly? The Windows page contains so little information it might as well not exist, and Symantec is also pretty unhelpful. (Maybe I'm massively uninformed here.) Is there a centralized repository for virus detection? I would imagine that people may not want to share that and it may differ by product, but I'd be interested in any information pertaining to this...

External Libraries

I'm also using the following external code:

https://gist.github.com/brucemcpherson/3414365/

https://www.thespreadsheetguru.com/the-code-vault/2014/4/23/loop-through-all-excel-files-in-a-given-folder

How to use VBA SaveAs without closing calling workbook?

I'm also using the following Windows API functions:

Public Declare PtrSafe Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As LongPtr
Public Declare PtrSafe Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As LongPtr, ByVal nIndex As Long) As LongPtr
Public Declare PtrSafe Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As LongPtr, ByVal nIndex As Long, ByVal dwNewLong As LongPtr) As LongPtr
Public Declare PtrSafe Function GetWindowRect Lib "user32" (ByVal hWnd As LongPtr, lpRect As RECT) As LongPtr
Public Declare PtrSafe Function SetWindowPos Lib "user32" (ByVal hWnd As LongPtr, ByVal hWndInsertAfter As LongPtr, ByVal x As Long, ByVal y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As LongPtr
Public Declare PtrSafe Function SetParent Lib "user32.dll" (ByVal hWndChild As LongPtr, ByVal hWndNewParent As LongPtr) As LongPtr
Public Declare PtrSafe Function SetForegroundWindow Lib "user32" (ByVal hWnd As LongPtr) As LongPtr
Public Declare PtrSafe Function GetDeviceCaps Lib "gdi32.dll" (ByVal hdc As LongPtr, ByVal nIndex As Long) As Long
Public Declare PtrSafe Function GetDC Lib "user32.dll" (ByVal hWnd As LongPtr) As LongPtr
Public Declare PtrSafe Function ReleaseDC Lib "user32.dll" (ByVal hWnd As LongPtr, ByVal hdc As LongPtr) As LongPtr
Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Public Declare PtrSafe Function SetLastError Lib "kernel32.dll" (ByVal dwErrCode As Long) As Long
Public Declare PtrSafe Function GetActiveWindow Lib "user32.dll" () As LongPtr
Public Declare PtrSafe Function DrawMenuBar Lib "user32" (ByVal hWnd As LongPtr) As Long
0m3r
David Rogers
    I'm not sure what anyone here can suggest as being a trigger without seeing the code. You *could* report it to MS as a false positive, but they'll probably ask for your code too. AV companies aren't forthcoming about their heuristics for ***very*** good reason. – Comintern Nov 08 '18 at 17:36
  • Did you happen to implement something [like this](https://stackoverflow.com/q/51030992/4088852)? – Comintern Nov 08 '18 at 17:40
  • While it won't "solve" the problem, have you considered emailing "MyWorksheet.xlsm.TXT" to your clients with explicit instructions to remove the ".TXT" from the end? That should bypass the scan on download since A) it's not from the web, and B) it's not an ".XLSM" file (at least, not until it's renamed). – FreeMan Nov 08 '18 at 18:05
  • @Comintern Yeah it's a big file and while I don't think it would be good to share all of it I definitely can share bits. Hmm yes I'll contact the almighty MS on this one and share it with them. It's understandable why the details are hidden, but difficult then to diagnose false positives :( – David Rogers Nov 08 '18 at 19:42
  • @Comintern (Automate Compile) I wish, unfortunately no, I have not figured that one out yet... The file is basically some logic to interface with an IE window and some pivot table and table logic to do various things in Excel. It's actually pretty innocent, I don't read/write any external files, and all the Windows libraries I reference relate to WinForms behavior, not sensitive system calls (at least not that I'm aware of). Maybe I can include that with my question... – David Rogers Nov 08 '18 at 19:44
  • @FreeMan I hope I don't have to resort to that. Right now they just click a link and download the file. I could do that, but there are 100/1000's of users; that would be quite difficult to implement without a lot of pain (I would imagine). – David Rogers Nov 08 '18 at 19:46
  • I've also submitted this to "Windows Defender Security Intelligence" including all the proprietary code. Hopefully they have a good answer... – David Rogers Nov 12 '18 at 16:51
  • I'm facing the same issue and am even more confused because according to the Availability section in the Microsoft article below, the AMSI shouldn't scan the file because (a) it's signed with a legitimate root authority code-signing certificate which is marked as a trusted publisher and (b) it's marked as a trusted document in a trusted location. https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/ – Jamie Garroch - MVP Oct 23 '19 at 15:30

6 Answers

3

We reached out to Microsoft and they replied with the following message (Not copy-able in text for some reason):

[image of Microsoft's reply; text not available on the page]

So I guess this was the JSON VBA logic, and I guess it was resolved (I haven't seen this reoccur), though it's really hard to say.

David Rogers
1

Started to get the same problem with one of my xlsm files as well a couple of days ago (2018-10-29). I've made the file from scratch so I know that it doesn't contain any virus.

Don't know if Windows Defender reacts on one of the following things:

  1. File is stored on my OneDrive
  2. It contains code for downloading from the web (json-data and images)

Only thing that I haven't made on my own is this code that I'm using: https://github.com/VBA-tools/VBA-JSON/blob/master/JsonConverter.bas

My guess is that Windows Defender reacts to the JsonConverter code; the "Trojan:O97M/Foretype.A!ml" might be using similar code.

Anders A
    Yes I concur, I'm not using that library, but I am using a similar bit of code [here](https://gist.github.com/brucemcpherson/3414365/) (similar JSON type logic), I wonder if it's triggering on that... – David Rogers Nov 11 '18 at 23:26
0

I have over the past few years experienced this issue on several other files with a similar set of conditions. The following methods helped me resolve these issues:

  1. Eliminate and Contact Vendors - Remove all sections of the offending file other than the VBA code, then systematically eliminate ALL code other than the code from the file until you have identified the specific section of code that is causing the anti-virus to flag your file. (Typically this section of code is very small.) You can safely upload this logic to VirusTotal without sharing a large percentage of your file's IP. This will then allow you to identify which vendor is incorrectly flagging your file. Reach out to them with the "minimized" version of your file and ask them to remove it from their database (typically takes a few days, but they will do it).

  2. Code Signing Certificates - I have had luck with some anti-virus vendors by digitally signing my files using a code signing SSL certificate. I know others haven't had any luck with that approach, my opinion is that it will differ by vendor, some respect it, others will not.

  3. Obfuscation - My file was offered as a download on my website; because each user was clicking "download" before opening the file, I had an opportunity to modify each file being downloaded before the user opened the file. If you're not electing for option 2, there is a lower quality option, that is, you implement a simple version of obfuscation on top of each file that is downloaded, generating a "different" version of the file for each user that downloads it. It's a bit of an arms race, but I've had success with this method. The biggest advantage is that when your new file is flagged, they're only flagging the obfuscated file, not the original file used to obfuscate; in many cases they won't pick up on a section of VBA that's covered in the original, i.e. only the file that was flagged will be detected, all other users are not affected.

  4. Working Around the Problem - You can always go around the problem. Where possible you can use different methods of storing your VBA, such as this sort of thing. I heavily abstract my methods into async web calls, sheltering my business logic from the VBA code. The long term solution is to get around the issue by using VSTO and exiting the VBA environment permanently, though there are certainly drawbacks to this approach.

David Rogers
0

While attempting to edit VBA code in an old XLSM Excel document I received the error "file not found" on open. When I continued to open it I found that all 5 of my VBA modules had been stripped. Research found that Bitdefender had reported Trojan.Valyrian.3644. I also found that Bitdefender had stripped all of the backup files and versions of the same file. When I attempted to have the file emailed back to me, BD stripped the entire email citing the same Trojan.

I was able to get a Notepad list of the modules. I copied each of the 5 back into new modules one at a time and found that only 1 caused the problem. I then recovered that module line by line until BD was not happy again. The problem was a single DIM statement with several variables separated by commas (DIM X,Y,Z, etc,etc,etc). Splitting that DIM statement into 3 lines resolved the problem.

What I don't understand is why that same Excel file had been used since 2013 with no issues. The problem only came up in January 2021 when I attempted to open it for editing. Turns out the final user in another location also had trouble with the file this year. Everyone using the file has Office 365 now, although the VBA code was developed using Excel 2013.

John Conde
0

Searching for hints on how to control Windows Defender, I hit on this page. Windows Defender has recently become fond of deleting add-ins on my machine for a false positive: Trojan:O97M/Sadoca.C!ml. Some of these files are one year old or older and they are signed with my official code signing certificates. They are .ppam and .xlam. Some of them are obfuscated, others are plain text VBA code.

Before losing all work, I turned off Windows Defender. Windows Defender keeps adding the files to quarantine at random time intervals and it does not list these actions in the Protection History for me to allow these "threats". So it seems Windows Defender is broken for now. It's a nightmare and there is no easy remedy process. I wouldn't mind sending a signed and obfuscated file to Microsoft. Still searching for a contact. Maybe here is such information: https://learn.microsoft.com/en-us/microsoft-365/security/defender/m365d-autoir-report-false-positives-negatives?view=o365-worldwide. Will check tomorrow.

Not really funny, these add-ins are running on numerous machines in companies all day long. It would be a disaster/stop entire production lines if Windows Defender starts to quarantine the add-ins there. - I am sweating! - There's got to be a better process to correct false positives, be it your own work or if Windows Defender starts to delete Windows system files signed by Microsoft itself, as some folks report on other sites. We are way too dependent on IT to run the risk of malware or security software taking us out of business.
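Added example (not code from anyone in this thread): when Protection History does not show what Defender quarantined, the Defender PowerShell module and MpCmdRun.exe still record it. This script lists detections whose threat name matches the O97M families mentioned above, with the affected file paths, and then lists the quarantine so a confirmed false positive can be restored after Microsoft has reviewed the submission. It assumes an elevated PowerShell session on Windows 10/11 with the built-in Defender module; the name pattern is a constructed filter taken from the thread.

```powershell
# Defender false-positive triage for Office macro files (added example).
# Assumes: elevated PowerShell, built-in Defender module (Get-MpThreat etc.).
# Constructed filter from the threat names quoted in this thread; adjust as needed.
$pattern = 'O97M|Foretype|Sadoca'

# Threats Defender has ever recorded on this machine, filtered to macro families.
$threats = Get-MpThreat | Where-Object { $_.ThreatName -match $pattern }

foreach ($t in $threats) {
    # Each detection event lists its resources as "file:_C:\path\to\file.xlam".
    $events = Get-MpThreatDetection | Where-Object { $_.ThreatID -eq $t.ThreatID }
    foreach ($e in $events) {
        [pscustomobject]@{
            ThreatName = $t.ThreatName
            Detected   = $e.InitialDetectionTime
            Process    = $e.ProcessName          # which process triggered the scan
            ActionOK   = $e.ActionSuccess        # whether quarantine/removal succeeded
            Files      = ($e.Resources -replace '^file:_', '') -join '; '
        }
    }
}

# Quarantine contents, independent of the Protection History UI.
$mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpcmd -Restore -ListAll

# Once Microsoft has accepted the file as a false positive, restore everything
# quarantined under that threat name (uncomment to run), and optionally exclude
# the add-in folder until the updated signatures have reached this machine:
# & $mpcmd -Restore -Name 'Trojan:O97M/Sadoca.C!ml' -All
# Add-MpPreference -ExclusionPath 'C:\Path\To\Addins'   # placeholder path
```

Keep the signed original of every add-in outside the scanned download path so a quarantine event never destroys the only copy.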

0

I was also having the same issue, I resolved it by saving file as xlsb.