问题
I just ran into an even more annoying problem. Suddenly windows defender started to flag one of my excel files containing VBA macro code(on download from a browser) as being a virus. The specific virus being logged is:
Trojan:O97M/Foretype.A!ml
Googling it reveals the following information:
O97M.Downloader is a generic detection for Microsoft Office macros that download other threats. They are usually contained in other Microsoft Office documents and may arrive on the compromised computer through attachments or after being downloaded from a website.
Great, so once windows defender detects it, it basically shreds the file, and when you attempt to open it, excel claims the file has "been corrupted". I would love to post my VBA file to http://www.virustotal.com however it contains tons of propriety VBA code that cannot be shared with the wider community. I wonder if there's a website that accomplishes the same thing with a different terms and conditions?
This has only started recently and has only affected a few users/clients. I'm not sure the distribution of clients who have this installed and what versions of windows defender they are running. I'm worried the impact of this will increase until a large number of our clients are affected. Even more troubling, often clients can download one version without issue, but when they download the file(identical VBA code) from a different source they encounter the issue, could the download source affect the files likelihood of being flagged?
Main Question
What causes a excel VBA file to be flagged as a "O97M" virus and how do I prevent it from being flagged?
Related Concerns
Should I sign my VBA Macro's, would that affect the virus detection likelihood?
Are they're other common practices that I could change that would affect the likelihood of false positives?
What is a "Trojan:O97M/Foretype.A!ml" exactly? The window page contains so little information it might as well not exists, Symantec is also pretty unhelpful, (maybe I'm massively uninformed here) is there a centralized repository for virus detection? I would imagine that people may not want to share that and it my differ by product, but I'd be interested in any information pertaining to this...
External Libraries
I'm also using the following external code:
https://gist.github.com/brucemcpherson/3414365/
https://www.thespreadsheetguru.com/the-code-vault/2014/4/23/loop-through-all-excel-files-in-a-given-folder
How to use VBA SaveAs without closing calling workbook?
I'm also using the following window functions:
Public Declare PtrSafe Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As LongPtr
Public Declare PtrSafe Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As LongPtr, ByVal nIndex As Long) As LongPtr
Public Declare PtrSafe Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As LongPtr, ByVal nIndex As Long, ByVal dwNewLong As LongPtr) As LongPtr
Public Declare PtrSafe Function GetWindowRect Lib "user32" (ByVal hWnd As LongPtr, lpRect As RECT) As LongPtr
Public Declare PtrSafe Function SetWindowPos Lib "user32" (ByVal hWnd As LongPtr, ByVal hWndInsertAfter As Long, ByVal x As Long, ByVal y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As LongPtr
Public Declare PtrSafe Function SetParent Lib "user32.dll" (ByVal hWndChild As LongPtr, ByVal hWndNewParent As LongPtr) As LongPtr
Public Declare PtrSafe Function SetForegroundWindow Lib "user32" (ByVal hWnd As LongPtr) As LongPtr
Public Declare PtrSafe Function GetDeviceCaps Lib "gdi32.dll" (ByVal hdc As LongPtr, ByVal nIndex As LongPtr) As LongPtr
Public Declare PtrSafe Function GetDC Lib "user32.dll" (ByVal hWnd As LongPtr) As LongPtr
Public Declare PtrSafe Function ReleaseDC Lib "user32.dll" (ByVal hWnd As LongPtr, ByVal hdc As LongPtr) As LongPtr
Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Public Declare PtrSafe Function SetLastError Lib "kernel32.dll" (ByVal dwErrCode As Long) As Long
Public Declare PtrSafe Function GetActiveWindow Lib "user32.dll" () As Long
Public Declare PtrSafe Function DrawMenuBar Lib "user32" (ByVal hWnd As LongPtr) As Long
回答1:
We reached out to Microsoft and they replied with the following message (Not copy-able in text for some reason):
So I guess this was the JSON VBA logic, and I guess it was resolved(I haven't seen this reoccur), though it's really hard to say.
回答2:
Started to get the same problem with one of mine xlsm-files as well a couple of days ago (2018-10-29). I've made the file from scratch so I know that it don't contain any virus.
Don't know if Windows Defender reacts on one of the following things:
- File is stored on my OneDrive
- It contains code for downloading from the web (json-data and images)
Only thing that I haven't made on my own is this code that I'm using: https://github.com/VBA-tools/VBA-JSON/blob/master/JsonConverter.bas
My guess is that Windows Defender reacts on the JsonConverter-code, the "Trojan:O97M/Foretype.A!ml" might be using a similar code.
回答3:
I have over the past few years experienced this issue on several other files with a similar set of conditions, the following methods help me resolve these issues:
Eliminate and Contact Vendors - Remove all sections of the offending file other than the VBA code, then systematically eliminate ALL code other than the code from the file until you have identified the specific section of code that is cause the anti-virus to flag your file. (Typically this section of code is very small) You can safely upload this logic to VirusTotal without sharing a large percentage of you files IP. This will then allow you to identify which vendor is incorrectly flagging your file. Reach out to them with the "minimized" version of your file, ask them to remove it from there database(typically takes a few days but they will do it).
Code Signing Certificates - I have had luck with some anti-virus vendors by digitally signing my files using a code signing SSL certificate. I know others haven't had any luck with that approach, my opinion is that it will differ by vendor, some respect it, others will not.
Obfuscation - My file was offered as a download on my website, because each user was clicking "download" before opening the file, I had a opportunity to modify each file being downloaded before the user opened the file. If your not electing for option 2, there is a lower quality option, that is, you have implement a simple version of obfuscation on top of each file that is downloaded, generating a "different" version of the file for each user that downloads it. It's a bit of a arms race, but I've had success with this method. The biggest advantage is that when your new file is flagged, there only flagging the obfuscated file, not the original file used to obfuscate, in many cases they won't pick up on a section of VBA that's covered in the original, i.e. only the file that was flagged will be detected, all other users are not affected.
Working Around the Problem - You can always go around the problem, where possible you can use different methods of storing your VBA, such as this sort of thing. I heavily abstract my methods into Async web calls, sheltering my business logic from the VBA code. Long term solution is to get around the issue by using VSTO and exiting the VBA environment permanently, thought there are certainly drawbacks to this approach.
来源:https://stackoverflow.com/questions/53213215/antivirus-false-positive-in-my-vba-excel-macro