Hello,
Is it possible to log or block if a user tries to run any VBA macro in Office applications?
Regards.
Added tags
[edited by: Gladys at 6:13 AM (GMT -8) on 6 Dec 2023]
Thank you for reaching out to the community forum.
By default, this action is already set to block, so wherever a user tries to run a VBA macro on their devices, our Intercept X will immediately block this via lockdown exploit detection, provided that you did not add any exclusion for lockdown exploit on your threat policy for VBA Macros.
Once detection has been triggered, the user(s) who ran this will be registered on the central dashboard, along with the device used to run it.
To further explain about lockdown exploits, you may refer to this KBA. https://support.sophos.com/support/s/article/KB-000039176?language=en_US
Hello,
I didn't add any exclusion, but users can still run VBA code of their own, not downloaded from the internet.
Thank you for your response.
Was the endpoint software working properly on the device where you suspected the VBA macros are being run?
If yes, this might be a potential false negative detection, and we need your help to raise this with our Labs team.
But if not, and the endpoint software on the device is not in a healthy state, then you need to fix the device's health status first and observe if they can still run the VBA macros without getting detected by our software.
Hello,
Endpoint protection seems to be working fine, as it says "Device is protected".
Should I create a ticket then?
Yes. By any chance, do you have the VBS macro script in your possession? This is one of the most important pieces of data we need, as we need you to replicate the scenario first while running process monitoring and then collect the PML logs.
Once done, collect SDU logs on the system, then attach them to the case you've created for our team to review.
Also, you can share the case ID for us to monitor its status.