Forum Discussion
Reporting when macro-enabled documents are opened
Hi there, We need to log/report when any macro-enabled document in our environment is opened (whether it be located on a file server, Nutanix Files, eDocs or OneDrive). We hoped that the Microso...
- Hi Alex,
We're looking for a solution that'll alert us when a macro-enabled document is run (detailing the user, hostname, filename and location), although the alert doesn't need to be instantaneous. We use Splunk to collect data every day from the event logs of every Windows machine within the environment, so if an event is logged when a macro is run, we would pick that up.
Cheers,
PaulHi Paul,
the next question is: why do you want to collect the data? Do you want to find out about every macro in your company or do you want to find out about the usage of the macros?
If you would like to find out about all macros, then digital signatures plus a signing portal would be the way to go. This would also increase the security.
My company developed an eco system of different tools to deal with VBA macros. You can analyze and sign them and gather information about every macro.
The other way would be to utilize the IOfficeAntivirus or the AMSI interface to get the information you want. IOfficeAntivirus is quite old and is called by Windows Defender or - with some registry settings -by most of the Office applications when a File ist opened. There you could check if there is a macro in the file. AMSI is newer and I really do not know if Office also calls this interface when a file ist opened.
Both depend on the old COM technology, so I do not know if this also runs in the Mac world. But if you just have Windows machines, this would be the way I would go.
Cheers
Alex
