Forum Discussion

Koen Van de Loock's avatar
Koen Van de Loock
Brass Contributor
Feb 04, 2022

ASR Rule - Block Win32 API Calls from Office Macro

What does this ASR rule really do ?
This question because we see that not only Win32 API Calls are blocked but also x64.
During tests, we used an Excel 64-bit with VBA-code.

First test was VBA-code written in 32-bit.
As example: 
Private Declare Function GetTimeZoneInformation Lib "kernel32" ( _
lpTimeZoneInformation As TIME_ZONE_INFORMATION) As Long

2nd test was same VBA-code but written in 64-bit.
As example:
Private Declare PtrSafe Function GetTimeZoneInformation Lib "Kernel32" ( _
lpTimeZoneInformation As TIME_ZONE_INFORMATION) As LongPtr

 

Both are given the same result.
We can't open the excel.
It is given the message 'Excel cannot access file.xlsm. The document may be read-only or encrypted.'

If we change the ASR rule from Blocked to Not Configured. XLSM is perfectly going open.

  • nacho_ar's avatar
    nacho_ar
    Copper Contributor

    'Win32 API Calls' actually refers to just Windows API calls, no matter if 32 or 64 bits.

    This ASR rule blocks some API calls, MS does not tell which.

    We were able to identify macros calling APIs by looking for code like 'Declare*Function * lib ' and treat them as potencially being blocked in the future.

    Putting the macros in a trusted folder or digitally signing them allows Excel to open the files, but any work done can't be saved as it triggers the rule again, even if the VBA code was not modified. (Apparently the temp file created by excel during save is blocked by the rule)

  • nbaker_2111's avatar
    nbaker_2111
    Copper Contributor

    Koen Van de Loock We're encountering this same issue well.
    I've had to turn the rule off because I figure out what i needed to exclude to get it working again correctly. 

    Have you had any luck with this? 

Resources