Forum Discussion
EICAR file not detected automatically in Azure VM
Thanks for your reply, really appreciated. We have noticed a different behavior with the below testing, and it is ruling out our understanding of the policy change.
Case1:
I have created a text file manually and copied the EICAR test file virus content and saved the file. MS defender identified the threat.
Case2:
The earlier reported issue is for the "eicar_word_macro_cmd_echo.doc" file format. MS Defender did not identify the threat in this file, hence we raised a help request in the forum.
Today I opened the file on the server, the "Enable Macro content" message popped up and I ran the macro. Now MS Defender identified the threat. By default, the "Disable all Macro" setting is enabled for Word files on our server.
This concludes that MS Defender is unable to identify the threat until the macro executes. Correct us if I am wrong.
Why is MS Defender unable to identify the threat in a macro file? Are any settings needed to be enabled for MS Defender to identify a threat in a macro?
Regards,
Alagumuthu
Hi Alagumuthu,
you are correct, similar to many antivirus solutions, Microsoft Defender may not detect a threat within a macro until the macro is executed.
This is due to macros often containing legitimate code, and it's the actions performed during execution that may turn out to be malicious.
In the scenario you described with the EICAR test file virus content, Microsoft Defender did not initially detect it in the Word document because the macro was disabled. Once the macro was enabled and executed, Microsoft Defender successfully identified the threat.
To increase security, Microsoft has a default setting blocking macros from running in Office applications for files downloaded from the internet. Users receive a warning message when attempting to open such files, and they have the option to enable macros if necessary. However, users should be cautious about the security implications of enabling macros.
For better macro threat detection, you may need to adjust your Microsoft Defender settings or consider additional security measures. Microsoft Defender for Office 365, for instance, provides enhanced security against potentially harmful macros.
Protect yourself from macro viruses - Microsoft Support
Macros from the internet are blocked by default in Office - Deploy Office | Microsoft Learn
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
Alagumuthu, Jan 12, 2024, Copper Contributor
Hi Leon Pavesic,
Thanks for your update. Can you help us with the link: what settings have to be changed in MS Defender in order to detect macro or cmd based virus files?
Regards,
Alagumuthu
Leon Pavesic, Jan 12, 2024, Silver Contributor
Hi Alagumuthu,
thanks for the update.
regarding your question, here are some helpful resources:
Protect yourself from macro viruses - Microsoft Support: This page explains how Microsoft 365 handles active content like macros and mentions that Microsoft Defender Antivirus should detect and block known macro viruses.
Configure scanning options for Microsoft Defender Antivirus | Microsoft Learn: This resource provides information on configuring scanning options for Microsoft Defender Antivirus.
Configure exclusions for files opened by specific processes | Microsoft Learn: Learn how to configure exclusions for files opened by specific processes to tailor Microsoft Defender's behavior.
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
Alagumuthu, Jan 16, 2024, Copper Contributor
Hi,
Thanks a lot for the reply. Sorry again to disturb you. Our client tested with the below malicious file but again MS Defender didn't find the threat.
https://blog.didierstevens.com/2015/08/28/test-file-pdf-with-embedded-doc-dropping-eicar/
My understanding is that the below tested file is also the same as a macro file, and enabling the setting for macros should enable detection for the below file.
The PDF file contains JavaScript that extracts and opens the DOC file (with user approval). The DOC file contains a VBA script that executes upon opening of the file and writes the EICAR test file to a temporary file in the %TEMP% folder. This is the same as macro code execution, and the finding we provided from the Microsoft website is applicable to the same files.
Regards,
Alagumuthu
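A defender-side check for the situation discussed in this thread, added here as an example and not part of any post above: it audits the Defender Antivirus settings that govern whether a macro-written file or running script is inspected, lists exclusions that would silently skip %TEMP%, and then reproduces only the final step of the test file described (a plain EICAR string written to %TEMP%) to confirm on-write detection works independently of the PDF/DOC chain. Assumed: an elevated PowerShell session on the Azure VM with the built-in Defender cmdlets available; the file name is made up.

```powershell
# Added example: verify Defender AV's on-write and script protection on this VM.
# 1. Engine state. Real-time, behaviour monitoring and script (AMSI) scanning must be on,
#    otherwise nothing inspects a macro while it runs or a file the macro drops.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    BehaviorMonitor    = $status.BehaviorMonitorEnabled
    OnAccessProtection = $status.OnAccessProtectionEnabled
    IOAVProtection     = $status.IoavProtectionEnabled
    ScriptScanning     = -not $pref.DisableScriptScanning
    CloudMAPS          = $pref.MAPSReporting          # 0 = off, 1 = basic, 2 = advanced
    SignatureVersion   = $status.AntivirusSignatureVersion
    SignatureUpdated   = $status.AntivirusSignatureLastUpdated
} | Format-List

# 2. Exclusions are the most common reason a dropped file is never scanned. %TEMP% or
#    winword.exe appearing here would explain a miss without any engine fault.
"Path exclusions:    " + ($pref.ExclusionPath    -join ', ')
"Process exclusions: " + ($pref.ExclusionProcess -join ', ')

# 3. Reproduce the final action of the VBA script from the thread: write the public,
#    harmless EICAR test string into %TEMP%. Single quotes keep $ from expanding.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$path  = Join-Path $env:TEMP 'eicar-drop-test.com'   # constructed file name
$stillPresent = $null
try {
    [System.IO.File]::WriteAllText($path, $eicar)
    Start-Sleep -Seconds 5                             # give real-time protection a moment
    $stillPresent = Test-Path $path
} catch {
    $stillPresent = $false                             # the write itself was blocked
}

# 4. Ask Defender what it recorded in the last few minutes.
$recent = Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddMinutes(-5) }
"EICAR file still present after write: $stillPresent"
$recent | Select-Object InitialDetectionTime, ProcessName, ActionSuccess, Resources | Format-List
```

If step 4 shows the detection and the file is gone, on-write protection is sound (matching Case 1 in the thread) and the gap lies in how the document container or its macro is inspected before execution; if the file survives with no detection, check the settings and exclusions printed in steps 1 and 2 first.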