The VBA Macro functionality within the CloudSOC console helps admins detect content with macros. However, not all macros are bad.
Many macros are necessary for critical business tasks. Consequently, listing every occurrence of macros can generate a lot of noise.
We are enhancing this capability to detect only malicious macros. The change is targeted for CloudSOC update 3.169.0, scheduled for mid-May 2024.
This new capability will leverage Symantec Enterprise Cloud’s centralized malware detection engine.
Current Behavior
You can enable “VBA Macros” detection from the CloudSOC Settings page.
For policies of type “Data Exposure via Securlets” and “Data Transfer via Gatelets”, you can configure detection of VBA Macros under the “Threat Protection” section.
VBA Macro details show up in Investigate:
Resolution
New Behavior
Going forward (after the code change targeted for the CloudSOC 3.169.0 update in May), any policy that has the “Malware” option selected will automatically scan for malicious macros.
The “VBA Macros” option will be removed from the Settings page as well as the Policy Configuration page.
The example below shows how Investigate will show the details when a malicious macro is detected.
Call to Action
For existing policies, if you have selected “VBA Macros” along with “Malware” and “Malicious URL”, you’ll no longer see “VBA Macros” in the “Threat Protection” section.
Configure new policies according to the new behavior.
If the policy has only “VBA Macros” selected, then that policy will be marked inactive.
Additional Information
This enhancement should help clients experience less noise in the number of VBA macros detected.