On Tue, 6 Sep 2016 16:12:36 -0500 (CDT)
David B Funk <dbf...@engineering.uiowa.edu> wrote:
> What is 'acceptable' to you? Unless you find some magical prescient
> anti-virus that can accurately predict all possible macro viruses
> with out FPs I don't know what else can be done.
Almost all of the macro viruses I've seen have made use of one of the
following special BASIC subroutine names:
Workbook_Open
Document_Open
Auto_Open
AutoOpen
If one of those subroutines is defined, it's far more suspicious than
just a regular macro-laden document. Blocking or quarantining those
will have a pretty low (though still, alas, non-zero) FP rate. And
I'm not implying that a macro virus *has* to use one of those
routines. It's just that most do because they allow execution of code
with no user-interaction beyond opening the document.
Regards,
Dianne.
