I just ran into an even more annoying problem. Suddenly Windows Defender started to flag one of my Excel files containing VBA macro code (on download from a browser) as being a virus. The specific virus being logged is:
Googling it reveals the following information:
Great, so once Windows Defender detects it, it basically shreds the file, and when you attempt to open it, Excel claims the file has "been corrupted". I would love to post my VBA file to http://www.virustotal.com; however, it contains tons of proprietary VBA code that cannot be shared with the wider community. I wonder if there's a website that accomplishes the same thing with different terms and conditions?
This has only started recently and has only affected a few users/clients. I'm not sure of the distribution of clients who have this installed and what versions of Windows Defender they are running. I'm worried the impact of this will increase until a large number of our clients are affected. Even more troubling, often clients can download one version without issue, but when they download the file (identical VBA code) from a different source they encounter the issue. Could the download source affect the file's likelihood of being flagged?
Main Question
What causes an Excel VBA file to be flagged as an "O97M" virus and how do I prevent it from being flagged?
Related Concerns
Should I sign my VBA macros? Would that affect the virus detection likelihood?
Are there other common practices that I could change that would affect the likelihood of false positives?
What is a "Trojan:O97M/Foretype.A!ml" exactly? The Windows page contains so little information it might as well not exist. Symantec is also pretty unhelpful. (Maybe I'm massively uninformed here.) Is there a centralized repository for virus detection? I would imagine that people may not want to share that and it may differ by product, but I'd be interested in any information pertaining to this...
External Libraries
I'm also using the following external code:
I'm also using the following Windows functions:
Public Declare PtrSafe Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As LongPtr
Public Declare PtrSafe Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As LongPtr, ByVal nIndex As Long) As LongPtr
Public Declare PtrSafe Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As LongPtr, ByVal nIndex As Long, ByVal dwNewLong As LongPtr) As LongPtr
Public Declare PtrSafe Function GetWindowRect Lib "user32" (ByVal hWnd As LongPtr, lpRect As RECT) As LongPtr
Public Declare PtrSafe Function SetWindowPos Lib "user32" (ByVal hWnd As LongPtr, ByVal hWndInsertAfter As LongPtr, ByVal x As Long, ByVal y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As LongPtr ' hWndInsertAfter is a window handle, so it is pointer-sized
Public Declare PtrSafe Function SetParent Lib "user32.dll" (ByVal hWndChild As LongPtr, ByVal hWndNewParent As LongPtr) As LongPtr
Public Declare PtrSafe Function SetForegroundWindow Lib "user32" (ByVal hWnd As LongPtr) As LongPtr
Public Declare PtrSafe Function GetDeviceCaps Lib "gdi32.dll" (ByVal hdc As LongPtr, ByVal nIndex As LongPtr) As LongPtr
Public Declare PtrSafe Function GetDC Lib "user32.dll" (ByVal hWnd As LongPtr) As LongPtr
Public Declare PtrSafe Function ReleaseDC Lib "user32.dll" (ByVal hWnd As LongPtr, ByVal hdc As LongPtr) As LongPtr
Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Public Declare PtrSafe Function SetLastError Lib "kernel32.dll" (ByVal dwErrCode As Long) As Long
Public Declare PtrSafe Function GetActiveWindow Lib "user32.dll" () As LongPtr ' returns a window handle, which is pointer-sized on 64-bit Office
Public Declare PtrSafe Function DrawMenuBar Lib "user32" (ByVal hWnd As LongPtr) As Long
We reached out to Microsoft and they replied with the following message (not copyable as text for some reason):
So I guess this was the JSON VBA logic, and I guess it was resolved (I haven't seen this reoccur), though it's really hard to say.