M365 Changelog: Antimalware Scan Interface (AMSI) to include runtime inspection of Excel 4.0 macros (XLM)

MC231204 – Antimalware Scan Interface (AMSI) integration with Office is expanding to include runtime inspection of Excel 4.0 (XLM) macros, an addition to existing support for Visual Basic for Applications (VBA). The existing default behavior for runtime inspection of VBA macros will also apply to XLM macros, providing an additional layer of security for users with Excel for Desktop on Windows.

Key points

  • Timing: Monthly Enterprise Channel, February 2021
  • Roll-out:  tenant level
  • Control type: admin control 
  • Action: review and assess by January 31, 2021

How this will affect your organization

AMSI is an open interface available on Windows 10 for applications to request, at runtime, a synchronous scan of a memory buffer by an installed antivirus or security solution.

When AMSI detects malicious activity, Excel first notifies the user and then terminates the application session. This intervention can stop an attack in its tracks.

In its default configuration, AMSI scans macros at runtime except in these scenarios:

When this feature is enabled, affected macro runtime performance may be affected.

What you need to do to prepare

AMSI integration is on by default in the Monthly Enterprise Channel for Excel and other Office 365 client applications.

The group policy setting Macro Runtime Scan Scope specifies which documents the VBA and XLM Runtime Scan will inspect.

  • Configure the Macro Runtime Scan Scope policy by January 31, 2021 if you wish to deviate from the default settings.
  • If you choose to change the settings or disable, that policy setting will affect both VBA and XLM macros.

Learn more