This dialog appears if the antivirus software on your machine notifies the Office application (such as Word, Excel, or PowerPoint) that Visual Basic for Applications (VBA) or Excel 4.0 (XLM) macros in a file have done something the antivirus software thinks is malicious.
Note: Excel 4.0 (XLM) macros are macros created in an old macro language and they only run in Excel. Although Excel for Microsoft 365 still runs XLM macros, we encourage you to migrate them to the latest version of Microsoft Visual Basic for Applications (VBA).
Macros automate frequently used tasks to save time on keystrokes and mouse actions. If you do the same action over and over again you can record those steps as a macro so that the macro can do those steps for you, saving you time.
Many were created by using Visual Basic for Applications (VBA) and are written by software developers. However, some macros can pose a potential security risk. Macros are often used by people with malicious intent to quietly install malware, such as a virus, on your computer or into your organization's network.
How did this happen?
The Antimalware Scan Interface (AMSI) feature is available in Windows starting with Windows 10. This feature allows applications (Like Word or PowerPoint) running on the system to pass information about the behavior of scripts or macros running in the application to antimalware services running on the machine that support the AMSI interface. The antivirus software then notifies Office if the pattern of actions appears harmful before Office runs the code.
If the antivirus software finds that macros are performing malicious actions, Office will tell you and then terminate the Office process without running the malicious instructions.
If you see this dialog...
It is likely that an open file was attempting to do something that your antivirus software thought was malicious.
If you feel an Office file is being improperly reported as malicious, you can move the file into a location that is part of the Trusted Locations feature in Office, add the current location of the file to Trusted Locations, or have the VBA macros in the document digitally code signed.
Note: Excel 4.0 (XLM) macros can't be signed.
If the file is still being reported as malicious after taking one of the actions in Step 2, you may have the setting for the Malware Runtime Scan feature set to validate all files regardless of trust. You can use Group Policy to configure when AMSI scanning is enabled (See below).
Settings for the Malware Runtime Scan Feature
By default, Office will enable Malware Runtime Scanning for VBA or XLM macros running in Office files.
There are two exceptions:
The file is opened from one of the Trusted Locations registered with the Office application. For more information see: Add, remove, or change a trusted location.
The file has VBA macros that are digitally code signed by a trusted signature provider. For more information see: Digitally sign your macro project.
This behavior can be controlled by the Group Policy setting Macro Runtime Scan Scope.
If your device is managed by your organization, you'll have to contact your IT administrator to make changes to this setting.
Protect against threats in Microsoft 365