This dialog appears if the antivirus software on your machine notifies the Office application (such as Word, Excel, or PowerPoint) that Visual Basic for Applications (VBA) or Excel 4.0 (XLM) macros in a file have done something the antivirus software thinks is malicious.

Note: Excel 4.0 (XLM) macros are macros created in an old macro language and they only run in Excel. Although Excel for Microsoft 365 still runs XLM macros, we encourage you to migrate them to the latest version of Microsoft Visual Basic for Applications (VBA).

Macros automate frequently used tasks to save time on keystrokes and mouse actions. If you do the same action over and over again you can record those steps as a macro so that the macro can do those steps for you, saving you time.

Many were created by using Visual Basic for Applications (VBA) and are written by software developers. However, some macros can pose a potential security risk. Macros are often used by people with malicious intent to quietly install malware, such as a virus, on your computer or into your organization's network.

AMSI integration with Office

The Antimalware Scan Interface (AMSI) feature is available in Windows starting with Windows 10. This feature allows applications running on the system to pass information about the behavior of scripts or macros running in the application to antimalware services running on the machine that support the AMSI interface. The antivirus software then notifies Office if the pattern of actions appears harmful before Office runs the code.

If the antivirus software finds that macros are performing malicious actions, Office will tell you and then terminate the Office process without running the malicious instructions.

If you see this dialog...

  1. It is likely that an open file was attempting to execute code that matched patterns of behavior that your antivirus software deemed malicious.

  2. If you feel an Office file is being improperly reported as malicious, you can move the file into a location that is part of the Trusted Locations feature in Office, add the current location of the file to Trusted Locations, or have the VBA macros in the document digitally code signed

    Note: Excel 4.0 (XLM) macros can't be signed.

  3. If the file is still being reported as malicious after taking one of the actions in Step 2, you may have the setting for the Malware Runtime Scan feature set to validate all files regardless of trust. You can use Group Policy to configure when AMSI scanning is enabled (See below).

Settings for the Malware Runtime Scan Feature

By default, Office will enable Malware Runtime Scanning for VBA or XLM macros running in Office files.

There are two exceptions:

This behavior can be controlled by the Group Policy setting Macro Runtime Scan Scope.

If your device is managed by your organization, you'll have to contact your IT administrator to make changes to this setting.  

See Also

Protect against threats in Microsoft 365

How malware can infect your PC

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Office Insiders

Was this information helpful?

What affected your experience?

Thank you for your feedback!

×