Malicious macros were found

This dialog appears if the antivirus software on your machine notifies the Office application that Visual Basic for Applications (VBA) macros in a document have taken actions that the antivirus software determines are malicious.

AMSI Integration With Office

The Antimalware Scan Interface (AMSI) feature is available in Windows starting with Windows 10. This feature allows applications running on the system to pass information about the behavior of scripts running in the application to antimalware services running on the machine that support the AMSI interface. The antivirus software then notifies Office if the pattern of actions appears harmful before Office executes the macro code.

If the antivirus software indicates that macros are performing malicious actions, Office will display this dialog to the user, and then terminate the Office process without executing the malicious instruction to ensure the user remains safe.

If you see this dialog...

  1. It is likely that an open file was attempting to execute code that matched patterns of behavior that your antivirus software deemed malicious.

  2. If you feel an Office file is being improperly reported as malicious, you can move the file into a location that is part of the Trusted Locations feature in Office, add the current location of the file to Trusted Locations, or have the VBA macros in the document digitally code signed.  For more information see: Add, remove, or change a trusted location.

  3. If the document is still being reported as malicious after taking one of the actions in Step 2, you may have the setting for the Malware Runtime Scan feature set to validate all documents regardless of trust. You can configure AMSI to Scan with exclusions in Group Policy. See below for information about using Group Policy to manage this feature.

Settings for the Malware Runtime Scan Feature

By default, Office will enable Malware Runtime Scanning for VBA macros running in documents.

The exception is for documents that have full trust via one of the following methods:

This behavior can be controlled by Group Policy. In the Group Policy Editor go to the Microsoft Office 2016 template and under Security Settings you should find Scan VBA macros at runtime.  

If you are in an enterprise environment, you will have to contact your Administrator to make changes to this setting.  

See Also

Protect against threats in Microsoft 365

How malware can infect your PC

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.