Malicious macros were found

This dialog appears if the antivirus software on your machine notifies the Office application that Visual Basic for Applications (VBA) or Excel 4.0 (XLM) macros in a file have taken actions that the antivirus software determines are malicious.

Note: Excel 4.0 (XLM) macros are macros created in an old macro language and they only run in Excel. Although Excel for Microsoft 365 still runs XLM macros, we encourage you to migrate them to the latest version of Microsoft Visual Basic for Applications (VBA).

AMSI integration with Office

The Antimalware Scan Interface (AMSI) feature is available in Windows starting with Windows 10. This feature allows applications running on the system to pass information about the behavior of scripts or macros running in the application to antimalware services running on the machine that support the AMSI interface. The antivirus software then notifies Office if the pattern of actions appears harmful before Office runs the code.

If the antivirus software indicates that macros are performing malicious actions, Office will display this and then terminate the Office process without running the malicious instructions.

If you see this dialog...

  1. It is likely that an open file was attempting to execute code that matched patterns of behavior that your antivirus software deemed malicious.

  2. If you feel an Office file is being improperly reported as malicious, you can move the file into a location that is part of the Trusted Locations feature in Office, add the current location of the file to Trusted Locations, or have the VBA macros in the document digitally code signed

    Note: XLM macros can't be signed.

  3. If the file is still being reported as malicious after taking one of the actions in Step 2, you may have the setting for the Malware Runtime Scan feature set to validate all files regardless of trust. You can use Group Policy to configure when AMSI scanning is enabled (See below).

Settings for the Malware Runtime Scan Feature

By default, Office will enable Malware Runtime Scanning for VBA or XLM macros running in Office files.

There are two exceptions:

This behavior can be controlled by the Group Policy setting Macro Runtime Scan Scope.

If you're in an enterprise environment, you will have to contact your IT administrator to make changes to this setting.  

See Also

Protect against threats in Microsoft 365

How malware can infect your PC

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

Thank you for your feedback!