This dialog appears if the antivirus software on your machine notifies the Office application that Visual Basic for Applications (VBA) or Excel 4.0 (XLM) macros in a file have taken actions that the antivirus software determines are malicious.
Note: Excel 4.0 (XLM) macros are macros created in an old macro language and they only run in Excel. Although Excel for Microsoft 365 still runs XLM macros, we encourage you to migrate them to the latest version of Microsoft Visual Basic for Applications (VBA).
AMSI integration with Office
The Antimalware Scan Interface (AMSI) feature is available in Windows starting with Windows 10. This feature allows applications running on the system to pass information about the behavior of scripts or macros running in the application to antimalware services running on the machine that support the AMSI interface. The antivirus software then notifies Office if the pattern of actions appears harmful before Office runs the code.
If the antivirus software indicates that macros are performing malicious actions, Office will display this and then terminate the Office process without running the malicious instructions.
If you see this dialog...
It is likely that an open file was attempting to execute code that matched patterns of behavior that your antivirus software deemed malicious.
If you feel an Office file is being improperly reported as malicious, you can move the file into a location that is part of the Trusted Locations feature in Office, add the current location of the file to Trusted Locations, or have the VBA macros in the document digitally code signed.
Note: XLM macros can't be signed.
If the file is still being reported as malicious after taking one of the actions in Step 2, you may have the setting for the Malware Runtime Scan feature set to validate all files regardless of trust. You can use Group Policy to configure when AMSI scanning is enabled (See below).
Settings for the Malware Runtime Scan Feature
By default, Office will enable Malware Runtime Scanning for VBA or XLM macros running in Office files.
There are two exceptions:
The file is opened from one of the Trusted Locations registered with the Office application. For more information see: Add, remove, or change a trusted location.
The file has VBA macros that are digitally code signed by a trusted signature provider. For more information see: Digitally sign your macro project.
This behavior can be controlled by the Group Policy setting Macro Runtime Scan Scope.
If you're in an enterprise environment, you will have to contact your IT administrator to make changes to this setting.