excel - 我的 VBA Excel 宏中的防病毒误报

Question

我刚碰到一个even more annoying problem .突然，Windows Defender 开始将我的一个包含 VBA 宏代码(从浏览器下载)的 excel 文件标记为病毒。被记录的特定病毒是:

Trojan:O97M/Foretype.A!ml

谷歌搜索它会显示以下信息:

O97M.Downloader is a generic detection for Microsoft Office macros that download other threats. They are usually contained in other Microsoft Office documents and may arrive on the compromised computer through attachments or after being downloaded from a website.

太好了，所以一旦 Windows Defender 检测到它，它基本上会粉碎文件，当您尝试打开它时，excel 会声称文件“已损坏”。我很想将我的 VBA 文件发布到 http://www.virustotal.com但是它包含大量无法与更广泛的社区共享的专有 VBA 代码。我想知道是否有一个网站可以用不同的条款和条件完成同样的事情？

这只是最近才开始，只影响了少数用户/客户。我不确定安装了这个的客户端的分布以及他们运行的是什么版本的 Windows Defender。我担心这种影响会增加，直到我们的大量客户受到影响。更麻烦的是，客户通常可以毫无问题地下载一个版本，但是当他们从不同的来源下载文件(相同的 VBA 代码)时遇到问题，下载源会影响文件被标记的可能性吗？

主要问题

是什么导致 excel VBA 文件被标记为“O97M”病毒，如何防止它被标记？

相关问题

应该 I sign my VBA Macro's ，这会影响病毒检测的可能性吗？

它们是我可以改变的其他常见做法，会影响误报的可能性吗？

究竟什么是“Trojan:O97M/Foretype.A!ml”？窗口页面包含的信息太少，它可能不存在，赛门铁克也非常无助，(也许我在这里非常不了解)是否有用于病毒检测的集中存储库？我想人们可能不想分享它，而且我的产品因产品而异，但我会对与此相关的任何信息感兴趣......

外部库

我还使用以下外部代码:

https://gist.github.com/brucemcpherson/3414365/

https://www.thespreadsheetguru.com/the-code-vault/2014/4/23/loop-through-all-excel-files-in-a-given-folder

How to use VBA SaveAs without closing calling workbook?

我还使用以下窗口函数:

Public Declare PtrSafe Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As LongPtr
Public Declare PtrSafe Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As LongPtr, ByVal nIndex As Long) As LongPtr
Public Declare PtrSafe Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As LongPtr, ByVal nIndex As Long, ByVal dwNewLong As LongPtr) As LongPtr
Public Declare PtrSafe Function GetWindowRect Lib "user32" (ByVal hWnd As LongPtr, lpRect As RECT) As LongPtr
Public Declare PtrSafe Function SetWindowPos Lib "user32" (ByVal hWnd As LongPtr, ByVal hWndInsertAfter As Long, ByVal x As Long, ByVal y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As LongPtr
Public Declare PtrSafe Function SetParent Lib "user32.dll" (ByVal hWndChild As LongPtr, ByVal hWndNewParent As LongPtr) As LongPtr
Public Declare PtrSafe Function SetForegroundWindow Lib "user32" (ByVal hWnd As LongPtr) As LongPtr
Public Declare PtrSafe Function GetDeviceCaps Lib "gdi32.dll" (ByVal hdc As LongPtr, ByVal nIndex As LongPtr) As LongPtr
Public Declare PtrSafe Function GetDC Lib "user32.dll" (ByVal hWnd As LongPtr) As LongPtr
Public Declare PtrSafe Function ReleaseDC Lib "user32.dll" (ByVal hWnd As LongPtr, ByVal hdc As LongPtr) As LongPtr
Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Public Declare PtrSafe Function SetLastError Lib "kernel32.dll" (ByVal dwErrCode As Long) As Long
Public Declare PtrSafe Function GetActiveWindow Lib "user32.dll" () As Long
Public Declare PtrSafe Function DrawMenuBar Lib "user32" (ByVal hWnd As LongPtr) As Long

Answer 1

We reached out to Microsoft他们回复了以下消息(由于某种原因无法在文本中复制):



所以我猜这是 JSON VBA 逻辑，我猜它已经解决了(我还没有看到这种情况再次发生)，虽然这真的很难说。