Strategies for the Prevention and Containment of Macro Viruses

The following provides a guide for the most effective way of avoiding an outbreak of macro virus infection. Macro virus control will be discussed in terms of the following objectives:

  • Preparation
  • Prevention
  • Detection
  • Containment
  • Recovery
Before we begin, we need to be in agreement as to exactly what constitutes a macro virus, so here is our definition. A macro virus is a virus written in one of the many macro languages. The macro viruses spread via infected files which can be documents, spreadsheets, databases or any computer program that allows the use of any of the macro languages.


Preparation strategies involve education, awareness, formation of a team for the purpose of creating prevention policies, selection of anti-virus software, and a fail-safe plan in the event that an unknown macro virus surfaces.


All staff members should be aware of the macro virus risk. Then, depending on the philosophy of the corporation, the education process should intensify to enable those who need increased knowledge (such as a help desk, system administrator, etc.) to understand and cope with this threat. Educate everyone regarding the importance of using anti-virus tools such as Command AntiVirus with F-PROT Professional®. Continuously update employees with the latest information regarding macro viruses and the latest update for the anti-virus program.


As a result of a well planned education program, there will be an increased awareness of ways to avoid infection. An alertness for macro (viral) type behavior will become evident. Promote this by providing incentives to those staff members who identify potential dangers existing in their areas.

Form a Team:

Whether you opt for a team or simply an individual, it is absolutely essential to have a methodology in place prior to a virus crisis. The team then needs to formulate specifics for:

  1. Designing the policy to work with Command AntiVirus.
  2. Designating key individuals who will handle the virus incident.
  3. Instruction, at all levels, for the procedures to follow if a virus is reported; i.e. what the user needs to do, what the system administrator needs to do, who is informed etc.
  4. Setting up the education process.
  5. Outline a plan for action in the event of an virus epidemic. Think of this as a "Fire Drill".
  6. Incorporate a review process to allow these policies to grow and change to fit the company and new technology.


Create Prevention Policies:

We suggest the following measures be implemented and, even though they may be inconvenient at times, make a commitment to stick to them.


Be sure education is an ongoing practice.

Daily Backups

Try a method of rotating tapes so that if a virus is not detected immediately, there is a good copy of files prior to the infection.

Stopping the source

Through policy and by utilizing AV tools.

  1. Consider the possibility of infection brought in via disks that travel to and from employees' homes. Is this something you want to disallow? Perhaps you need to assure that any disk brought, either out or in, to the facility is scanned.
  2. Consider the possibility of infection by employees downloading files from unknown sources, including the Internet or a BBS. Should access to these be controlled?
  3. Consider the possibility of remote users attaching to the network and causing an infection.
  4. Consider interoffice disk sharing. Do employees hand disks to one another and should this practice be restricted?
  5. Infection can come from files attached to e-mail. E-mail from the Internet can be checked with a product such as m@ilCOMMAND.
  6. Inadvertent spread of infection via inter-departmental exchanges. Consider using something such as Word Viewer, which is not capable of using macros, for viewing and printing Word documents. Consider using a format, e.g. text or .rtf, that cannot carry macros.
  7. Intentional sabotage. Track all incidence of infection to its source and keep real-time virus protection active. Scan for viruses daily and tighten security.Eliminate any apprehension on the part of employees for reporting either real or suspected viruses.Scan, scan, scan. Even software that is purchased and packaged could be infected. Ascertain that your hardware (workstations, memory, processor power, servers) will adequately support the AV software you have selected. Think about what or where is the "weakest link in the chain" in your company and strengthen it.


The primary way to insure detection is to use a multi-level approach. Be sure you have an anti-virus product, such as Command AntiVirus, which is top rated in virus detection. Two independent sources for rating AV products are the ICSA (International Computer Security Association, formerly National Computer Security Association) and Virus Bulletin.

Be sure that product is updated as soon as updates become available. Run scans on all hard drives, servers and workstations daily.Keep real-time (a scanner that runs in memory and is capable of automatically scanning files and disks on access) protection active.Have a method of checking incoming and outgoing e-mail.

Be sure your method of detection is automated. Relying on users to run software on their own is likely to fail. An integrity checker may be necessary for high security environments. Also, you may want to consider hardware solutions as part of the strategy.

Be aware of virus-like symptoms. For example, if a document cannot be saved except as a template, you may have a macro virus. Or, in Microsoft Word or Excel, if you look at Tools/Macro… from the menu bar, and there are items you did not enter, you may have a macro virus.

Once a virus is detected, the response must be quick and thorough. Automating this process can be done by using the product's ability to quarantine viruses or disinfect them. You should also have the ability to notify the system administrator (or whoever is in charge of virus incidents) immediately.


Containment can be accomplished in many ways. If you approach the problem methodically and do not panic, you will be able to resolve the problem with the least amount of damage to files. If you need help, make certain you have your software vendors emergency support numbers available.

Remember, Command AntiVirus will disinfect most macro viruses. Make sure you are using the latest version.Think of quarantining an area. The infected computer should be isolated until it is disinfected. Remove it from the network. You can turn it off if necessary while waiting for help.

If possible, question the user as to the identity of anyone who has been sent e-mail, what e-mail has been received, were any files downloaded (or uploaded) and the location. Find out the floppy disks that have been used in the infected computer. The point here is to stop the source and prevent the spread. It may be necessary to quarantine more than one computer.

Alert all necessary personnel of the incident. It is critical to determine if the infection has spread and, if so, just how widespread it actually is.


Run Command AntiVirus on the infected system. Disinfect and run it again just to be sure the system is clean. If for some reason the files cannot be disinfected, they can always be saved in a format that does not use macros, for instance, text. The content can then be obtained using a text editor (Notepad, WordPad, DOS edit), and then the original files deleted.Restore backups of files if necessary. If all else fails, you can send the infected file to Command Software Systems, Inc. for analysis.

Virus Databases Virus Links
Virus Research Security









Command Software, Inc. Command Software Systems, Inc.
1061 East Indiantown Road · Suite 500
Jupiter · FL   33477
Phone: (561) 575-3200