Traps Child Process Protection for Individual Excel Document


Hello All,


Some business processes may utilize Excel documents with embedded macros which launch external applications, which are suspicious, but are later found to be part of a business process. Rather than whitelisting Excel.exe (pretty broad exception) to be able to execute these processes, is there a way to get an exception for just a specific Excel document? Of course this is given that the document can be singled out by name.






Hello @BPry ,


So I tried adding a file to the whitelist for the Malware profile under "Examine Office Files with Macros". This allows the file to open, but as I suspected, a "suspicious process creation" event is still triggered when the macro is run. This is because in this scenario Excel.exe is starting a child process of schtasks.exe.


You are correct though in your statement about if that doesn't work, you can put it in the "Malware Profile" and allow Excel.exe to launch something like schtasks.exe with very specific parameters. In the end, it would be allowing Excel.exe as a whole to perform a very specific task, which isn't all that bad. As an example, I've attached a screenshot of the exception I made for a fictional Excel file I created with a macro to set a scheduled task.




Wildcards can be used in the Command Line Params as well.
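As an added illustration (not Traps code and not from the post above), the following Python model shows how an exception of the kind described behaves: a child-process event from an Office parent is allowed only when the parent, the child and the full command line all match an exception, and the wildcard is confined to the part of the command line that legitimately varies. The executable paths, task names and events are constructed for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ntpath import basename

# Office parents whose child-process launches are suspicious unless excepted.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process
    child_image: str    # full path of the child being created
    command_line: str   # full command line of the child

@dataclass(frozen=True)
class ChildProcessException:
    parent: str           # e.g. "Excel.exe"
    child: str            # e.g. "schtasks.exe"
    cmdline_pattern: str  # '*' and '?' act as wildcards in the command-line params

def _name(image: str) -> str:
    # Windows image names are case-insensitive; compare lowercased basenames.
    return basename(image).lower()

def evaluate(event: ProcessEvent, exceptions: list[ChildProcessException]) -> str:
    """Classify one process-creation event as 'ignored', 'allowed' or 'suspicious'."""
    parent, child = _name(event.parent_image), _name(event.child_image)
    if parent not in OFFICE_PARENTS:
        return "ignored"  # the protection only watches Office parents
    for exc in exceptions:
        if (_name(exc.parent), _name(exc.child)) == (parent, child) and fnmatchcase(
                event.command_line.lower(), exc.cmdline_pattern.lower()):
            return "allowed"
    return "suspicious"

# Hypothetical exception: Excel may create only the "FinanceReport" task; the
# wildcard covers just the file name so the exception stays narrow.
EXCEPTIONS = [ChildProcessException("Excel.exe", "schtasks.exe",
    r'schtasks.exe /create /tn "FinanceReport" /tr "C:\Reports\*" /sc daily')]
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"

# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = {
    "business_macro": ProcessEvent(EXCEL, SCHTASKS,
        r'schtasks.exe /create /tn "FinanceReport" /tr "C:\Reports\export.exe" /sc daily'),
    "other_task": ProcessEvent(EXCEL, SCHTASKS,
        r'schtasks.exe /create /tn "Updater" /tr "C:\Users\Public\run.exe" /sc onlogon'),
    "shell_from_excel": ProcessEvent(EXCEL, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    "not_office": ProcessEvent(r"C:\Windows\explorer.exe", SCHTASKS, "schtasks.exe /query"),
}

def classify_samples() -> dict[str, str]:
    """Run every constructed event through the policy and return the verdicts."""
    return {name: evaluate(ev, EXCEPTIONS) for name, ev in SAMPLE_EVENTS.items()}
```

Only the event whose task name and target directory match the exception is allowed; the same parent and child with different parameters still raises the suspicious-process verdict.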





