Malicious macros were found

This dialog appears if the antivirus software on your machine notifies the Office application that Visual Basic for Applications (VBA) macros in a document have taken actions that the antivirus software determines are malicious.

AMSI Integration With Office

The Antimalware Scan Interface (AMSI) feature is available in Windows starting with Windows 10. This feature allows applications running on the system to pass information about the behavior of scripts running in the application to antimalware services running on the machine that support the AMSI interface. The antivirus software then notifies Office if the pattern of actions appears harmful before Office executes the macro code.

If the antivirus software indicates that macros are performing malicious actions, Office will display this dialog to the user, and then terminate the Office process without executing the malicious instruction to ensure the user remains safe.

If you see this dialog...

  1. It is likely that an open document was attempting to execute code that matched patterns of behavior that your antivirus software deemed malicious.

  2. If you feel a document is being improperly reported as malicious, you can move the document into a location that is part of the Trusted Locations feature in Office, or have the VBA macros in the document digitally code signed.

  3. If the document is still being reported as malicious after taking one of the actions in Step 2, you may have the setting for the Malware Runtime Scan feature set to validate all documents regardless of trust. See below for information about the different settings for the feature.

Settings for the Malware Runtime Scan Feature

By default, Office will enable Malware Runtime Scanning for VBA macros running in documents.

The exception is for documents that have full trust via one of the following methods:

This behavior can be controlled by setting the following value in the Windows Registry:

(PLEASE NOTE: modifying the Windows Registry can impact the behavior of applications and of Windows itself, and can lead to applications or the operating system no longer functioning correctly. Before making any modifications to the Windows Registry, ensure your system is backed up or a restore point established.)

KEY: [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Security]

VALUE NAME: "REG_DWORD:MacroRuntimeScanScope"




Disable runtime macro scanning for all documents.


Enable runtime macro scanning for all documents except those that are code signed by a trusted publisher, loaded from a trusted location, or if the VBA macro security trust setting is set to "Enable All Macros" (unsafe).


Enable runtime macro scanning for all documents.

These settings can be managed through Group Policy as well. If you are in an enterprise environment that is using Group Policy to set this behavior, you will have to contact your Administrator to make changes to this setting.  

See Also

Best practices for protection from viruses

Protect against threats in Office 365

Connect with an expert
Contact us
Expand your skills
Explore training

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.