Overview and Configuration of MacroKiller for Exchange
This document explains the configuration options that are available to an Exchange administrator, and also shows how to enable and disable the software until you are comfortable with MacroKiller.
Description
MacroKiller is an Exchange Transport Agent that converts Word and Excel documents that contain macros into Macro-free versions that cannot infect your users.
Key Features
- Strips Macros out of Word and Excel documents
- Users receive clean, virus free documents
- Using the 100% safe Word.DOCX and Excel.XLSX formats
- Users CANNOT infect themselves
- Original Documents saved in Password protected ZIP file
- Whitelists skip processing for trusted senders
Other Features
- Whitelist a Sender or Domain: This will never process messages from this Sender or Domain
- Testing Configuration: You can set MacroKiller to run for selected users during a test by listing "Included Recipients".
- In production, you can always exclude a recipient's messages from being converted via "Excluded Recipients".
Configuration Options
The table below describes the various configuration options, as well as the default values that we use to set the initial configuration. It also shows optional settings.
Our default settings is AlwaysConvertToMacroFree for valid Word documents, and to Reject or ZipWithPassword any Invalid Word documents, including those with no "words" (less than 50 characters).
| Option | Values / Usage |
| File Extensions | Document types to scan for macros .DOC, .DOCM, .DOCX, .RTF, .XLS, .XLSM, .XLSX Default: .DOC, .DOCM, .DOCX, .RTF, .XLS, .XLSM, .XLSX |
| MacroRemoval | [?, N, None, R, Remove, C, ConvertToMacroFree, A, AlwaysConvertToMacroFree, J, Reject] Default: AlwaysConvertToMacroFree |
| PreserveOption | [?, N, None, Z, ZipWithPassword, C, ConvertToMacroEnabled] Default: ZipWithPassword Note: This option allows you to save the original document in a password protected zip file. |
| SafeViewingOption | [?, N, None, P, ConvertToPdf, T, ConvertToTxt] Default: None |
| InvalidFileOption | [?, E, ChangeExtension, D, Delete, Z, ZipWithPassword, R, Reject] Default: R |
| FilePassword | This is the password used to secure a .zip file if any of the 'ZipWithPassword' options are used. Default: Caution |
| ZipFileName | This is the name of the .zip file that will get created if any of the 'ZipWithPassword' options are used Default: PossibleMalware.zip |
| MinimumCharacters | Word docs with no words will be handled as InvalidFileOption (Reject) Default: 50 |
| CustomRejectMessage | This will be used only if messages are "Rejected" Default: Maysoft.com DOES NOT accept Word files with macros |
| ActivityToLog | These are logged to the Windows Event Viewer Errors, MacroRemoval, PreserveOption, SafeViewingOption, Zip, MinimumCharacters, InvalidFileOption, Reject Default: Errors, MacroRemoval, PreserveOption, SafeViewingOption, Zip, MinimumCharacters, InvalidFileOption, Reject |
| Recipients | This option allows you to process for selected names, or to exclude selected names There is not default value for this option |
| RecipientLookup | [0ptions= ?, D, Disabled, I, Included, E, Excluded] Default: Disabled |
| IncludedRecipients | # Included means MacroKiller only converts and processes Word and Excel docs for named individuals There is not default value for this option |
| ExcludedRecipients | # Excluded means MacroKiller does NOT convert or process Word and Excel docs for named individuals. There is not default value for this option |
| Enable WhiteList | This is a master switch to enable use of the different WhiteList types (see below). [? D, Disabled, S, Senders] Default: Senders |
| WhiteListSenders | # Email from listed addresses will not be checked by MacroKiller i.e [email protected], [email protected] There is not default value for this option |
| WhiteListDomains | #Email from the listed domains will not be checked by Macrokiller i.e. maysoft.com, acme.com There is not default value for this option |
Administrator Information
Below is a Powershell session where MacroKiller can be installed, uninstalled and reconfigured. We have added some new commands, like Get-MacroKiller which shows the current configuration.
Do disable Macrokiller which can be useful during testing:
Set-MacroKiller -Enabled $false
To enable Macrokiller
Set-MacroKiller -Enabled $true
You can also run this command to disable the Transport Agent completely:
Disable-TransportAgent "MacroKiller"
When installed, it is always the last Priority in the list of Transport Agents:
Event Viewer
When MacroKiller processes a document, the action can be recorded in the Event Viewer. Which actions are recorded depends on the configured options.
What the Outlook User Sees
1. The original .DOC file is converted to a Macro-free .DOCX document, which the user can freely open.
2. Optionally you can preserve the original .DOC in a password protected ZIP file. We recommend to perform just the conversion. If you need to receive macros from this sender, whitelist the sender and resend. Why? Because 98% of these Zip files contain Malware and users have opened them and infected themselves.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article