How to configure Windows Defender ASR rules to allow BrightSlide
Introduction
Microsoft Windows Defender includes Attack Surface Reduction functionality to reduce an organisation's exposure to malicious software threats. You can learn more about it in this Microsoft Learn article.
One of the optional ASR rules available to IT security administrators is this one:
Block Win32 API calls from Office macros
GUID 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
The challenge with this rule is that Microsoft treats "Office macros" as any VBA code. This includes VBA code inside an Office file such as a macro-enabled Word document (docm), Excel spreadsheet (xlsm) or PowerPoint presentation (pptm). That makes perfect sense when trying to protect users from opening malicious attachments received via email or downloaded from the internet. But this rule also targets legitimate VBA code within M365 Office application add-ins, even when they are signed by reputable EV code-signing certificates that are present in the Trusted Publisher store and carry instant reputation as far as Windows Defender is concerned.
Why does this matter?
BrightSlide uses over 100 Win32 APIs to support the features it provides to PowerPoint users. Most of these are viewed as harmless by security software. As an example, the Sleep API just tells VBA to wait for a period of time before continuing. But something like a file download API sets off warning bells, because you wouldn't expect nor want a macro payload in an Office file to start downloading malicious executables.
BrightSlide includes an in-app software update experience which is accessed by clicking About / License & Updates / Check for Updates:
To minimise disruption from potential security suite false positives, a separate add-in component is loaded at run time to facilitate this action, and its sole job is to download the latest BrightSlide.ppam file and any updated graphical assets. This second ppam component is called the BrightSlide Helper and it contains the Win32 https calls that retrieve the updated files from the BrightCarbon software server. When the above ASR rule is enabled in Warn mode, the following Windows Security notification is displayed as the component loads and calls the https functions:
Contrary to Microsoft's documentation, clicking Unblock does not work for M365 application add-ins and as a result, the BrightSlide in-app software update experience is broken, leaving the user's PC in an unknown state.
Resolution
It is typical for IT administrators to test ASR rules in Audit mode before deploying them in Block mode, as Microsoft recommends. To alleviate any disruption to BrightSlide users, an ASR Only Per Rule Exclusion may be configured. ASR rules can be configured via any of these mechanisms:
- Microsoft Intune
- Mobile Device Management (MDM)
- Microsoft Endpoint Configuration Manager
- Group Policy
- PowerShell
In the screenshots below, you can see we're using Microsoft Intune to configure the ASR rules under Endpoint Security / Attack Surface Reduction.
First, create a new policy profile and set the required ASR rule as follows:
Next, click the toggle switch next to the ASR exclusions to enable exclusions to be added:
If you've deployed BrightSlide using the per-user installer (exe), add the full path using the accepted environment variable and wildcard as follows:
%AppData%\Microsoft\AddIns\BrightCarbon\BrightSlide\BrightSlide*.ppam
If you've deployed BrightSlide using the machine installer (msi), add the full path using the accepted environment variable and wildcard as follows:
%ProgramFiles(x86)%\BrightCarbon\BrightSlide\BrightSlide*.ppam
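The same configuration can be applied with the PowerShell mechanism listed above. The following is an added example, not BrightCarbon's own script or Microsoft's documentation, for a device that is not already receiving these settings from Intune or Group Policy (management-channel policy takes precedence over local preferences). It uses the rule GUID and the two exclusion paths from this article and starts the rule in Audit mode. The two per-rule exclusion parameters (`*_RuleSpecificExclusions_Id` and `*_RuleSpecificExclusions`) are assumed to be present on recent Defender platform builds and are only used when the cmdlet exposes them; otherwise it falls back to `-AttackSurfaceReductionOnlyExclusions`, which excludes the paths from every ASR rule but nothing else in Defender.

```powershell
# Added example (not BrightCarbon code): configure the ASR rule and BrightSlide exclusions locally.
# Run in an elevated PowerShell session on a test device.
$RuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'   # Block Win32 API calls from Office macros

# Exclusion paths from the article. Defender expands the environment variables itself,
# so keep them in single quotes rather than letting PowerShell expand them now.
$Exclusions = @(
    '%AppData%\Microsoft\AddIns\BrightCarbon\BrightSlide\BrightSlide*.ppam'   # per-user (exe) installer
    '%ProgramFiles(x86)%\BrightCarbon\BrightSlide\BrightSlide*.ppam'          # machine (msi) installer
)

# Start in Audit mode as the article recommends; change to Warn or Enabled once testing is clean.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Prefer a per-rule exclusion scoped to this one rule. These two parameters are ASSUMED to exist
# on recent Defender builds; the guard keeps the script runnable if they are not available.
$cmdParams = (Get-Command Add-MpPreference).Parameters
if ($cmdParams.ContainsKey('AttackSurfaceReductionRules_RuleSpecificExclusions')) {
    foreach ($path in $Exclusions) {
        Add-MpPreference -AttackSurfaceReductionRules_RuleSpecificExclusions_Id $RuleId `
                         -AttackSurfaceReductionRules_RuleSpecificExclusions $path
    }
} else {
    # Broader fallback: excluded from all ASR rules, but from nothing else in Defender.
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Exclusions
}

# Read back what Defender now holds.
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids,
                                 AttackSurfaceReductionRules_Actions,
                                 AttackSurfaceReductionOnlyExclusions
```

Note that `Add-MpPreference` appends to the existing lists, so re-running the script is safe; use `Remove-MpPreference` with the same parameter names to back the change out.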
Testing
Confirm that the policy has been deployed to a test machine. You can check by looking for the ASR rule and exception(s) in various places in the Windows Registry, such as here:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
Start PowerPoint and invoke the in-app software update UX as follows:
- Click the BrightSlide tab
- Click the About button on the far right of the ribbon
- Click License & Updates on the far left of the ribbon
- Hold the shift key and click the Check for Updates button (shift key bypasses version checks and forces an update)
- Click Install
- Observe the BrightSlide tab disappearing, the update UI appearing, and after a few seconds the update UI should disappear and the BrightSlide tab reappear.
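To confirm the outcome of the test with more than the visual cue, the following added check (not BrightCarbon code) reads the effective Defender preferences, dumps the Policy Manager registry key named above exactly as your management channel wrote it, and then lists any ASR events for this rule from the Defender operational log. Event IDs 1121 (rule blocked) and 1122 (rule audited) are Microsoft's documented ASR event IDs; the rule GUID appears in the event message, which is what the filter matches on. The one-hour window is an assumption chosen to cover the update test just performed.

```powershell
# Added example (not BrightCarbon code): verify policy arrival and check whether the rule fired.
# Run in an elevated PowerShell session on the test machine after the update test.
$RuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'

# 1. Effective Defender settings (Intune/GPO policy is merged into this view).
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
$idx  = [array]::IndexOf($ids, $RuleId.ToUpper())
if ($idx -lt 0) {
    Write-Warning "Rule $RuleId is not configured on this device"
} else {
    # Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    "Rule action code: $($pref.AttackSurfaceReductionRules_Actions[$idx])"
}
"ASR-only exclusions: $($pref.AttackSurfaceReductionOnlyExclusions -join '; ')"

# 2. The Policy Manager key from the article, dumped as-is rather than guessing value names.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'
if (Test-Path $key) {
    Get-ItemProperty -Path $key | Format-List *
} else {
    Write-Warning "$key is not present; policy may not have reached this device yet"
}

# 3. Defender operational log: 1121 = ASR rule blocked, 1122 = ASR rule audited.
#    A clean result after the update test means the exclusion is working; a 1122 entry
#    means the Helper was matched in Audit mode and would be blocked once enforced.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-1)   # assumed window covering the test
    } -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match $RuleId } |
  Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
  Format-Table -AutoSize
```

If step 1 shows the rule but the registry key in step 2 is empty, the setting was applied locally rather than by policy; if the key is populated but step 1 disagrees with it, the device has not yet refreshed its Defender preferences from the policy.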