Many customers reported that a strange error window popped up when they tried to activate the NumXL Toolbar (NumXLUI.xlam). The error states: "NumXLUI.xlam is not a valid add-in" or "NumXLUI.xlam file format or file extension is not valid...".
The error message is triggered by Windows Defender when the “Block Win32 API calls from Office macros” rule is set.
During a recent update to the Windows Security and Microsoft Defender for Endpoint service, user devices experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule “Block Win32 API calls from Office macro” after updating to security intelligence build 1.381.2140.0.
This new rule blocks VBA macros that try to call Win32 APIs, which prevents the NumXL toolbar from loading. In a few cases, users reported that their antivirus (AV) programs displayed on-screen warnings of “potentially malicious behavior” and blocked the add-in from loading.
Diagnosis:
There is no malware in our product. We developed NumXL entirely by ourselves and did not outsource any part.
Furthermore, all executable files (i.e., DLL, EXE, and XLAM) from NumXL are signed with a Code Signing certificate, ensuring that the files are from our company, Spider Financial Corp, and have not been tampered with. You can verify this information on the certificate.
As an extra layer of protection, you can configure Excel to disable all macros except digitally signed macros, or to require application add-ins to be signed by a trusted publisher.
Why do VBA macros call Win32 API?
NumXL UI uses a few Windows API calls for its core functionality, such as reading certain parts of the registry (for example, to determine whether the user is utilizing the 32-bit or 64-bit edition of Excel), storing items in memory, reading the user’s language settings for Windows and Excel, and accessing the user’s application data folder to store settings, among other functions.
Solution
If your organization has the “Block Win32 API Calls from Office Macros” rule applied in combination with “block mode,” you can still use NumXL by adding an exception for our files.
- Exclude our installation folder:
  - For 64-bit Installation, exclude the “%Program Files%\NumXL” folder.
  - For 32-bit Installation, exclude the “%Program Files(x86)%\NumXL” folder.
- Exclude our Toolbar add-in file (NumXLUI.xlam) in the installation folder.
To learn more, please check out the following guidelines (Microsoft):
- Configure Extension and File Exclusions in Microsoft Defender Antivirus.
- Enable Attack Surface Reduction Rules.
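One way to apply the single-file exclusion described above, as an added example that is not NumXL's or Microsoft's own script: it reports the rule's current mode, checks that the DLL and EXE files in the install folder carry a valid signature, and only then excludes NumXLUI.xlam from ASR. It assumes the standard Program Files locations, the rule GUID from Microsoft's ASR rule reference, and a signer subject containing "Spider Financial"; the .xlam's own VBA signature is not checked here.

```powershell
# Added example; run from an elevated PowerShell prompt.
$RuleId    = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'  # "Block Win32 API calls from Office macros"
$Publisher = 'Spider Financial'                      # assumed substring of the signer subject
$Modes     = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# 1. Report how the rule is currently configured on this device.
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
$mode = 'Not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $RuleId) { $mode = $Modes[[int]$acts[$i]] }
}
Write-Host "ASR rule $RuleId mode: $mode"

# 2. Locate the install folder (assumed: NumXL under Program Files or Program Files (x86)).
$dir = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'NumXL' } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $dir) { throw 'NumXL installation folder not found.' }

# 3. Refuse to add an exclusion if any DLL/EXE is unsigned or signed by someone else.
$bad = Get-ChildItem -Path $dir -Recurse -File -Include *.dll, *.exe |
    Get-AuthenticodeSignature |
    Where-Object {
        $_.Status -ne 'Valid' -or
        $_.SignerCertificate.Subject -notmatch [regex]::Escape($Publisher)
    }
if ($bad) {
    $bad | Format-Table Path, Status -AutoSize | Out-String | Write-Host
    throw 'Signature check failed; no exclusion added.'
}

# 4. Exclude only the toolbar add-in, and only from ASR (not from antivirus scanning).
$xlam = Join-Path $dir 'NumXLUI.xlam'
if (-not (Test-Path $xlam)) { throw "Not found: $xlam" }
if (@($pref.AttackSurfaceReductionOnlyExclusions) -notcontains $xlam) {
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $xlam
}
Write-Host "ASR-only exclusions now:" (Get-MpPreference).AttackSurfaceReductionOnlyExclusions
```

An exclusion added this way applies to the ASR rules on the device in general rather than to this one rule alone, and settings delivered by Group Policy or Intune take precedence over local ones.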
Conclusion
The “NumXLUI.xlam” error message is due to a new rule in the latest Windows security update. It is not indicative of malware in our product, NumXL. You can resolve this issue by adding an exception for our files, following the guidelines provided by Microsoft. We appreciate your understanding and cooperation and assure you of our continued commitment to the security and functionality of our software.
Comments
A few users reported that they are able to get around this error as follows:
To disable this particular Defender policy (ASR Rule - Block Win32 API Calls from Office Macro), please consult this article:
https://www.syxsense.com/syxsense-securityarticles/antivirus/syx-1005-10409.html
You would need to use a user account with administrative (a.k.a., elevated) permission, so you may need the assistance of your local administrator.