05-24-2017 05:45 AM
Hi Community Admins,
I'm reading over and over again comments from community members that they won't download Excel attachments from this forum due to security concerns.
Can you please give us some guidance on this matter?
I fully understand that you can't give us any guarantees and promises and that you also can't fully disclose how much and what security checking gets applied to attachments.
But.... Would it be possible that you provide some non legally binding opinions about the risk and some guidance what we can do on our end to reduce the risk if we want to download Excels other people post (ie. in the Excel trust centre where I've got settings that no VBA macros get executed without prompting me and where the "heavy" stuff must be in specif trusted folder locations in order to execute at all).
05-24-2017 08:38 AM
Hi Patrick (and others),
I understand why some community members are squeamish about downloading Excel files, and that it's even against policy at some organizations. However, I don't think that attached XLS/XLSX files present much of a risk -- and you hinted at the reasons why that's so.
Windows and Excel do keep track of the origin of files that you download, and whether they come from a trusted network location. For most of us, anything outside of our own corporate firewalls would be labeled as "untrusted" and thus require additional steps to allow any "active" content to execute -- including embedded macros.
In addition, most of us have robust anti-virus software that immediately detect known threats, almost as soon as they hit your local system. At SAS, we have a very attentive IT organization who constantly re-evaluates our security policies to reduce risk to our own systems. At this time, Excel attachments/downloads are allowed (and have been for many years) -- probably thanks to the measures I cited.
These two layers of protection are good, but they aren't a substitute for a diligent user. As we know, most malware infections happen as a result of a person installing/opening something they should not have. We don't encourage any user to download content that they think might present a risk.
And here's one more good option for our communities users: the community platform offers a preview feature for most common file types: Excel, PDF, Word docs, Text. If you click on the file name and not on the download icon, you'll see a "light box" preview of the file contents, and it's the web site that's opening that for you, not your local machine. The Preview feature does not download the file to your machine.
Example: Click on the name:
See a preview:
05-24-2017 02:59 PM
Excellent point about the preview facility! Thanks for pointing this out Chris. It's not entirely obvious that clicking on the name will preview it only. Is it possible to include text above "click to preview" or a tool tip to guide members? The download icon is representative of the download action, where as the preview action isn't as transparent.