F-Secure DeepGuard detects wscript.exe, ieexplorer.exe, winword.exe, explorer.exe, regsvr32, and excel.exe

F-Secure DeepGuard detects wscript.exe, ieexplorer.exe, winword.exe, explorer.exe, regsvr32, and excel.exe - F-Secure Community

Issue:

This article applies to the following F-Secure products: F-Secure SAFE, F-Secure Client Security, F-Secure Server Security, F-Secure PSB Computer Protection, F-Secure PSB Server Protection

I am getting a detection for the following files: wscript.exe, ieexplorer.exe, winword.exe, explorer.exe, excel.exe, and regsvr32.exe by Deepguard. How can I fix this?

Resolution:

Mostly these detections come from DeepGuard (a basic part of F-secure products which monitors applications to detect potentially harmful changes to the system). The following files are normally clean and each is a legitimate Microsoft file:


wscript.exe
ieexplorer.exe
winword.exe
explorer.exe
excel.exe
Regsvr32.exe

These legitimate Microsoft files are blocked by DeepGuard because a suspicious file, script or application is trying to run them.
When it comes to the business products, in order to investigate further, contact F-Secure support and provide the following:

FSDIAG - You can refer to this article for instructions on how to create an FSDIAG log
Possible file or script that you were running when you receive the detection.

The following is an example case with Microsoft Excel, and how to find out the script which is causing the alert:

Alert shown in Policy Manager Server or Windows Event log:


DeepGuard blocked an exploit action.
Application path: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File hash: 6490a5897c31e43393c0feba365a08611340867c

Locally on that machine, you can check the AlertSenderPlugin.log, which contains more detailed information about this:


[...]
2019-09-20 09:38:30.426 [1004.2b68] I: ULAVMonitoring::callbackOnOASAlert: Got OAS alert with JSON: {"bookmark":"PEJvb2ttYXJrTGlzdD4NCiAgPEJvb2ttYXJrIENoYW5uZWw9J0ZTZWN1cmVVbHRyYWxpZ2h0U0RLJyBSZWNvcmRJZD0nMTIxNTknIElzQ3VycmVudD0ndHJ1ZScvPg0KPC9Cb29rbWFya0xpc3Q+","rl":"sp.evt.dg.block","rv":{"AskSample":0,"Detection":"Exploit:W32/OfficeExploitPayload.A!DeepGuard","Exploit":"d:\\shared\\download\\samples\\macrotest.xlsm","Hash":"6490a5897c31e43393c0feba365a08611340867c","Path":"C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE","ProcessID":17996,"Rarity":2,"Reason":10,"Reputation":1,"SessionID":1,"tickcount":2348045081145}}. Extra data size: 0
[...]

In this case, alert is caused because of this macro:


d:\\shared\\download\\samples\\macrotest.xlsm

AlertSenderPlugin.log is located here on clients with Client Security 14.x and PSB Computer Protection:


C:\ProgramData\F-Secure\Log\PSB\AlertSenderPlugin.log

When it comes to the home products like F-secure SAFE, perform a full computer scan to let the product detect the source of those detection. F-Secure SAFE will check if there are any harmful files stored on the computer which cause such behaviour. To perform a full computer scan, follow the instruction below:

Open the F-Secure SAFE
Click Settings > Scanning settings > Manual scanning
- Untick Scan only known file types
- Tick Scan inside compressed files
Exit Settings
Click Tools
Select Virus scan options > Full computer scan

If the scan does not indicate any harmful files or any suspicious application installed, contact F-Secure support for further assistance.

Article no: 000004495