F-Secure DeepGuard detects wscript.exe, iexplore.exe, winword.exe, explorer.exe, regsvr32.exe and excel.exe - F-Secure Community
<main> <article class="userContent"> <h3 data-version="10" data-article="000004495" data-id="issue">Issue:</h3> <p>This article applies to the following F-Secure products: F-Secure SAFE, F-Secure Client Security, F-Secure Server Security, F-Secure PSB Computer Protection, F-Secure PSB Server Protection<br><br>I am getting a DeepGuard detection for the following files: wscript.exe, iexplore.exe, winword.exe, explorer.exe, excel.exe and regsvr32.exe. How can I fix this?</p> <h3 data-id="resolution">Resolution:</h3> <p>These detections come from DeepGuard, the behaviour-monitoring component of F-Secure products, which watches running applications for potentially harmful changes to the system. The files named in the alert are normally clean; each is a legitimate Microsoft binary:<br></p><ul><li> <pre class="code codeBlock" spellcheck="false" tabindex="0"><br>wscript.exe<br>iexplore.exe<br>winword.exe<br>explorer.exe<br>excel.exe<br>regsvr32.exe</pre> <br> </li></ul> DeepGuard blocks these legitimate Microsoft files because a suspicious file, script or application is using them: either launching them, or (as in the Excel example below) being opened by them and making them perform an exploit action. The alert therefore names the host process that was blocked, not the file that triggered the behaviour. Excluding these binaries from DeepGuard would only hide the alert and leave the cause in place; the fix is to identify the document or script that drove them.<br>For the business products, to investigate further, contact F-Secure support and provide the following: <ol><li>FSDIAG - You can refer to this <a rel="nofollow" href="https://community.f-secure.com/t5/Common-topics/How-do-I-create-an-FSDIAG-file/ta-p/18190">article</a> for instructions on how to create an FSDIAG log</li><li>If possible, the file or script that you were running when you received the detection.</li></ol> The following is an example case with Microsoft Excel, showing how to find the script that is causing the alert.<br><br>Alert shown in Policy Manager Server or the Windows Event log:<br> <pre class="code codeBlock" spellcheck="false" tabindex="0"><br>DeepGuard blocked an exploit action.<br>Application path: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE<br>File hash: 6490a5897c31e43393c0feba365a08611340867c</pre> <br><br>Locally on that machine, you can check AlertSenderPlugin.log, which contains more detailed information about the same event:<br> <pre class="code codeBlock" spellcheck="false" tabindex="0"><br>[...]<br>2019-09-20 09:38:30.426 [1004.2b68] I: ULAVMonitoring::callbackOnOASAlert: Got OAS alert with JSON: {"bookmark":"PEJvb2ttYXJrTGlzdD4NCiAgPEJvb2ttYXJrIENoYW5uZWw9J0ZTZWN1cmVVbHRyYWxpZ2h0U0RLJyBSZWNvcmRJZD0nMTIxNTknIElzQ3VycmVudD0ndHJ1ZScvPg0KPC9Cb29rbWFya0xpc3Q+","rl":"sp.evt.dg.block","rv":{"AskSample":0,"Detection":"Exploit:W32/OfficeExploitPayload.A!DeepGuard","Exploit":"d:\\shared\\download\\samples\\macrotest.xlsm","Hash":"6490a5897c31e43393c0feba365a08611340867c","Path":"C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE","ProcessID":17996,"Rarity":2,"Reason":10,"Reputation":1,"SessionID":1,"tickcount":2348045081145}}. Extra data size: 0<br>[...]</pre> <br><br>In the JSON, "Path" and "Hash" identify the blocked host process and match the alert above, "ProcessID" is the process that was blocked, and "Exploit" names the file that triggered the behaviour. In this case the alert is caused by this macro-enabled workbook, whose path appears in the log with doubled backslashes only because the JSON escapes them: <pre class="code codeBlock" spellcheck="false" tabindex="0"><br>d:\shared\download\samples\macrotest.xlsm</pre> AlertSenderPlugin.log is located here on clients with Client Security 14.x and PSB Computer Protection: <pre class="code codeBlock" spellcheck="false" tabindex="0"><br>C:\ProgramData\F-Secure\Log\PSB\AlertSenderPlugin.log</pre> <br>For the home products such as F-Secure SAFE, perform a full computer scan to let the product find the source of the detections. F-Secure SAFE will check whether any harmful files stored on the computer are causing this behaviour. 
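<p>Returning to the business-product case: the AlertSenderPlugin.log lookup described above can be scripted. The following is an added example written for this article, not F-Secure code. It parses the "Got OAS alert with JSON" lines, keeps the "sp.evt.dg.block" events and reports, for each one, the legitimate host process that DeepGuard blocked ("Path", "Hash", "ProcessID"), the document or script that drove it ("Exploit") and the detection name. It also compares the reported hash with the hash of the binary now on disk (assuming the 40-hex-digit value is SHA-1; the article does not say), and decodes the base64 "bookmark" field, which in the quoted event is a small XML record naming a channel and a RecordId. The field names come from the log excerpt above; the sample log is constructed from that excerpt plus two made-up lines (the event name "example.other.event" is not real), and the default log path is the one given in this article.</p>

```python
"""Triage DeepGuard block events in AlertSenderPlugin.log.

Added example for this article, not F-Secure code. Field names (rl, rv,
Detection, Exploit, Hash, Path, ProcessID, bookmark) come from the log
excerpt quoted in the article; the SHA-1 assumption and the sample lines
marked 'constructed' are this example's own.
"""
import base64
import hashlib
import json
import re
import sys
from pathlib import Path

# Location given in the article for Client Security 14.x / PSB Computer Protection.
DEFAULT_LOG = Path(r"C:\ProgramData\F-Secure\Log\PSB\AlertSenderPlugin.log")
BLOCK_EVENT = "sp.evt.dg.block"            # the 'rl' value of a DeepGuard block
_JSON_MARKER = re.compile(r"Got OAS alert with JSON: ")
_TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)")

# Constructed sample log: line 2 is the event quoted in the article; lines 1
# and 3 are made up ('example.other.event' is not a real event name) so the
# parser can be seen skipping unrelated lines.
SAMPLE_LOG = r"""2019-09-20 09:38:29.001 [1004.2b68] I: ULAVMonitoring::heartbeat
2019-09-20 09:38:30.426 [1004.2b68] I: ULAVMonitoring::callbackOnOASAlert: Got OAS alert with JSON: {"bookmark":"PEJvb2ttYXJrTGlzdD4NCiAgPEJvb2ttYXJrIENoYW5uZWw9J0ZTZWN1cmVVbHRyYWxpZ2h0U0RLJyBSZWNvcmRJZD0nMTIxNTknIElzQ3VycmVudD0ndHJ1ZScvPg0KPC9Cb29rbWFya0xpc3Q+","rl":"sp.evt.dg.block","rv":{"AskSample":0,"Detection":"Exploit:W32/OfficeExploitPayload.A!DeepGuard","Exploit":"d:\\shared\\download\\samples\\macrotest.xlsm","Hash":"6490a5897c31e43393c0feba365a08611340867c","Path":"C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE","ProcessID":17996,"Rarity":2,"Reason":10,"Reputation":1,"SessionID":1,"tickcount":2348045081145}}. Extra data size: 0
2019-09-20 09:38:31.000 [1004.2b68] I: ULAVMonitoring::callbackOnOASAlert: Got OAS alert with JSON: {"rl":"example.other.event","rv":{}}. Extra data size: 0
"""


def parse_alert_json(line):
    """Return the JSON object embedded in a 'Got OAS alert' line, or None.

    raw_decode() parses exactly one JSON value starting at the marker and
    stops at its closing brace, so the '. Extra data size: 0' that the log
    appends after the object is ignored instead of breaking json.loads().
    """
    m = _JSON_MARKER.search(line)
    if not m:
        return None
    try:
        obj, _end = json.JSONDecoder().raw_decode(line, m.end())
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def decode_bookmark(b64):
    """Decode the base64 'bookmark' field to text ('' if it does not decode).

    In the article's event it is a small XML document naming a channel and a
    RecordId, i.e. a pointer back to the underlying sensor record.
    """
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return ""


def deepguard_blocks(text):
    """Yield one dict per 'sp.evt.dg.block' event in the log text.

    'host_process' is the legitimate binary DeepGuard blocked (what the
    Policy Manager alert shows); 'culprit' is the 'Exploit' field, the
    document or script that drove it and the thing to investigate.
    json un-escapes the doubled backslashes, so both come out as real paths.
    """
    for line in text.splitlines():
        alert = parse_alert_json(line)
        if not alert or alert.get("rl") != BLOCK_EVENT:
            continue
        rv = alert.get("rv") or {}
        ts = _TIMESTAMP.match(line)
        yield {
            "time": ts.group(1) if ts else "",
            "detection": rv.get("Detection", ""),
            "host_process": rv.get("Path", ""),
            "host_hash": str(rv.get("Hash", "")).lower(),
            "pid": rv.get("ProcessID"),
            "culprit": rv.get("Exploit", ""),
            "bookmark": decode_bookmark(alert.get("bookmark", "")),
        }


def sha1_hex(data):
    """Hex SHA-1 of a byte string."""
    return hashlib.sha1(data).hexdigest()


def host_binary_matches(event, path=None):
    """Compare the hash DeepGuard reported with the binary now on disk.

    Assumption: the 40-hex-digit 'Hash' is SHA-1 (the article does not say).
    Returns None if the file is not present on this machine, True if the
    on-disk binary is the one that was blocked, False if it differs (e.g.
    the binary was updated since the alert, or has been replaced).
    """
    p = Path(path or event["host_process"])
    if not p.is_file():
        return None
    return sha1_hex(p.read_bytes()) == event["host_hash"]


def summarize(event):
    """One triage record as multi-line text."""
    bookmark = " ".join(event["bookmark"].split())   # collapse the XML's line breaks
    return (
        f"{event['time']} {event['detection']}\n"
        f"  blocked host process : {event['host_process']} (pid {event['pid']})\n"
        f"  reported file hash   : {event['host_hash']}\n"
        f"  file that drove it   : {event['culprit']}\n"
        f"  sensor bookmark      : {bookmark}"
    )


if __name__ == "__main__":
    # Usage: python dg_triage.py [path\to\AlertSenderPlugin.log]
    # Without an argument the article's default log path is read if it exists;
    # otherwise the constructed SAMPLE_LOG is used so the example runs anywhere.
    if len(sys.argv) > 1:
        source = Path(sys.argv[1])
    else:
        source = DEFAULT_LOG if DEFAULT_LOG.is_file() else None
    text = source.read_text(encoding="utf-8", errors="replace") if source else SAMPLE_LOG
    for event in deepguard_blocks(text):
        print(summarize(event))
        on_disk = host_binary_matches(event)
        if on_disk is not None:
            print("  on-disk binary matches reported hash:", on_disk)
```

<p>Run on a client, the script lists every blocked exploit action with the file to send to F-Secure support alongside the FSDIAG. A False result from the on-disk hash comparison does not by itself mean tampering: Office updates rewrite EXCEL.EXE, so compare the alert time with the binary's modification time before drawing conclusions.</p>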
To perform a full computer scan, follow the instructions below: <ol><li>Open F-Secure SAFE</li><li>Click <b>Settings > Scanning settings > Manual scanning</b> <ul><li>Untick <b>Scan only known file types</b>, so that files whose extension does not reveal their type are scanned as well</li><li>Tick <b>Scan inside compressed files</b>, so that files stored inside archives are scanned too</li></ul></li><li>Exit <b>Settings</b></li><li>Click <b>Tools</b></li><li>Select <b>Virus scan options</b> > <b>Full computer scan</b></li></ol> If the scan does not find any harmful files or suspicious applications, contact F-Secure support for further assistance. <p>Article no: 000004495</p> </article> </main>