DeepGuard blocked a ScriptStager infection

Hi,

Today DeepGuard detected and blocked an infection with the description "Exploit:W32/ScriptStager.B!DeepGuard" on one of my machines.

From the PSB portal I have only wscript.exe without any other info, so I don't know where the infection came from.

[Screenshot: PSB1 Portal – F-Secure, 2018-06-21 19:07:21]

Maybe it is a false positive, but I need more information to judge whether it's malicious or not.

Is there a way to see a detailed log of the DeepGuard detection?

Thanks in advance,

Gabriele.


Comments

  • fedool Posts: 145 F-Secure Employee

    Hello,

    DeepGuard does not log anything special by default that would help you investigate this.

    You can try checking the Windows Event Log channel "FSecureUltralightSDK" under "Application and Services Logs/F-Secure Ultralight SDK"; it may have more info about the blocked app.

    Ukko
  • etomcat Posts: 1,318 Superuser

    Dear Fedool,

    The FSAV alert quoted by the user includes the file's hash checksum as "2661e5f3562dd03c0ed21c33e2888e2fd1137d8c".


    This can be searched for on Virustotal webportal to see that the incident is likely a false alarm:
    https://www.virustotal.com/#/file/62a95c926c8513c9f3acf65a5b33cbb88174555e2759c1b52dd6629f743a59ed/detection

    F-Secure's virus lab can also fetch the particular binary sample from Virustotal's repository and provide the fix based on that, so there is no need for the end user to submit anything more!

    Yours Sincerely: Tamas Feher, 2F 2000 Kft., Budapest, Hungary.

  • fedool Posts: 145 F-Secure Employee

    The VirusTotal result is for wscript.exe itself, but DeepGuard does not block wscript as a file; it blocks it during execution because it detects suspicious behavior.

    That's possible because wscript is used to run scripts, and scripts can do suspicious things, like writing to system files or the registry.

    Which exact set of operations triggered the detection is unknown; we need to see the executed script to check that.

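The two replies above ask for two things the PSB portal does not show: whether the flagged wscript.exe is the genuine system binary, and which script it was executing when DeepGuard intervened. The following PowerShell script is an added example for collecting that context on the affected machine; it is not code from the thread or from F-Secure. It assumes that the Ultralight SDK channel is registered under the log name 'F-Secure Ultralight SDK' (the thread only gives the folder path), and that "Audit Process Creation" with command-line logging is enabled so that Security event 4688 records the script path passed to wscript.exe. The detection time is a placeholder taken from the screenshot filename.

```powershell
# Added example (not from the forum thread): gather context for a DeepGuard
# block of wscript.exe. All channel names and the detection time are assumptions.
param(
    # Time of the block as shown in the PSB portal (placeholder from the screenshot name).
    [datetime]$DetectionTime = (Get-Date '2018-06-21 19:07:21'),
    [int]$WindowMinutes = 10,
    # SHA-1 quoted from the alert in the thread; compared against the on-disk binary.
    [string]$AlertSha1 = '2661e5f3562dd03c0ed21c33e2888e2fd1137d8c'
)

$start = $DetectionTime.AddMinutes(-$WindowMinutes)
$end   = $DetectionTime.AddMinutes($WindowMinutes)

# 1. Is the flagged file the real, signed system binary? A hash mismatch or an
#    invalid signature would mean something other than the stock wscript.exe ran.
$wscript = Join-Path $env:SystemRoot 'System32\wscript.exe'
$sha1    = (Get-FileHash -Path $wscript -Algorithm SHA1).Hash.ToLower()
$sig     = Get-AuthenticodeSignature -FilePath $wscript
[pscustomobject]@{
    Path          = $wscript
    Sha1          = $sha1
    MatchesAlert  = ($sha1 -eq $AlertSha1.ToLower())
    SignerStatus  = $sig.Status
    Signer        = $sig.SignerCertificate.Subject
} | Format-List

# 2. DeepGuard / Ultralight SDK events around the detection time.
$sdkLog = 'F-Secure Ultralight SDK'   # assumed channel name
Get-WinEvent -FilterHashtable @{
    LogName   = $sdkLog
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 3. Process-creation events (Security 4688) for wscript.exe in the same window.
#    The CommandLine field names the .vbs/.js file that was executed, which is
#    exactly what the vendor needs to judge the detection.
$procEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'wscript\.exe' }

foreach ($e in $procEvents) {
    # Parse the EventData fields out of the event XML rather than scraping Message.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time          = $e.TimeCreated
        Process       = $data['NewProcessName']
        CommandLine   = $data['CommandLine']
        ParentProcess = $data['ParentProcessName']
        User          = $data['SubjectUserName']
    }
}
```

Run it in an elevated PowerShell session on the machine that raised the alert (the Security log requires administrator rights). If step 3 returns events with an empty CommandLine, the "Include command line in process creation events" policy was not enabled at the time of the block; the script path is then only recoverable from a Sysmon or EDR process trace, if one exists. The script file and parent process from step 3 are what to attach when submitting the sample to the vendor.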
This discussion has been closed.