How do I cleanse a system of this infection?
I get that this is probably something bad trying to run a powershell script, but how do I know what the offender is and how do I clean it?
F-Secure Protection Service for Business has identified the following security incidents:
Time;Account;Host;Infection;Action;Type;Infected Object;Infected Object SHA1
Thu, 23 August 2018 20:21:06 UTC MyCompany-internal FLT-20 Exploit:W32/PowerShellStager.B!DeepGuard Blocked File c:\windows\syswow64\windowspowershell\v1.0\powershell.exe 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
The detection is for blocking stagers from dropping or downloading their stage. So in usual cases, there should not be anything to clean except to delete or not to visit the document or website that triggered the detection.
If the detection is recurring, it might be a sign that there was a file-less persistence that got past our defenses or some script is running and doing that.
I will try to figure out if there is some log you can use to detect what initiates this detection.1 1Like