F-Secure DeepGuard alarm and wscript.exe

OGrelck Posts: 6 New Member


We got an F-Secure DeepGuard alarm today.

The user told me he downloaded a zip file with Google Chrome, in which should be a Word document. He said he deleted the zip file and did not open it. Attached some screenshots from F-Secure.

The question is, is it true that he did not open it? Can F-Secure detect it without running something or did the user run the file inside the zip? Was the wscript.exe called by this or did F-Secure only detect that inside the zip there is something which wants to call wscript.exe?

Is it possible that Chrome can run wscript.exe or a JavaScript JS file that is calling wscript?

Best Regards



  • Jamesch
    Jamesch Posts: 357 Moderator

    Hi Ole

    Regarding this case, I suggest submitting a case and sample to our detection team.


  • OGrelck
    OGrelck Posts: 6 New Member

    Hi Jamesch,

    We don't have a sample, the download is already deleted.

    Is it possible to get information from log files, which file called wscript or wasn't it called only a file was detected which.


  • OGrelck
    OGrelck Posts: 6 New Member


    I could reconstruct the problem.

    I used the Chrome DownloadMetadata file to find the downloaded zip. I downloaded the file in a safe environment and decompressed it.

    Inside there was an obfuscated js file, which calls wscript to load a file from the internet and runs it.

    The user has opened the zip and clicked the js :-(
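
Added example, not part of the original thread and not F-Secure's code: a static triage of a downloaded zip that lists members Windows would hand to wscript.exe on double-click, without extracting or running anything. The function name `triage_zip`, the marker list, the size cap and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows associates with Windows Script Host (wscript.exe) by default.
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Document extensions often placed in front of the real one as a decoy.
DECOY_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf"}
# Heuristic strings (assumed list); heavy obfuscation can hide all of them.
MARKERS = (b"ActiveXObject", b"WScript", b"XMLHTTP", b"eval(")
MAX_SCAN_BYTES = 5 * 1024 * 1024  # skip content scan of oversized members


def triage_zip(zip_bytes):
    """Inspect a zip in memory; members are read as bytes, never executed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            if not suffixes or suffixes[-1] not in WSH_EXTENSIONS:
                continue
            body = archive.read(info) if info.file_size <= MAX_SCAN_BYTES else b""
            findings.append({
                "name": info.filename,
                # e.g. "Invoice.doc.js" shows as "Invoice.doc" when extensions are hidden
                "decoy_extension": len(suffixes) > 1 and suffixes[-2] in DECOY_EXTENSIONS,
                "markers": [m.decode() for m in MARKERS if m in body],
                # very long single lines are a common sign of obfuscated script
                "longest_line": max((len(l) for l in body.splitlines()), default=0),
            })
    return findings


def build_sample_zip():
    """Constructed sample: an inert placeholder script named like a document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Invoice.doc.js", "var a = 'placeholder'; // WScript marker, inert\n")
        archive.writestr("readme.txt", "plain text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```
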


  • Jamesch
    Jamesch Posts: 357 Moderator

    Hi Ole

    Just to confirm - this is not a product nor detection issue, correct?

This discussion has been closed.