How can I indicate that a vbs script is trusted and may be allowed?

keebellah
keebellah Posts: 5 New Member

I am using F-Secure (license through XS4ALL (NL))

Computer Security 14.150 build 101

DeepGuard 5.0 build 580, it's there.

I have an application with which I create a vbs script on-the-fly; this script is created in the TEMP folder, used once and deleted thereafter.

It invokes Excel, carries out some tasks and then closes and deletes itself.

The vbs script always has the same name.

When I run it DeepGuard detects it as an exploit and then closes it.

If I go to the TEMP folder and execute the vbscript (double click) it runs and DeepGuard doesn't complain and it runs.

Where can I indicate (I have admin rights) that this script is trusted and must always be allowed?

OS: Windows 10 64-bit, Office 32-bit.

Thanks for any tips and answers.

Hans

Comments

  • Simon
    Simon Posts: 2,667 Superuser

    Excluding the file from a virus scan probably won't work, but it might still be worth a try, if you go to Settings > Virus Protection > Exclude files from the scan... then navigate to your vbs script.

    However, I think that will only exclude files from a scheduled or manual scan, and if FS detects something executing which it considers dangerous, it will still block it.  So, you may need to Submit the file for analysis at the F-Secure labs, so that they can whitelist it for you.

  • keebellah
    keebellah Posts: 5 New Member

    Thanks for the reply.

    The file is already present.

    Of course I can submit the file, but then you'll have to explain to me why I can run it by double-clicking the file and not as administrator, and that F-Secure ignores it?

    Why does it see it as an Exploit? Is there some more in-depth documentation for that?

    I do not think F-secure is then all that trustworthy?

    I'm wondering.

  • Simon
    Simon Posts: 2,667 Superuser

    Sorry, I can't answer the technicalities as to why the script should sometimes be blocked and sometimes not.  If you want to submit a Support Ticket with the file from the Support Tool then the tech guys may be able to answer your question. 

  • Ukko
    Ukko Posts: 3,727 Superuser

    Hello,

    Sorry for my long reply.

    There can be some points about your situation (and these are just my suggestions and dreams based on my experience with using the F-Secure solution):

    --> Not sure... and this suggestion should be re-checked (?! temporarily I cannot re-check it with the stable F-Secure IS solution):

    Your words have a point... that the F-Secure solution is provided to you by your operator.

    And these days... the stable F-Secure IS solution (from the F-Secure website directly) will probably be more "up-to-date" than your solution (mostly about bug-fixes or improvements for dropping f/p detections, performance improvements and some other features).

    Potentially... there can possibly be trouble... that your DeepGuard (partly module or logic design) can be slightly outdated. So... the current "strange" situation may be fixed with later stable releases (when it starts to be known or is re-designed to improve it). But...

    This is not so likely... but can be... if you think that the situation about the detection is too strange (close to an f/p detection).

    My installation has a slightly different build number for DeepGuard.

    --> F-Secure SAS potentially has a feature (if you provide your mail address when transferring the file) about "response":

    So... it is possible to transfer the file with words (like "your questions" about it) and potentially receive an answer from F-Secure Labs. But more often this is some kind of "secret". And the application/file will just be added to the white-list (which will not be helpful for a re-created same application) with additional points.
    Or the detection will be re-designed if F-Secure Labs finds the reasons for detection too much of a "mistake".

    --> My suggestion can be like this: possibly this detection is triggered by some "logic" stamp... and there can be a different explanation for the detection.

    Maybe because of the application?! Maybe because of something else. Most likely F-Secure SAS/F-Secure Labs have proper information about the certain reasons. Based on "permissions for access" or other. Such as not likely about how you launch it, but related to a complex of points. And not about just one point as the main reason for detection (but this can be too).

    DeepGuard detects "potential" exploits too.

    This means... if for some reasons there are suspicious (or close to known exploit points) actions... the file can be prevented from working.

    BUT... do you mean that you get a prompt about "exploit-in-work" for the Excel application (with this... possibly you are able to allow it to work)? This should be like "DeepGuard detected exploit-action".

    OR... is there just a DeepGuard prompt about a "malicious file" and the words about exploit are just in the "Detection" name? With this... most likely... the most helpful step will be using F-Secure SAS/Labs to drop the detection. Such as... an f/p detection. There can be two (?!) results: your file (which you transferred) will be added to the white-list (if the file is marked as safe by F-Secure Labs)... or the detection for the current "signature" will be re-designed (to improve situations when safe files trigger the same detection as malicious or too suspicious ones).

    Sorry for the reply.

  • keebellah
    keebellah Posts: 5 New Member

    Below is the vbs file, it always has the same name and is created on-the-fly

    There is nothing strange in it, it just invokes Excel and lists the contents of the Excel file's vba code

    [code]
    Option Explicit

    ' VBComponent.Type values (VBIDE enumeration); VBScript has no access to
    ' the type library, so they are declared as constants here.
    Const vbext_ct_StdModule   = 1
    Const vbext_ct_ClassModule = 2
    Const vbext_ct_MSForm      = 3
    Const vbext_ct_Document    = 100

    Main

    Sub Main
        Dim xl, fs, WBook, VBComps, VBComp
        Dim Sfx, ExportFolder, FullFileName

        ' Path of the workbook whose VBA code is exported; written by the
        ' generating application each time the script is created.
        FullFileName = "G:\_Forii_hc&ts\AWVN\AWVN- Digitale Vlootschouw V1.2 (LEEG).XLSM"

        If Len(Trim(FullFileName)) = 0 Then Exit Sub

        If InStr(1, LCase(FullFileName), ".xl") = 0 Then
            MsgBox "This code only handles Excel files!", vbExclamation, "OPERATION ABORTED"
            WScript.Quit
        End If

        Set xl = CreateObject("Excel.Application")
        Set fs = CreateObject("Scripting.FileSystemObject")

        xl.Visible = True
        xl.Application.EnableEvents = False     ' do not run Workbook_Open and friends
        Set WBook = xl.Workbooks.Open(Trim(FullFileName))

        ' Export folder: <workbook folder>\vba-YYYYMMDD-<workbook base name>
        ExportFolder = WBook.Path & "\vba-" & Year(Date()) & Right("00" & Month(Date()), 2) & Right("00" & Day(Date()), 2) & "-" & fs.GetBaseName(WBook.Name)
        If Not fs.FolderExists(ExportFolder) Then fs.CreateFolder ExportFolder

        ' Reading WBook.VBProject fails unless "Trust access to the VBA project
        ' object model" is enabled in the Excel Trust Center, so test it first
        ' instead of looping over a collection that was never obtained.
        On Error Resume Next
        Set VBComps = WBook.VBProject.VBComponents
        If Err.Number <> 0 Then
            MsgBox Err.Description, vbCritical, "Error " & Err.Number
            Err.Clear
        Else
            On Error GoTo 0
            For Each VBComp In VBComps
                Select Case VBComp.Type
                    Case vbext_ct_ClassModule, vbext_ct_Document
                        Sfx = ".cls"
                    Case vbext_ct_MSForm
                        Sfx = ".frm"
                    Case vbext_ct_StdModule
                        Sfx = ".bas"
                    Case Else
                        Sfx = ""        ' unknown component type: skip it
                End Select

                If Sfx <> "" Then
                    On Error Resume Next
                    VBComp.Export ExportFolder & "\" & VBComp.Name & Sfx
                    If Err.Number <> 0 Then
                        MsgBox "Failed to export " & ExportFolder & "\" & VBComp.Name & Sfx
                        Err.Clear
                    End If
                    On Error GoTo 0
                End If
            Next
            MsgBox "Done!" & vbCrLf & "Folder: " & ExportFolder, vbInformation, ""
        End If

        ' Close without saving, restore events and shut Excel down.
        WBook.Close False
        xl.Application.EnableEvents = True
        xl.Quit
    End Sub
    [/code]

  • Ukko
    Ukko Posts: 3,727 Superuser

    Hello,

    But I think the detection (or other) cannot be based on the file name. The most related point (which can be there) is the hash, which can be (?) the same there (on-the-fly... but with the same size/source and as a result the same hash)?

    DeepGuard should detect (or re-detect as a known and already blocked one) based on the hash. So... potentially... if there is another file name... the detection (with the same steps) happens anyway.

    About the detection: if there is an "Exploit-prompt" (such as exploit-in-action), there should be a prompt and an option something like "Ok... there is an exploit of the application 'Excel', but I will continue to use Excel and do not want to close it".

    If there is a "Malicious-prompt" (such as DeepGuard detecting and thinking that the file is malicious), there indeed should be no choices for the user.

    But... probably excluding from scanning can be (?!) helpful (to be totally sure... maybe you need to exclude from both real-time and manual scanning; it is possible to exclude a folder or a file name/extension).

    And if there is a "Malicious-prompt" and the detection name is like "Something.Exploit!DeepGuard" - maybe some actions (with some background) partly triggered the detection by DeepGuard (DeepGuard is like NHIPS/Application Control: it re-checks actions during work and if there are some suspicious actions/things/points with some "critical" stamp... they will be prevented).

    The reason for the detection... can be a mistake. Like a "signature" for the logic engine/design... created too "common" and as a result... your vbs script is covered by this "potentially suspicious".

    There can be something like a meaning of "freshly created and first-used, not-known file as a script... created in a "potentially critical place" and doing a "potentially critical action" such as invoking Excel for some reason and doing some maybe safe/maybe not actions, and some specific additional not visible point". Maybe some exploits (which are usually close to a safe file) were around the same design/actions, but with an additional malicious destination.

    Such as this can be an "outdated meaning" as a workaround for DeepGuard "dreams", which should be improved.

    Just because I am also just an F-Secure user... there can be a proper response by the F-Secure team (tomorrow... or during work days in the community) or by F-Secure Support/Labs as F-Secure SAS.

    But I also maybe will try to re-check it with my system - to see if there is the same result.
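
    On the hash point above: the following is an added example, not from this thread and not F-Secure's own logic (DeepGuard's internals are not documented here). It is a small Python model of two hypothetical allow-list policies, one keyed on the script's content hash (how a sample whitelisted once by a lab would behave) and one keyed on the file path (how an "exclude this file" setting would behave). The script template, TEMP paths and workbook names are constructed stand-ins. Because the posted script embeds the workbook path in FullFileName, a copy regenerated for a different workbook has different bytes and therefore a different hash, while its name in TEMP stays the same; the example makes that concrete.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed stand-in for the generated script. As in the script posted
# above, the only part that changes from run to run is the embedded workbook
# path; everything else (and the file name in %TEMP%) stays identical.
SCRIPT_TEMPLATE = (
    "Option Explicit\r\n"
    "Dim FullFileName\r\n"
    'FullFileName = "{workbook}"\r\n'
    "Main\r\n"
)

# Constructed sample paths: the script written for two different workbooks,
# plus the same content saved under another file name.
TEMP_SCRIPT = r"C:\Users\hans\AppData\Local\Temp\export-vba.vbs"
RENAMED_SCRIPT = r"C:\Users\hans\AppData\Local\Temp\something-else.vbs"
WORKBOOK_A = r"G:\Projects\Report-A.xlsm"
WORKBOOK_B = r"G:\Projects\Report-B.xlsm"


def render_script(workbook_path):
    """Script text the generator would write for one workbook."""
    return SCRIPT_TEMPLATE.format(workbook=workbook_path)


def sha256_hex(text):
    """SHA-256 of the bytes that would land on disk; the file name plays no part."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def normalise_path(path):
    """Windows paths compare case-insensitively, so lower-case before matching."""
    return str(PureWindowsPath(path)).lower()


def allowed_by_hash(allow_hashes, script_text):
    """Hypothetical allow-list keyed on content hash."""
    return sha256_hex(script_text) in allow_hashes


def allowed_by_path(allow_paths, script_path):
    """Hypothetical allow-list keyed on the script's full path."""
    return normalise_path(script_path) in {normalise_path(p) for p in allow_paths}


def compare_policies():
    """Run both policies against the constructed samples and return the outcomes."""
    script_a = render_script(WORKBOOK_A)
    script_b = render_script(WORKBOOK_B)

    # Allow-lists built from the one file that was submitted and approved.
    approved_hashes = {sha256_hex(script_a)}
    approved_paths = {TEMP_SCRIPT}

    return {
        # Same content under a different name: the hash policy still matches,
        # which is why renaming the file does not change a hash-based verdict.
        "renamed_same_content_by_hash": allowed_by_hash(approved_hashes, script_a),
        "renamed_same_content_by_path": allowed_by_path(approved_paths, RENAMED_SCRIPT),
        # Next workbook: the embedded path changes, so the hash changes and a
        # one-off hash whitelist no longer covers the regenerated script.
        "next_workbook_by_hash": allowed_by_hash(approved_hashes, script_b),
        "next_workbook_by_path": allowed_by_path(approved_paths, TEMP_SCRIPT),
        "hashes_differ": sha256_hex(script_a) != sha256_hex(script_b),
    }


if __name__ == "__main__":
    for name, outcome in compare_policies().items():
        print(f"{name:32} {outcome}")
```

    The practical point for the defender is that a sample whitelisted once by hash covers only that exact byte sequence, so for an on-the-fly script whose content varies per workbook, a path-based exclusion is the more durable control; whether the exclusion setting mentioned earlier in the thread applies to DeepGuard's real-time checks is exactly what the thread is trying to find out.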


  • Hi keebellah,

    Based on your information, I had a check with our lab engineers. Please submit the VBS script together with a screenshot of the detection prompt (with the Details tab expanded) for further investigation. The detection might be due to DeepGuard detecting the VB script.

    Please also submit the executable that is responsible for creating the VBS script on the fly. We suspect DeepGuard might be blocking the exe generating the script.

    Kindly proceed to submit the sample to our labs for analysis as mentioned in the above comment.

  • keebellah
    keebellah Posts: 5 New Member

    I don't think you're going to expect me to send you the complete Office installation.

    Excel.exe is the one that triggers the vba script.

    The script's contents are listed in a previous answer.

    I will attempt to attach a screenshot of what F-Secure makes of it.

    I am very disappointed in the application that I cannot even whitelist my own scripts.

    I regret to say that in the meantime I am looking for a better and more trustworthy solution instead of F-Secure; I was enthusiastic (in the beginning) but this has brought it back to inefficient for me.

  • keebellah
    keebellah Posts: 5 New Member

    I just registered a ticket with support. (xxxxxx)

    EDIT: removed Ticket details

This discussion has been closed.