How do I remove Exploit:W32/PowerShellStager.B!DeepGuard?
Accepted Answer
-
Hello,
There is this KB article about the problem in general: Why am I getting repeated alerts from Deepguard about Powershell? - F-Secure Community
How to create fsdiag: Using the support tool | Internet Security (2022) | Latest | F-Secure User Guides (if your F-Secure solution is another one, steps still can be relevant in parts)
How to contact Support: Contact support | F-Secure (for example, bottom right corner with web-chat widget as an option).
As a discussion between Community users:
Mentioned detection is designed to block script-stagers (via PowerShell in this case) from doing their malicious intentions. Something is trying to use PowerShell to perform some kind of suspicious action. To exploit something.
Since your situation is not about a single case (opened some document or website). But repetitive popups - it is likely that if this is not false-positive for some scheduled tasks or scripts of some safe software, then something like file-less threat in the system or as mentioned in KB-article - tricky scheduled task. However, DeepGuard blocks execution attempts. I am not sure, though, if any changes were made to your system prior to the block-point.
The most easiest solution is to collect Fsdiag.zip (second URL with Using the Support Tool guide) and to contact F-Secure official Support channel to share your experience with description and information. Support Agents, then, may assist with a proper cleaning or fixing situation.
Alternatively, you can try looking in Windows Events logs via system Event Viewer. For example, "FSecureUltralightSDK" under "Application and Services logs/F-Secure Ultralight SDK" - it may be with a bit more information about blocking event. If not, you can try to look at Task Scheduler for yourself and check if anything suspicious there.
I keep getting popups that say an app was closed and but I cannot find information on how to remove it.
Thus, you cannot remove "Exploit:W32/PowerShellStager.B!DeepGuard ". But you can try to eliminate a reason for DeepGuard's blocking 'exploit"-attempt to use PowerShell.
If the information above is not enough or not clear (or some steps are not available) it is useful to know how often or when you get these popups. Whether starting the system or using some application. Every minute, hourly, or some other description may apply. So, it will be clear that it is enough not to use something, or something needs to be changed in the system.
Thanks!
Answers
-
Hello Ukko,
Thank you for you quick reply. I collected Fsdiag.zip and contacted support, but because I have F-Secure through Spectrum, I had to contact them. However, Spectrum informed me that their tech support does not assist with this kind of problem, and to contact F-Secure for help.
A full scan did not find any issues, so I am not sure how to proceed.
-
Hello,
I collected Fsdiag.zip and contacted support, but because I have F-Secure through Spectrum, I had to contact them. However, Spectrum informed me that their tech support does not assist with this kind of problem, and to contact F-Secure for help.
Well, I do able to suggest some things:
I still think that the fsdiag analysis is included in the Spectrum support area. For example, you can ask them to look in the logs for additional information about this detection (what triggers and so on). I understand that they "refuse" or cannot help in cleaning/curing the system. But you may just need information from logs about detection; no any technical assistance. They should understand the structure of fsdiag and diagnose the possibility of obtaining some useful information.
It could also be assumed that if something was not within their area of responsibility, then they could escalate your request through their channels to F-Secure and return with a response / instructions.
But, anyway, if that was their response - I would go back to the official F-Secure support channel and ask them to help anyway, as Spectrum refuses and refers to the fact that this is not their area of responsibility. However someone has to help you (which is described in this KB artcle: Why am I getting repeated alerts from Deepguard about Powershell? - F-Secure Community)
A full scan did not find any issues, so I am not sure how to proceed.
Most likely, as described in the mentioned KB article, something suspicious may be in the scheduled tasks available through the Task Scheduler.
A rough way to open Scheduled Tasks: click Windows "start"-logo, type 'Task Scheduler' (or your local name of this tool; if your Windows system is localized) and launch it. There will be libraries and tasks. You can try to find any suspicious names or suspicious description. Or list them there (if possible) as a screenshot, for example.
Perhaps one of the tasks is trying to run a suspicious script through PowerShell. If there is nothing strange there, then perhaps DeepGuard reacts to some actions in the background of one of the installed programs. In that case, as I wrote in a previous comment, it would be useful to know more information about the nature of these popups (when, how often).
And, again.. you can try these thoughts from my previous comment:
Alternatively, you can try looking in Windows Events logs via system Event Viewer. For example, "FSecureUltralightSDK" under "Application and Services logs/F-Secure Ultralight SDK" - it may be with a bit more information about blocking event.
To open Event Viewer: go to Start menu, type Event Viewer. In result - launch Event Viewer.
// steps are for Windows 10 (as such).
For example, I can get content of command line for ScriptStager-detection for cmd.exe; By finding the detection "entry" in the list and then opening more details. Where is EventData's rv with a description about the content of the script, hash, and more.
if steps are required on how to open the Windows Event Viewer and find those FSecureUltralightSDKs - you can come back with a reply and I'll try to provide the steps.
Thanks!
