DeepGuard detects wscript.exe, ieexplorer.exe, winword.exe, explorer.exe and excel.exe


I'm getting a detection for the following files: wscript.exe, ieexplorer.exe, winword.exe, explorer.exe, excel.exe


Mostly these detections come from DeepGuard. The following files are normally clean and each is a legitimate Microsoft file:

  • wscript.exe
  • ieexplorer.exe
  • winword.exe
  • explorer.exe
  • excel.exe
These legitimate Microsoft files are blocked by DeepGuard because a suspicious file, script or application is trying to run them.
In order to investigate further, contact F-Secure support and provide the following:
  1. FSDIAG -
  2. The possible file or script that you were running when you received the detection.

Example case with Excel, and how to find out the script which is causing the alert:

Alert shown in Policy Manager Server / Windows Event log:

DeepGuard blocked an exploit action.
Application path: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File hash: 6490a5897c31e43393c0feba365a08611340867c

Locally on that machine, you can check the AlertSenderPlugin.log, which contains more detailed information about this:

2019-09-20 09:38:30.426 [1004.2b68] I: ULAVMonitoring::callbackOnOASAlert: Got OAS alert with JSON: {"bookmark":"PEJvb2ttYXJrTGlzdD4NCiAgPEJvb2ttYXJrIENoYW5uZWw9J0ZTZWN1cmVVbHRyYWxpZ2h0U0RLJyBSZWNvcmRJZD0nMTIxNTknIElzQ3VycmVudD0ndHJ1ZScvPg0KPC9Cb29rbWFya0xpc3Q+","rl":"sp.evt.dg.block","rv":{"AskSample":0,"Detection":"Exploit:W32/OfficeExploitPayload.A!DeepGuard","Exploit":"d:\\shared\\download\\samples\\macrotest.xlsm","Hash":"6490a5897c31e43393c0feba365a08611340867c","Path":"C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE","ProcessID":17996,"Rarity":2,"Reason":10,"Reputation":1,"SessionID":1,"tickcount":2348045081145}}. Extra data size: 0
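The fields in a line like the one above can be pulled out with a short script. This is an added example, not F-Secure tooling; it assumes the "Exploit" field names the file that triggered the block (as macrotest.xlsm does here), and the function names and the shortened "bookmark" value are constructed for illustration.

```python
import json
import sys

MARKER = "Got OAS alert with JSON: "

# Constructed sample in the shape of the article's log line ("bookmark" shortened).
SAMPLE = (
    r'2019-09-20 09:38:30.426 [1004.2b68] I: ULAVMonitoring::callbackOnOASAlert: '
    r'Got OAS alert with JSON: {"bookmark":"PLACEHOLDER","rl":"sp.evt.dg.block",'
    r'"rv":{"AskSample":0,"Detection":"Exploit:W32/OfficeExploitPayload.A!DeepGuard",'
    r'"Exploit":"d:\\shared\\download\\samples\\macrotest.xlsm",'
    r'"Hash":"6490a5897c31e43393c0feba365a08611340867c",'
    r'"Path":"C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE",'
    r'"ProcessID":17996,"Rarity":2,"Reason":10,"Reputation":1,"SessionID":1,'
    r'"tickcount":2348045081145}}. Extra data size: 0'
)

def parse_alert(line):
    """Return the alert fields from one log line, or None if it carries no alert."""
    start = line.find(MARKER)
    if start == -1:
        return None
    try:
        # raw_decode stops at the end of the JSON object, so the trailing
        # ". Extra data size: 0" text does not break parsing.
        alert, _ = json.JSONDecoder().raw_decode(line, start + len(MARKER))
    except json.JSONDecodeError:
        return None  # truncated or corrupted line
    rv = alert.get("rv") if isinstance(alert, dict) else None
    if not isinstance(rv, dict):
        return None
    return {
        "time": line[:23],
        "event": alert.get("rl"),
        "detection": rv.get("Detection"),
        "trigger": rv.get("Exploit"),       # assumed: file that drove the process
        "blocked_process": rv.get("Path"),  # the legitimate binary that was blocked
        "hash": rv.get("Hash"),
        "pid": rv.get("ProcessID"),
    }

def triggers(lines):
    """Return parsed alerts that name a triggering file, skipping other lines."""
    return [a for a in map(parse_alert, lines) if a and a["trigger"]]

if __name__ == "__main__":
    # First argument: path to AlertSenderPlugin.log; without it, parse the sample.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else [SAMPLE]
    for a in triggers(lines):
        print(f'{a["time"]}  {a["trigger"]} -> {a["blocked_process"]}  ({a["detection"]})')
```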

In this case, the alert is caused by this macro:

AlertSenderPlugin.log is located here on clients with Client Security 14.x and PSB Computer Protection:

Article no: 000004495
