Deepguard detects wscript.exe, ieexplorer.exe, winword.exe, explorer.exe and excel.exe

Issue:

I'm getting a detection for the following files: wscript.exe, ieexplorer.exe, winword.exe, explorer.exe, excel.exe

Resolution:

These detections usually come from DeepGuard. The following files are normally clean; each is a legitimate Microsoft file:

  • wscript.exe
  • ieexplorer.exe
  • winword.exe
  • explorer.exe
  • excel.exe

These legitimate Microsoft files are blocked by DeepGuard because a suspicious file, script or application is trying to run them. The detection is therefore about the caller, not about the Microsoft binary itself.

To investigate further, contact F-Secure support and provide the following:
  1. FSDIAG - https://community.f-secure.com/t5/Common-topics/How-do-I-create-an-FSDIAG-file/ta-p/18190
  2. The file or script, if any, that you were running when you received the detection.

Example case with Excel, showing how to find the script that is causing the alert:

Alert shown in Policy Manager Server / Windows Event log:

DeepGuard blocked an exploit action.
Application path: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File hash: 6490a5897c31e43393c0feba365a08611340867c

The Policy Manager alert only names the blocked application and its hash. Locally on that machine, you can check AlertSenderPlugin.log, which contains more detailed information about the same event, including the file that triggered the block (the "Exploit" field in the JSON):

[...]
2019-09-20 09:38:30.426 [1004.2b68] I: ULAVMonitoring::callbackOnOASAlert: Got OAS alert with JSON: {"bookmark":"PEJvb2ttYXJrTGlzdD4NCiAgPEJvb2ttYXJrIENoYW5uZWw9J0ZTZWN1cmVVbHRyYWxpZ2h0U0RLJyBSZWNvcmRJZD0nMTIxNTknIElzQ3VycmVudD0ndHJ1ZScvPg0KPC9Cb29rbWFya0xpc3Q+","rl":"sp.evt.dg.block","rv":{"AskSample":0,"Detection":"Exploit:W32/OfficeExploitPayload.A!DeepGuard","Exploit":"d:\\shared\\download\\samples\\macrotest.xlsm","Hash":"6490a5897c31e43393c0feba365a08611340867c","Path":"C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE","ProcessID":17996,"Rarity":2,"Reason":10,"Reputation":1,"SessionID":1,"tickcount":2348045081145}}. Extra data size: 0
[...]

In this case, the alert is caused by this macro file (the "Exploit" value, shown in the log with JSON-escaped backslashes):
d:\shared\download\samples\macrotest.xlsm

AlertSenderPlugin.log is located here on clients with Client Security 14.x and PSB Computer Protection:
C:\ProgramData\F-Secure\Log\PSB\AlertSenderPlugin.log
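The lookup described above can be scripted for triage: read AlertSenderPlugin.log, pick out the "Got OAS alert with JSON" lines, decode the embedded JSON, keep only DeepGuard block events (rl = sp.evt.dg.block) and report the blocked application, the triggering file and the hash, so the local entry can be matched against the hash shown in Policy Manager. The following is an added example, not F-Secure's own tooling; the log line format and field names are taken from the excerpt above, the sample log text is constructed here (one non-alert line plus a copy of the article's alert line), and the log path is the one the article gives for Client Security 14.x / PSB Computer Protection.

```python
import json
import re
import sys

# Default location of the log on Client Security 14.x / PSB Computer Protection,
# as stated in the article.
DEFAULT_LOG_PATH = r"C:\ProgramData\F-Secure\Log\PSB\AlertSenderPlugin.log"

# Constructed sample: a harmless non-alert line followed by a copy of the
# alert line shown in the article (raw string, so the JSON escaping is kept).
SAMPLE_LOG = r"""
2019-09-20 09:38:29.101 [1004.2b68] I: ULAVMonitoring::start: monitoring started
2019-09-20 09:38:30.426 [1004.2b68] I: ULAVMonitoring::callbackOnOASAlert: Got OAS alert with JSON: {"bookmark":"PEJvb2ttYXJrTGlzdD4NCiAgPEJvb2ttYXJrIENoYW5uZWw9J0ZTZWN1cmVVbHRyYWxpZ2h0U0RLJyBSZWNvcmRJZD0nMTIxNTknIElzQ3VycmVudD0ndHJ1ZScvPg0KPC9Cb29rbWFya0xpc3Q+","rl":"sp.evt.dg.block","rv":{"AskSample":0,"Detection":"Exploit:W32/OfficeExploitPayload.A!DeepGuard","Exploit":"d:\\shared\\download\\samples\\macrotest.xlsm","Hash":"6490a5897c31e43393c0feba365a08611340867c","Path":"C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE","ProcessID":17996,"Rarity":2,"Reason":10,"Reputation":1,"SessionID":1,"tickcount":2348045081145}}. Extra data size: 0
"""

# Matches the alert line layout seen in the article: timestamp, [pid.tid],
# the callback name, then the JSON object, then the trailing "Extra data size".
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \[(?P<thread>[^\]]+)\] "
    r"I: ULAVMonitoring::callbackOnOASAlert: Got OAS alert with JSON: "
    r"(?P<json>\{.*\})\. Extra data size: (?P<extra>\d+)$"
)


def parse_oas_alerts(log_text):
    """Return one dict per 'Got OAS alert' line, with its JSON decoded.

    Lines that do not match, or whose JSON is truncated/malformed (a common
    result of log rotation mid-write), are skipped instead of aborting the run.
    """
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        try:
            payload = json.loads(m.group("json"))
        except json.JSONDecodeError:
            continue
        alerts.append({
            "timestamp": m.group("ts"),
            "rl": payload.get("rl"),
            "rv": payload.get("rv", {}),
        })
    return alerts


def deepguard_blocks(alerts):
    """Keep only DeepGuard block events and pull out the fields an analyst needs:
    what DeepGuard reported, which application was blocked, which file triggered
    the block, and the hash to correlate with Policy Manager."""
    rows = []
    for a in alerts:
        if a["rl"] != "sp.evt.dg.block":
            continue
        rv = a["rv"]
        rows.append({
            "timestamp": a["timestamp"],
            "detection": rv.get("Detection"),
            "blocked_application": rv.get("Path"),
            "triggering_file": rv.get("Exploit"),
            "hash": rv.get("Hash"),
            "pid": rv.get("ProcessID"),
        })
    return rows


def find_by_hash(rows, file_hash):
    """Correlate a Policy Manager alert (which shows only the application path
    and hash) with local log entries carrying the same hash."""
    wanted = file_hash.strip().lower()
    return [r for r in rows if (r["hash"] or "").lower() == wanted]


def report(log_text, file_hash=None):
    rows = deepguard_blocks(parse_oas_alerts(log_text))
    if file_hash:
        rows = find_by_hash(rows, file_hash)
    for r in rows:
        print(f"{r['timestamp']}  {r['detection']}")
        print(f"  blocked application: {r['blocked_application']} (pid {r['pid']})")
        print(f"  triggering file:     {r['triggering_file']}")
        print(f"  hash:                {r['hash']}")
    return rows


if __name__ == "__main__":
    # Usage: python dg_triage.py [path-to-AlertSenderPlugin.log] [hash]
    # With no arguments the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    report(text, sys.argv[2] if len(sys.argv) > 2 else None)
```

On a real client, run it against the log path the article gives and pass the hash from the Policy Manager alert as the second argument; the printed "triggering file" is the script or document to submit to support together with the FSDIAG.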

Article no: 000004495
