How can indicate that a vbs script is trusted and may be allowed?

I am using F-Secure (license through XS4ALL (NL))

Cmputer Security 14.150 build 101

DeepGuard 5.0 build 580, it's teher.

I have an application with which I create a vbs script on-the-fly, this script is craeted in the TEMP folder, used once and deleted thareafter.

If invokes Excel carries out some tasks and the closes and deletes itself.

The vbs script always has the same name.

Whn I run it DeepGuard detects it as an exploitA and then closes it.

If I go to the TEMP folder and execute the vbscript (double click) it runs and DeepGuard doesn't complain and it runs.

Wher can I indicate it (I have admin rights) that thsi script is trusted and must alwyas be allowed?

OS: Windows 10 64-bit, Office 32-bit.

Tnkas for any tips and answers.

Hans

 

Comments

  • Simon
    Simon Posts: 2,667 Superuser

    Excluding the file from a virus scan probably won't work, but it might still be worth a try, if you go to Settings > Virus Protection > Exclude files from the scan... then navigate to your vbs script.

     

    However, I think that will only exclude files from a scheduled or manual scan, and if FS detects something executing which it considers dangerous, it will still block it.  So, you may need to Submit the file for analysis at the F-Secure labs, so that they can whitelist it for you.

  • keebellah
    keebellah Posts: 5 New Member

    Thanks for the reply.

    The file is already present.

    Of course I can submit the file but the you'll have to explain to me why I can run it by double-clicking the file and not as administartor anb that F-secure ignores it?

    Why does it see it as an Exploit, is there some more in-depth documentation for that.

    I do not think F-secure is then all that trustworthy?

    I'm wondering.

     

  • Simon
    Simon Posts: 2,667 Superuser

    Sorry, I can't answer the technicalities as to why the script should sometimes be blocked and sometimes not.  If you want to submit a Support Ticket with the file from the Support Tool then the tech guys may be able to answer your question. 

  • Ukko
    Ukko Posts: 3,611 Superuser

    Hello,

     

    Sorry for my long reply. Smiley Sad

     

    There can be some of points about your situation (and this is just my suggestions and dreams based on my experience with using F-Secure solution):

     

    Spoiler

    --> Not sure.. and this suggestion should be with re-check actions (?! temporary I can not to re-check it with stable F-Secure IS solution):

     

    Spoiler

    your words have point... that F-Secure solution provided for you by your operator.

    And on current days... stable F-Secure IS solution (from F-Secure website directly) will be probably more "up-to-date", than your solution (mostly about bug-fixes or improve-actions for drop f/p detections, performance-improvement and some other features).

     

    Potentially... there possible can be trouble.. that your DeepGuard (partly module or logic-design) can be small-outdated. So... current "strange" situation may be fixed with later stable releases (when start be known or re-designed to improve it). But....

     

    This is not so likely.. but can be... if you think that situation about detection too much strange (close to f/p detection).

    My installation have small-different about Build-number for DeepGuard.

     

     

     

    --> F-Secure SAS potentially have feature (if you provide your mail-address during transfer file) about "response":

    Spoiler
    So.. possible to transfer file with words (like "your questions" about) and potentially receive answer by F-Secure Labs. But more often this is some kind of "secret". And application/file will be just added under white-list (which will be not helpful for re-create same application) with additional points.
    Or if there will be re-designed for detection and F-Secure Labs founds reasons for detection too much "mistake".

     

     

    --> My suggestions can be like that: possible this detection triggered by some of "logic"-stamp.... and there can be different explanation for detection.

     

    Spoiler

    Maybe because by application?! maybe because something else. Most likely F-Secure SAS/F-Secure Labs have normal information about certain reasons. Based on "permissions for access" or other. Such as not likely about how you launch it, but related with complex-of-points. And not about just one point as main reason for detection (but this is can be too).

     

    DeepGuard detected "potential" exploits too.

    This is mean... if in somewhat reasons there suspicious (or close to exploit-known-points) actions .... file can be prevented for work.

     

     

     

     BUT... does you  mean that you get prompt about "exploit-in-work" for Excel application (with this... possible you able to allow work). This is should be like "DeepGuard detected exploit-action".

     

    OR... there just DeepGuard prompt about "malicious file" and words about exploit just under "Detection"-name? With this... most likely.. there most helpful steps will be using F-Secure SAS/Labs for drop detection. Such as.... f/p detection. There can be two (?!) results: your file (which transferred) will be added to white-list (if file will be marked as safe by F-Secure Labs)....  or will be re-designed action for improve detection about current "signature" (for improve situations, when safe files triggered same detection as malicious or too-much-suspicious).

     

    Sorry for reply.

  • keebellah
    keebellah Posts: 5 New Member

    Below is the vbs file, it always has the same name and is created on-the-fly

    There is nothing strange in it, it just invokes Excel ans lists the contents of the Excel file's vba code

     

     

    [code]

    Option explicit
    Const vbext_ct_ClassModule = 2
    Const vbext_ct_Document = 100
    Const vbext_ct_MSForm = 3
    Const vbext_ct_StdModule = 1

    Main


    Sub Main
    Dim xl
    Dim fs
    Dim WBook
    Dim VBComp
    Dim Sfx
    Dim ExportFolder
    Dim FullFileName

    FullFileName = "G:\_Forii_hc&ts\AWVN\AWVN- Digitale Vlootschouw V1.2 (LEEG).XLSM"

    If Len(Trim(FullFileName)) > 0 Then

    If (InStr(1,lcase(FullFileName),".xl")) = 0 Then
    MsgBox "This code only handles Excel files!", vbExclamation,"OPERATION ABORTED"
    WScript.Quit
    End If

    Set xl = CreateObject("Excel.Application")
    Set fs = CreateObject("Scripting.FileSystemObject")

    xl.Visible = true
    xl.Application.EnableEvents = False
    Set WBook = xl.Workbooks.Open(Trim(FullFileName))

    ExportFolder = WBook.Path & "\" & "vba-" & year(Date()) & right("00" & month(Date()),2) & right("00" & day(Date()),2) & "-" & fs.GetBaseName(WBook.Name)

    If fs.FolderExists(ExportFolder) = False Then fs.CreateFolder(ExportFolder)

    On Error Resume Next
    For Each VBComp In WBook.VBProject.VBComponents
    If Err.Number = 0 Then
    Err.Clear
    On Error Goto 0
    Select Case VBComp.Type
    Case vbext_ct_ClassModule, vbext_ct_Document
    Sfx = ".cls"
    Case vbext_ct_MSForm
    Sfx = ".frm"
    Case vbext_ct_StdModule
    Sfx = ".bas"
    Case Else
    Sfx = ""
    End Select
    If Sfx <> "" Then
    On Error Resume Next
    Err.Clear
    VBComp.Export ExportFolder & "\" & VBComp.Name & Sfx
    If Err.Number <> 0 Then
    MsgBox "Failed to export " & ExportFolder & "\" & VBComp.Name & Sfx
    End If
    On Error Goto 0
    End If
    Else
    MsgBox Err.Description , vbCritical, Err.Number
    End If
    Next
    WBook.Close False
    xl.Application.EnableEvents = True
    xl.Quit
    If Err.Number = 0 Then MsgBox "Done!" & vbCrLf & "Folder: " & ExportFolder , vbInformation,""
    End If
    End Sub

     [/code]

     

  • Ukko
    Ukko Posts: 3,611 Superuser

    Hello,

     

    But I think detection (or other) can not be based on file-name. Most related point (which can be there) is hash, which can be (?) same there (on-the-fly... but with same size/source and as result same hash)?

    DeepGuard should to detect (or re-detect as known one and already blocked) based on hash. So.. potentially.. if there will be another file-name... detection (with same steps) anyway happened.

     

    About detection: if there "Exploit-prompt" (such as exploit-in-action). There should be prompt and option something like "Ok.. there is exploiting application 'Excel', but I will continue to use Excel and do not want close it".

     

    If there "Malicious-prompt" (such as DeepGuard detect and think that file is malicious). There indeed should be missing any of choices by user.

    But ... probably there can be (?!) helpful exclude from scanning (for total sure... maybe need to exclude from real-time and from manual scanning; possible to exclude folder or file-name/extension).

     

    And if there "Malicious-prompt" and detection name have like "Something.Exploit!DeepGuard" - maybe some of actions (with some of backgrounds) partly triggered detection by DeepGuard (DeepGuard like NHIPS/Application Control. Re-check action during work and if there some of suspicious actions/things/points with some of "critical"-stamp ... will be prevented).

    The reason for detection.... can be mistake. Like "signature" for logic-engine/design... created too much "common" and as result.. your vbs-script covered by this "potential suspicious".

    There can be something like as meanings "fresh created and first-one-using-not-known file as script... created under "potential critical place" and to do "potential critical action" as invoke Excel for somewhat reason and do some of maybe safe/maybe not actions. and some of specific additional not visible point".  Maybe some of exploits (which usually close to safe-file) was around same design/actions, but with additional malicious destination.

    Such as this is can be "outdated meaning" as workaround for DeepGuard "dreams", which should be improved.

     

    Just because I also just F-Secure user... there can be normal response just by F-Secure team (tomorrow.. or during work-days under community) or by F-Secure Support/Labs as F-Secure SAS.

     

    But I also maybe will try to re-check it with my system - if there will be same result.

     

  • Laksh
    Laksh Posts: 4,224 Former F-Secure Employee

    Hi keebellah,

     

    Based on your information, I had a check with our lab engineers. Please submit the VBS script together with a screenshot of the detection prompt (with Details tab expanded) for further investigation. The detection might be due to deepguard detecting the VB script.

     

    Please also submit the executable that is responsible in creating the VBS script on the fly. We are suspecting Deepguard might be blocking the exe generating the script.

     

    Kindly proceed to submit the sample to our labs for analysis as mentioned in the above comment.

  • keebellah
    keebellah Posts: 5 New Member

    I don't think you're going to expect me to send you the comple office installtion.

    Excel.exe is the one that triggers the vba script.

    The script's contentes are listed in a previous answer.,

    I will attempt to attach a screenshot of what F-secure makes of it.

    I am veruy dissappointed in the application that I cannot even whitelist my own scripts.

    I regret to saay that in the meantime I am looking for a better an more trustworthy solution instead of F-secure; I was enthousistic (in the beginning) but this has brought it back to unefficient for me.

     

     

  • keebellah
    keebellah Posts: 5 New Member

    I just registered a ticket with support. (xxxxxx)

     

    EDIT: removed Ticket details

This discussion has been closed.
Pricing & Product Info