I get that this is probably something bad trying to run a powershell script, but how do I know what the offender is and how do I clean it?
F-Secure Protection Service for Business has identified the following security incidents:
Time;Account;Host;Infection;Action;Type;Infected Object;Infected Object SHA1
Thu, 23 August 2018 20:21:06 UTC MyCompany-internal FLT-20 Exploit:W32/PowerShellStager.B!DeepGuard Blocked File c:\windows\syswow64\windowspowershell\v1.0\powershell.exe 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
The detection is for blocking stagers from dropping or downloading their stage. So in usual cases, there should not be anything to clean except to delete or not to visit the document or website that triggered the detection.
If the detection is recurring, it might be a sign that there was a file-less persistence that got past our defenses or some script is running and doing that.
I will try to figure out if there is some log you can use to detect what initiates this detection.
This topic has been closed due to inactivity. If you would like to discuss this topic further, please start a new post.
You can reference this topic in your post by adding this link:
Visit the Community
Check our Forums or How-to & FAQs for advice or answers
View User Guides
Refer to our getting started guides and product manuals
Talk to our Support and get answers to your questions