To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

DeepGuard blocked a ScriptStager infection

LGT_Gabriele W/ Alumni Posts: 1 Security Scout


Today DeepGuard detected and blocked an infection with description "Exploit:W32/ScriptStager.B!DeepGuard" on one of my machine.

From PSB portal i have only wscript.exe without any other info, so i don't know where the infection came from.


2018-06-21 19_07_21-PSB1 Portal – F-Secure.png


Maybe it can be a false positive, but i need more information to judge if it's malicious or not.

There's a way to see a detailed log about DeepGuard detection?


Thanks in advance,



  • fedool
    fedool W/ Staff, W/ Article Coordinator Posts: 162 W/ Staff



    Deepguard does not log anything special by default which would help you to investigate this.

    You can try checking in Windows Events log special log "FSecureUltralightSDK" under "Application and Services logs/F-Secure Ultralight SDK" - it may have more info about blocked app.


  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master

    Dear Fedool,

    The FSAV alert quoted by the user includes the file's hash checksum as "2661e5f3562dd03c0ed21c33e2888e2fd1137d8c".


    This can be searched for on Virustotal webportal to see that the incident is likely a false alarm:

    F-Secure's virus lab can also fetch the particular binary sample from Virustotal's repository and provide the fix based on that, so there is no need for the end user to submit anything more!

    Yours Sincerely: Tamas Feher, 2F 2000 Kft., Budapest, Hungary.

  • fedool
    fedool W/ Staff, W/ Article Coordinator Posts: 162 W/ Staff

    Virustotal result is for wscript.exe itself but DeepGuard does not block wscript as a file, it blocks it during execution because it detects some suspicious behavior.

    It's possible because wscript is used to run scripts and scripts can do suspicious things, like writing to system files or registry.

    Which exact set of operations triggered detection is unknown - we need to see executed script to check that.

This discussion has been closed.