DeepGuard blocked a ScriptStager infection


Today DeepGuard detected and blocked an infection with description "Exploit:W32/ScriptStager.B!DeepGuard" on one of my machine.

From PSB portal i have only wscript.exe without any other info, so i don't know where the infection came from.


2018-06-21 19_07_21-PSB1 Portal – F-Secure.png


Maybe it can be a false positive, but i need more information to judge if it's malicious or not.

There's a way to see a detailed log about DeepGuard detection?


Thanks in advance,



  • fedool
    fedool Posts: 162 WithSecure Employee



    Deepguard does not log anything special by default which would help you to investigate this.

    You can try checking in Windows Events log special log "FSecureUltralightSDK" under "Application and Services logs/F-Secure Ultralight SDK" - it may have more info about blocked app.


  • etomcat
    etomcat Posts: 1,172 Forum Champion

    Dear Fedool,

    The FSAV alert quoted by the user includes the file's hash checksum as "2661e5f3562dd03c0ed21c33e2888e2fd1137d8c".


    This can be searched for on Virustotal webportal to see that the incident is likely a false alarm:

    F-Secure's virus lab can also fetch the particular binary sample from Virustotal's repository and provide the fix based on that, so there is no need for the end user to submit anything more!

    Yours Sincerely: Tamas Feher, 2F 2000 Kft., Budapest, Hungary.

  • fedool
    fedool Posts: 162 WithSecure Employee

    Virustotal result is for wscript.exe itself but DeepGuard does not block wscript as a file, it blocks it during execution because it detects some suspicious behavior.

    It's possible because wscript is used to run scripts and scripts can do suspicious things, like writing to system files or registry.

    Which exact set of operations triggered detection is unknown - we need to see executed script to check that.

This discussion has been closed.