DeepGuard blocked a ScriptStager infection

Hi,

Today DeepGuard detected and blocked an infection with description "Exploit:W32/ScriptStager.B!DeepGuard" on one of my machine.

From PSB portal i have only wscript.exe without any other info, so i don't know where the infection came from.

2018-06-21 19_07_21-PSB1 Portal – F-Secure.png

Maybe it can be a false positive, but i need more information to judge if it's malicious or not.

There's a way to see a detailed log about DeepGuard detection?

Thanks in advance,

Gabriele.

Find more posts tagged with

Comments

fedool

Virustotal result is for wscript.exe itself but DeepGuard does not block wscript as a file, it blocks it during execution because it detects some suspicious behavior.

It's possible because wscript is used to run scripts and scripts can do suspicious things, like writing to system files or registry.

Which exact set of operations triggered detection is unknown - we need to see executed script to check that.

etomcat

Dear Fedool,

The FSAV alert quoted by the user includes the file's hash checksum as "2661e5f3562dd03c0ed21c33e2888e2fd1137d8c".

This can be searched for on Virustotal webportal to see that the incident is likely a false alarm:
https://www.virustotal.com/#/file/62a95c926c8513c9f3acf65a5b33cbb88174555e2759c1b52dd6629f743a59ed/detection

F-Secure's virus lab can also fetch the particular binary sample from Virustotal's repository and provide the fix based on that, so there is no need for the end user to submit anything more!

Yours Sincerely: Tamas Feher, 2F 2000 Kft., Budapest, Hungary.

fedool

Hello,

Deepguard does not log anything special by default which would help you to investigate this.

You can try checking in Windows Events log special log "FSecureUltralightSDK" under "Application and Services logs/F-Secure Ultralight SDK" - it may have more info about blocked app.