F-Secure DeepGuard alarm and wscript.exe
Greetings,
we got an F-Secure DeepGuard alarm today.
The user told me he downloaded a zip file with Google Chrome,
in which there should be a Word document.
He said he deleted the zip file and did not open
it. Attached are some screenshots from F-Secure.
The question is: is it true that he did not open it?
Can F-Secure detect it without running something,
or did the user run the file inside the zip? Was
wscript.exe called by this, or did F-Secure only
detect that inside the zip there is something which wants
to call wscript.exe?
Is it possible that Chrome can run wscript.exe or a JavaScript (JS) file
that is calling wscript?
Best Regards
Ole
Answers
-
Hi Ole
Regarding this case, I suggest submitting a case and sample to our detection team:
https://www.f-secure.com/en/business/support-and-downloads/submit-a-sample
0 -
Hi Jamesch,
we don't have a sample; the download is already deleted.
Is it possible to get information from the log files
about which file called wscript, or whether it wasn't called at all
and only a file was detected?
Ole
0 -
Hi,
I could reconstruct the problem.
I used the Chrome DownloadMetadata file to find the downloaded zip.
I downloaded the file in a safe environment and decompressed it.
Inside there was an obfuscated JS file, which calls wscript to load
a file from the internet and run it.
The user had opened the zip and clicked the JS :-(
Ole
0 -
Hi Ole
Just to confirm: this is not a product or detection issue, correct?
0
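Added example, not from this thread or from WithSecure: a small Python triage script for the question Ole raised in his second post (was wscript.exe actually launched, and by which file?). It assumes process-creation records exported in a constructed pipe-delimited form modelled on Windows Security event 4688 (new process, creator process, command line); the sample lines, user name and file names are made up for the example. It flags wscript.exe/cscript.exe launches that carry a script-file argument and notes when the script sits in Explorer's Temp1_*.zip extraction folder, which is where a file double-clicked inside a zip is normally extracted to.

```python
import re

# Constructed sample records modelled on Security event 4688 fields.
# They are made up for this example, not taken from the thread's screenshots.
SAMPLE_EVENTS = [
    "4688|NewProcessName=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|CreatorProcessName=C:\\Windows\\explorer.exe|CommandLine=chrome.exe",
    "4688|NewProcessName=C:\\Windows\\System32\\wscript.exe"
    "|CreatorProcessName=C:\\Windows\\explorer.exe"
    "|CommandLine=\"C:\\Windows\\System32\\wscript.exe\" "
    "\"C:\\Users\\ole\\AppData\\Local\\Temp\\Temp1_invoice.zip\\invoice.js\"",
    "4688|NewProcessName=C:\\Windows\\System32\\notepad.exe"
    "|CreatorProcessName=C:\\Windows\\explorer.exe"
    "|CommandLine=notepad.exe C:\\Users\\ole\\Documents\\notes.txt",
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Command line ends with a Windows Script Host file type (optionally quoted).
SCRIPT_EXT = re.compile(r'\.(js|jse|vbs|vbe|wsf)["\s]*$', re.IGNORECASE)
# Explorer extracts a file opened from inside a zip to %TEMP%\Temp1_<archive>.zip\
ZIP_PREVIEW = re.compile(r"\\Temp\d*_[^\\]+\.zip\\", re.IGNORECASE)


def parse_event(line):
    """Split 'EventId|Key=Value|Key=Value' into a dict (assumed export format)."""
    event_id, *fields = line.split("|")
    rec = {"EventId": event_id}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def script_host_launches(lines):
    """Return one finding per wscript/cscript launch with parent and script details."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventId") != "4688":
            continue
        image = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        if image not in SCRIPT_HOSTS:
            continue
        cmd = ev.get("CommandLine", "")
        hits.append({
            "host": image,
            "parent": ev.get("CreatorProcessName", "").rsplit("\\", 1)[-1].lower(),
            "command_line": cmd,
            "script_argument": bool(SCRIPT_EXT.search(cmd)),   # a .js/.vbs/... was passed
            "from_zip_preview": bool(ZIP_PREVIEW.search(cmd)),  # opened from inside a zip
        })
    return hits
```

A wscript.exe record whose parent is explorer.exe and whose script path is under a Temp1_*.zip folder is the trace you would expect if the user double-clicked the JS inside the zip; no such record at all supports the "never opened" version.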