Issue:
This article applies to the following WithSecure products: WithSecure Client Security, WithSecure Server Security, Elements EPP Computer Protection and Elements EPP Server Protection
I am getting a detection for the following files: wscript.exe, ieexplorer.exe, winword.exe, explorer.exe, excel.exe, and regsvr32.exe by DeepGuard. How can I fix this?
Resolution:
Most of these detections come from DeepGuard (a core component of WithSecure products that monitors applications to detect potentially harmful changes to the system). The files listed above are normally clean and each is a legitimate Microsoft file:
For the business products, to investigate further, contact WithSecure support and provide the following:
- A WSDIAG log - refer to this KB article for instructions on how to create a WSDIAG log
- The file or script, if any, that you were running when you received the detection.
The following is an example case with Microsoft Excel, showing how to find the script that is causing the alert:
Alert shown in Policy Manager Server or the Windows Event log:
DeepGuard blocked an exploit action.
Application path: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File hash: 6490a5897c31e43393c0feba365a08611340867c
Locally on that machine, you can check AlertSenderPlugin.log, which contains more detailed information about the alert:
[...]
2019-09-20 09:38:30.426 [1004.2b68] I: ULAVMonitoring::callbackOnOASAlert: Got OAS alert with JSON: {"bookmark":"PEJvb2ttYXJrTGlzdD4NCiAgPEJvb2ttYXJrIENoYW5uZWw9J0ZTZWN1cmVVbHRyYWxpZ2h0U0RLJyBSZWNvcmRJZD0nMTIxNTknIElzQ3VycmVudD0ndHJ1ZScvPg0KPC9Cb29rbWFya0xpc3Q+","rl":"sp.evt.dg.block","rv":{"AskSample":0,"Detection":"Exploit:W32/OfficeExploitPayload.A!DeepGuard","Exploit":"d:\\shared\\download\\samples\\macrotest.xlsm","Hash":"6490a5897c31e43393c0feba365a08611340867c","Path":"C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE","ProcessID":17996,"Rarity":2,"Reason":10,"Reputation":1,"SessionID":1,"tickcount":2348045081145}}. Extra data size: 0
[...]
In this case, the alert is caused by this macro file, shown in the "Exploit" field of the log entry:
d:\shared\download\samples\macrotest.xlsm
AlertSenderPlugin.log is located at the following path on clients with Client Security 16.x and Elements Endpoint Protection:
C:\ProgramData\F-Secure\Log\PSB\AlertSenderPlugin.log
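The log entry above is a single line with a JSON payload, and the "Exploit", "Path" and "Hash" fields are what you need to match the Policy Manager alert to the file that triggered it. The following script is an added example (not part of the article or the WithSecure product) that extracts those fields from AlertSenderPlugin.log lines and looks up an entry by the file hash shown in the alert. The marker text "Got OAS alert with JSON: " and the field names are taken from the log excerpt above; the sample log is constructed (the first line is the one quoted in the article, the second is a made-up wscript.exe alert with a placeholder hash).

```python
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Text that precedes the JSON payload in an AlertSenderPlugin.log alert line
# (taken from the log excerpt in the article).
ALERT_MARKER = "Got OAS alert with JSON: "
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


@dataclass
class DeepGuardAlert:
    timestamp: str
    rule: str                 # "rl" field, e.g. sp.evt.dg.block
    detection: str            # "rv.Detection"
    application: str          # "rv.Path": the process DeepGuard acted on
    trigger: Optional[str]    # "rv.Exploit": the file or script behind the alert
    sha1: str                 # "rv.Hash": matches the "File hash" in Policy Manager
    process_id: int           # "rv.ProcessID"


def parse_alert_line(line: str) -> Optional[DeepGuardAlert]:
    """Return a DeepGuardAlert for an OAS alert line, or None for any other line."""
    marker_at = line.find(ALERT_MARKER)
    if marker_at < 0:
        return None
    ts = TIMESTAMP_RE.match(line)
    payload = line[marker_at + len(ALERT_MARKER):]
    # raw_decode stops at the end of the first JSON value, so the trailing
    # ". Extra data size: 0" text after the object does not break parsing.
    try:
        obj, _ = json.JSONDecoder().raw_decode(payload)
    except json.JSONDecodeError:
        return None
    rv = obj.get("rv", {})
    return DeepGuardAlert(
        timestamp=ts.group(1) if ts else "",
        rule=obj.get("rl", ""),
        detection=rv.get("Detection", ""),
        application=rv.get("Path", ""),
        trigger=rv.get("Exploit"),
        sha1=rv.get("Hash", "").lower(),
        process_id=int(rv.get("ProcessID", 0)),
    )


def parse_alert_log(lines: Iterable[str]) -> List[DeepGuardAlert]:
    """Collect every DeepGuard alert from an iterable of log lines."""
    return [a for a in (parse_alert_line(l) for l in lines) if a is not None]


def alerts_for_hash(alerts: Iterable[DeepGuardAlert], sha1: str) -> List[DeepGuardAlert]:
    """Match the 'File hash' shown in the Policy Manager alert to local log entries."""
    wanted = sha1.strip().lower()
    return [a for a in alerts if a.sha1 == wanted]


def describe(alert: DeepGuardAlert) -> str:
    """One-line summary naming the file or script that caused the alert."""
    cause = alert.trigger or "(no Exploit field: the application itself was flagged)"
    return (f"{alert.timestamp} {alert.detection}: {alert.application} "
            f"(pid {alert.process_id}) blocked; triggered by {cause}")


# Constructed sample log. Line 1 is the entry quoted in the article; line 2 is a
# made-up wscript.exe alert with a placeholder hash and detection name; line 3 is
# an unrelated line that the parser must skip.
SAMPLE_LOG = [
    r'2019-09-20 09:38:30.426 [1004.2b68] I: ULAVMonitoring::callbackOnOASAlert: Got OAS alert with JSON: {"bookmark":"PEJvb2ttYXJrTGlzdD4NCiAgPEJvb2ttYXJrIENoYW5uZWw9J0ZTZWN1cmVVbHRyYWxpZ2h0U0RLJyBSZWNvcmRJZD0nMTIxNTknIElzQ3VycmVudD0ndHJ1ZScvPg0KPC9Cb29rbWFya0xpc3Q+","rl":"sp.evt.dg.block","rv":{"AskSample":0,"Detection":"Exploit:W32/OfficeExploitPayload.A!DeepGuard","Exploit":"d:\\shared\\download\\samples\\macrotest.xlsm","Hash":"6490a5897c31e43393c0feba365a08611340867c","Path":"C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE","ProcessID":17996,"Rarity":2,"Reason":10,"Reputation":1,"SessionID":1,"tickcount":2348045081145}}. Extra data size: 0',
    r'2019-09-20 09:41:02.118 [1004.2b68] I: ULAVMonitoring::callbackOnOASAlert: Got OAS alert with JSON: {"bookmark":"PLACEHOLDER","rl":"sp.evt.dg.block","rv":{"AskSample":0,"Detection":"Example:W32/ConstructedDetection!DeepGuard","Exploit":"C:\\Users\\user\\Downloads\\example_script.vbs","Hash":"0000000000000000000000000000000000000000","Path":"C:\\Windows\\System32\\wscript.exe","ProcessID":4242,"Rarity":2,"Reason":10,"Reputation":1,"SessionID":1,"tickcount":2348045200000}}. Extra data size: 0',
    r'2019-09-20 09:42:00.001 [1004.2b68] I: ULAVMonitoring::heartbeat: ok',
]


if __name__ == "__main__":
    # On a real client, read C:\ProgramData\F-Secure\Log\PSB\AlertSenderPlugin.log instead.
    found = parse_alert_log(SAMPLE_LOG)
    for a in alerts_for_hash(found, "6490a5897c31e43393c0feba365a08611340867c"):
        print(describe(a))
```

Run it against the real log file with `open(path, encoding="utf-8", errors="replace")` in place of SAMPLE_LOG; the hash comparison is case-insensitive so the value can be pasted directly from the Policy Manager alert. When the "Exploit" field is absent, the alert was raised on the application itself rather than on a file it opened, which is the case to escalate to support together with the WSDIAG log.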
If the scan does not indicate any harmful files or suspicious installed applications, contact WithSecure support for further assistance.
Article no: 000004495