Issue:
This article applies to the following F-Secure products: F-Secure Client Security, F-Secure Server Security, Elements EPP Computer Protection, Elements EPP Server Protection
I am getting a detection for the following files: wscript.exe, ieexplorer.exe, winword.exe, explorer.exe, excel.exe, and regsvr32.exe by DeepGuard. How can I fix this?
Resolution:
Mostly these detections come from DeepGuard (a basic part of WithSecure products which monitors applications to detect potentially harmful changes to the system). The following files are normally clean and each is a legitimate Microsoft file:
- wscript.exe
- ieexplorer.exe
- winword.exe
- explorer.exe
- excel.exe
- Regsvr32.exe
These legitimate Microsoft files are blocked by DeepGuard because a suspicious file, script or application is trying to run them.
Alert shown in Policy Manager Server or Windows Event log:
DeepGuard blocked an exploit action.
Application path: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File hash: 6490a5897c31e43393c0feba365a08611340867c
Locally on that machine, you can check the AlertSenderPlugin.log, which contains more detailed information about this:
[...]
2019-09-20 09:38:30.426 [1004.2b68] I: ULAVMonitoring::callbackOnOASAlert: Got OAS alert with JSON: {"bookmark":"PEJvb2ttYXJrTGlzdD4NCiAgPEJvb2ttYXJrIENoYW5uZWw9J0ZTZWN1cmVVbHRyYWxpZ2h0U0RLJyBSZWNvcmRJZD0nMTIxNTknIElzQ3VycmVudD0ndHJ1ZScvPg0KPC9Cb29rbWFya0xpc3Q+","rl":"sp.evt.dg.block","rv":{"AskSample":0,"Detection":"Exploit:W32/OfficeExploitPayload.A!DeepGuard","Exploit":"d:\\shared\\download\\samples\\macrotest.xlsm","Hash":"6490a5897c31e43393c0feba365a08611340867c","Path":"C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE","ProcessID":17996,"Rarity":2,"Reason":10,"Reputation":1,"SessionID":1,"tickcount":2348045081145}}. Extra data size: 0
[...]
In this case, the alert is caused by this macro (the "Exploit" field of the event), not by EXCEL.EXE itself:
d:\\shared\\download\\samples\\macrotest.xlsm
AlertSenderPlugin.log is located here on clients with Client Security 14.x and PSB Computer Protection:
C:\ProgramData\F-Secure\Log\PSB\AlertSenderPlugin.log
If the scan does not indicate any harmful files or any suspicious application installed, contact F-Secure support for further assistance and provide the following:
- FSDIAG - You can refer to this article for instructions on how to create an FSDIAG log
- Possible file or script that you were running when you received the detection.
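To triage such alerts from AlertSenderPlugin.log, the useful fields are the "Exploit" (the file or script that tried to run the legitimate binary) rather than the "Path" (the blocked Microsoft binary). The following Python script is an added example, not F-Secure's code: it parses the log line quoted above, keeps only DeepGuard block events (rl == sp.evt.dg.block), flags whether the blocked application is one of the legitimate hosts listed in this article, and decodes the base64 bookmark (which holds a small XML record) to recover its RecordId. The second log line in the sample is constructed filler, and the field meanings are taken from the event as printed above.

```python
import base64
import json
import re
import xml.etree.ElementTree as ET

# Legitimate Microsoft binaries the article lists as the usual blocked "Application path".
LEGITIMATE_HOSTS = {"wscript.exe", "ieexplorer.exe", "winword.exe",
                    "explorer.exe", "excel.exe", "regsvr32.exe"}

# Line 1 is the AlertSenderPlugin.log entry quoted in the article; line 2 is a constructed
# non-alert line so the filter is exercised. Raw string keeps the JSON "\\" escapes literal.
SAMPLE_LOG = r"""2019-09-20 09:38:30.426 [1004.2b68] I: ULAVMonitoring::callbackOnOASAlert: Got OAS alert with JSON: {"bookmark":"PEJvb2ttYXJrTGlzdD4NCiAgPEJvb2ttYXJrIENoYW5uZWw9J0ZTZWN1cmVVbHRyYWxpZ2h0U0RLJyBSZWNvcmRJZD0nMTIxNTknIElzQ3VycmVudD0ndHJ1ZScvPg0KPC9Cb29rbWFya0xpc3Q+","rl":"sp.evt.dg.block","rv":{"AskSample":0,"Detection":"Exploit:W32/OfficeExploitPayload.A!DeepGuard","Exploit":"d:\\shared\\download\\samples\\macrotest.xlsm","Hash":"6490a5897c31e43393c0feba365a08611340867c","Path":"C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE","ProcessID":17996,"Rarity":2,"Reason":10,"Reputation":1,"SessionID":1,"tickcount":2348045081145}}. Extra data size: 0
2019-09-20 09:38:31.102 [1004.2b68] I: constructed unrelated log line, not an alert
"""

ALERT_RE = re.compile(r"^(\S+ \S+) \[[0-9a-f.]+\] I: ULAVMonitoring::callbackOnOASAlert: "
                      r"Got OAS alert with JSON: (\{.*\})\. Extra data size: \d+$")


def decode_bookmark(b64):
    """The bookmark is base64-encoded XML; return the RecordId of its Bookmark element
    so the alert can be matched to the record DeepGuard wrote (None if absent)."""
    root = ET.fromstring(base64.b64decode(b64))
    bookmark = root.find("Bookmark")
    return bookmark.get("RecordId") if bookmark is not None else None


def parse_alerts(log_text):
    """Return one triage dict per DeepGuard block event found in the log text."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # not an OAS alert line
        event = json.loads(m.group(2))
        if event.get("rl") != "sp.evt.dg.block":
            continue  # some other OAS event type
        rv = event["rv"]
        host = rv["Path"].rsplit("\\", 1)[-1].lower()
        alerts.append({
            "detection": rv["Detection"],
            "blocked_app": rv["Path"],
            "known_host": host in LEGITIMATE_HOSTS,  # the blocked binary itself is expected to be clean
            "trigger": rv["Exploit"],                # the file or script to actually investigate
            "hash": rv["Hash"],
            "pid": rv["ProcessID"],
            "record_id": decode_bookmark(event["bookmark"]),
        })
    return alerts
```

Run `parse_alerts(open(path).read())` against a copied AlertSenderPlugin.log; for the entry above it yields one alert whose trigger is the macrotest.xlsm workbook, with EXCEL.EXE flagged as a known host.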
Article no: 000004495