To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

Is it normal for FSDIAG.exe to run wmic.exe, gpresult.exe, ipconfig.exe and schtask.exe

We got a High risk alert from EDR where FSDIAG.EXE (C:\Program Files (x86)\F-Secure\PSB\diagnostics\fsdiag.exe) is running wmicm, gpresult, ipconfig and schtask exes.

Is this normal behaviour for FSDIAG.exe?

Answers

  • IT_Guy81
    IT_Guy81 W/ Member Posts: 4 Security Scout

    Here is the Commanfd line for FSDIAG.exe:


    "C:\Program Files (x86)\F-Secure\PSB\diagnostics\fsdiag.exe" --filters "basic/*,firewall/*,gpo/*,network/*,win/*" --silent --out "C:\ProgramData\F-Secure\Upload\wsdiag.zip"

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 491 Moderator

    Hi @IT_Guy81 ,

    Thank you for reaching out to WithSecure Community. Sorry to hear that our tool is causing these alerts.

    I am checking with our product developer and shall get back to you.

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 491 Moderator

    Hi @IT_Guy81 ,

    It's normal that it runs these tools.

    To whitelist these detections, you may try the following:

    1. Log in to the Elements Security Center at here.
    2. Select the Endpoint Detection and Response section in the leftmost navigation bar in Elements Security Center.
    3. Go to Broad Context Detections tab.
    4. Select the BCD ID that require whitelisting.
    5. Click "Update status" option at bottom page.
    6. Select "Closed" from drop down menu, then select reason as "False positive"
    7. Click "Update" option.

  • MartijnAVT
    MartijnAVT W/ Partner Posts: 3 Security Scout

    The FSdiag runs discovery commands and scripts to know the environment the endpoint is in, so this is not weird behavior. It's good that it does not trust fsdiag by default, since there are also antivirus vendors whos drivers for example are used for evasion. This way EDR can always check the behavior. Bummer if you run auto isolation on HIGH though 😁

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 491 Moderator

    Hi @IT_Guy81 tagging you for visibility with regards to @MartijnAVT comment.