
Is it normal for FSDIAG.exe to run wmic.exe, gpresult.exe, ipconfig.exe and schtask.exe


We got a High risk alert from EDR where FSDIAG.EXE (C:\Program Files (x86)\F-Secure\PSB\diagnostics\fsdiag.exe) is running wmic, gpresult, ipconfig and schtask exes.

Is this normal behaviour for FSDIAG.exe?

Answers

  • IT_Guy81
    IT_Guy81 W/ Member Posts: 4 Security Scout

    Here is the command line for FSDIAG.exe:


    "C:\Program Files (x86)\F-Secure\PSB\diagnostics\fsdiag.exe" --filters "basic/*,firewall/*,gpo/*,network/*,win/*" --silent --out "C:\ProgramData\F-Secure\Upload\wsdiag.zip"

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 509 Moderator

    Hi @IT_Guy81,

    Thank you for reaching out to WithSecure Community. Sorry to hear that our tool is causing these alerts.

    I am checking with our product developer and shall get back to you.

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 509 Moderator

    Hi @IT_Guy81,

    It's normal that it runs these tools.

    To whitelist these detections, you may try the following:

    1. Log in to the Elements Security Center.
    2. Select the Endpoint Detection and Response section in the leftmost navigation bar in Elements Security Center.
    3. Go to the Broad Context Detections tab.
    4. Select the BCD ID that requires whitelisting.
    5. Click the "Update status" option at the bottom of the page.
    6. Select "Closed" from the drop-down menu, then select the reason "False positive".
    7. Click the "Update" option.

  • MartijnAVT
    MartijnAVT W/ Partner Posts: 3 Security Scout

    The FSdiag runs discovery commands and scripts to know the environment the endpoint is in, so this is not weird behavior. It's good that it does not trust fsdiag by default, since there are also antivirus vendors whose drivers for example are used for evasion. This way EDR can always check the behavior. Bummer if you run auto isolation on HIGH though 😁
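The thread establishes two facts: fsdiag.exe legitimately spawns discovery utilities (wmic, gpresult, ipconfig, schtasks) when run with the command line quoted above, and the EDR still inspects that behaviour rather than trusting the vendor binary by name. The Python script below is an added example, not code from WithSecure or from any poster, of how a detection engineer might triage such process-creation events before closing a detection as a false positive: the discovery tools are suppressed only when the parent is the signed fsdiag.exe at its install path carrying the switches from the command line above, and everything else stays in the review queue. The ProcessEvent fields, the signature flag and the sample events are constructed assumptions, not real telemetry.

```python
from dataclasses import dataclass

# The discovery utilities named in the alert. The scheduled-task CLI's real
# file name is schtasks.exe, so that is the name matched here.
DISCOVERY_TOOLS = {"wmic.exe", "gpresult.exe", "ipconfig.exe", "schtasks.exe"}

# Expected parent: the diagnostics tool of the F-Secure PSB client, at the
# install path and with the switches quoted in the thread.
EXPECTED_PARENT_PATH = r"C:\Program Files (x86)\F-Secure\PSB\diagnostics\fsdiag.exe"
EXPECTED_PARENT_SWITCHES = ("--filters", "--silent", "--out")


@dataclass
class ProcessEvent:
    """Minimal process-creation record (fields modelled on Sysmon event 1).
    Assumption: the telemetry carries a signature verdict for the parent."""
    image: str
    parent_image: str
    parent_command_line: str
    parent_signed: bool


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (accepts forward slashes too)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> str:
    """'ignore' for non-discovery tools, 'expected_fsdiag' when the parent is
    the genuine diagnostics run, otherwise 'review'."""
    if basename(ev.image) not in DISCOVERY_TOOLS:
        return "ignore"
    # Match on full path + signature + switches, not just the file name, so a
    # binary merely named fsdiag.exe in another location is still reviewed.
    parent_is_fsdiag = (
        ev.parent_image.lower() == EXPECTED_PARENT_PATH.lower()
        and ev.parent_signed
        and all(sw in ev.parent_command_line for sw in EXPECTED_PARENT_SWITCHES)
    )
    return "expected_fsdiag" if parent_is_fsdiag else "review"


def triage(events):
    """Count verdicts and return the events that still need a human look."""
    counts = {"ignore": 0, "expected_fsdiag": 0, "review": 0}
    to_review = []
    for ev in events:
        verdict = classify(ev)
        counts[verdict] += 1
        if verdict == "review":
            to_review.append(ev)
    return counts, to_review


# The command line quoted in the thread.
FSDIAG_CMDLINE = (
    '"C:\\Program Files (x86)\\F-Secure\\PSB\\diagnostics\\fsdiag.exe" '
    '--filters "basic/*,firewall/*,gpo/*,network/*,win/*" --silent '
    '--out "C:\\ProgramData\\F-Secure\\Upload\\wsdiag.zip"'
)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\ipconfig.exe", EXPECTED_PARENT_PATH, FSDIAG_CMDLINE, True),
    ProcessEvent(r"C:\Windows\System32\gpresult.exe", EXPECTED_PARENT_PATH, FSDIAG_CMDLINE, True),
    # Same file name, wrong location and unsigned: keep this one for review.
    ProcessEvent(r"C:\Windows\System32\wmic.exe", r"C:\Users\Public\fsdiag.exe",
                 '"C:\\Users\\Public\\fsdiag.exe" --silent', False),
    # Discovery tool launched from an interactive shell: keep this one too.
    ProcessEvent(r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe", True),
    # Not a discovery tool at all.
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "explorer.exe", True),
]

if __name__ == "__main__":
    counts, pending = triage(SAMPLE_EVENTS)
    print(counts)
    for ev in pending:
        print("review:", basename(ev.image), "<-", ev.parent_image)
```

The point of the three-part parent check is that closing the BCD as a false positive in the console suppresses that specific detection, whereas this kind of rule documents why it is benign: the same discovery tools spawned by an unsigned fsdiag.exe in a user-writable directory, or by cmd.exe, still surface for review.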

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 509 Moderator

    Hi @IT_Guy81, tagging you for visibility with regard to @MartijnAVT's comment.