We got a High risk alert from EDR where FSDIAG.EXE (C:\Program Files (x86)\F-Secure\PSB\diagnostics\fsdiag.exe) is running the wmic, gpresult, ipconfig and schtasks executables.
Is this normal behaviour for FSDIAG.exe?
Hi @IT_Guy81, tagging you for visibility with regards to @MartijnAVT's comment.
FSDIAG runs discovery commands and scripts to learn which environment the endpoint is in, so this is not weird behaviour. It's good that it does not trust fsdiag by default, since there are also antivirus vendors whose drivers, for example, are used for evasion. This way the EDR can always check the behaviour. Bummer if you run auto-isolation on HIGH though 😁
Hi @IT_Guy81 ,
It's normal that it runs these tools.
To whitelist these detections, you may try the following:
Thank you for reaching out to the WithSecure Community. Sorry to hear that our tool is causing these alerts.
I am checking with our product developer and shall get back to you.
Here is the command line for FSDIAG.exe:
"C:\Program Files (x86)\F-Secure\PSB\diagnostics\fsdiag.exe" --filters "basic/*,firewall/*,gpo/*,network/*,win/*" --silent --out "C:\ProgramData\F-Secure\Upload\wsdiag.zip"
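Before excluding this alert, it is worth confirming that the parent really is the vendor binary and not something reusing its name, since the thread itself notes that security-vendor components are sometimes abused for evasion. The following PowerShell triage script is an added example, not code from the thread or from WithSecure: it checks the Authenticode signature and SHA-256 of fsdiag.exe at the path above, then lists any running fsdiag.exe instance, whether its arguments match the command line posted above, and which of the discovery tools mentioned in the question it has spawned. The path and command line are taken from the thread; the list of child tools and the field names are assumptions for this example.

```powershell
# Added triage example (not part of the thread or of WithSecure's tooling).
# Path and expected command line come from the thread above; the discovery
# tool list is an assumption based on the alert described in the question.

$FsdiagPath     = 'C:\Program Files (x86)\F-Secure\PSB\diagnostics\fsdiag.exe'
$ExpectedCmd    = '--filters "basic/*,firewall/*,gpo/*,network/*,win/*" --silent --out "C:\ProgramData\F-Secure\Upload\wsdiag.zip"'
$DiscoveryTools = @('wmic.exe', 'gpresult.exe', 'ipconfig.exe', 'schtasks.exe')

function Test-FsdiagBinary {
    # Confirms the file the alert points at is the signed vendor binary rather
    # than a same-named drop-in, and records its hash for comparison with the
    # hash shown in the EDR alert.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        SigStatus = $sig.Status                      # only 'Valid' is acceptable
        Signer    = $sig.SignerCertificate.Subject   # inspect the CN by eye
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Get-FsdiagChildren {
    # Lists every running fsdiag.exe, whether its arguments contain the expected
    # command line, and which discovery tools it has spawned. fsdiag only runs
    # for a short time, so run this while a diagnostic collection is in progress.
    param([string]$Path, [string]$ExpectedCommandLine, [string[]]$Tools)
    $all = Get-CimInstance -ClassName Win32_Process
    foreach ($parent in ($all | Where-Object { $_.ExecutablePath -eq $Path })) {
        $children = $all | Where-Object {
            $_.ParentProcessId -eq $parent.ProcessId -and $_.Name -in $Tools
        }
        $argsMatch = (-not [string]::IsNullOrEmpty($parent.CommandLine)) -and
                     $parent.CommandLine.Contains($ExpectedCommandLine)
        [pscustomobject]@{
            ParentPid = $parent.ProcessId
            ArgsMatch = $argsMatch
            ParentCmd = $parent.CommandLine
            Children  = ($children | ForEach-Object { "$($_.Name) $($_.CommandLine)" }) -join '; '
        }
    }
}

Test-FsdiagBinary -Path $FsdiagPath | Format-List
Get-FsdiagChildren -Path $FsdiagPath -ExpectedCommandLine $ExpectedCmd -Tools $DiscoveryTools | Format-List
```

If SigStatus is anything other than Valid, or the path or arguments in the EDR alert differ from the ones posted above, treat the alert as genuine rather than as noise. When you do write an exclusion, scope it to the full path, the signer and the expected arguments of the parent process, not to the process name alone, so that a renamed binary in another directory still trips the detection.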