DeepGuard Detecting CMD as Exploit
I have an issue with some PCs where the CMD.exe process is shown as an exploit. I have checked the PCs but couldn't find anything different from the other PCs. Details are below:
Details: DeepGuard blocked an exploit action.
Application path: C:\Windows\SysWOW64\cmd.exe
File hash: 4048488de6ba4bfef9edf103755519f1f762668f
Detection: Exploit:W32/PowerShellStager.D!DeepGuard
Rarity: Unknown
Reputation: Unknown
Process ID: 7476
I just want to be sure whether it's an FP. Do you have any suggestions on how I can be sure?
It is not CMD that is malicious, but something malicious running using CMD.
I would suggest creating a case with us so our Malware team can investigate further: https://www.f-secure.com/en/business/support-and-downloads/submit-a-sample
Please include the information below:
1. Download Microsoft WMI Diagnosis Utility v2.2 tool from here.
2. Extract the executable to a specific directory; it will contain the following files:
3. Run Command Prompt in elevated mode and set CSCRIPT as the default script launcher.
4. In the administrator CMD, execute "WMIDiag.vbs".
5. After execution, the log path shown at the end will give the result directory. The log files are located in %TEMP%.
6. Submit all related logs (starting with "WMIDIAG-V2.2_") (CSV, LOG, TXT) to us.
7. To restore, set WScript back as the default:
Cscript.exe //H:Wscript
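The collection steps above, as an added PowerShell script that is not part of the original thread and not an F-Secure tool: it assumes WMIDiag.vbs has already been extracted to a directory you pass in, uses the "WMIDIAG-V2.2_" log prefix and %TEMP% location from the steps, and restores WScript as the default host even if the diagnostic fails. The extraction directory and zip name are constructed placeholders.

```powershell
# Added example (not from the thread): automates steps 3-7 of the WMIDiag collection.
param(
    [string]$WmiDiagDir = 'C:\Tools\WMIDiag',   # assumed: where WMIDiag was extracted
    [string]$OutZip     = "$env:USERPROFILE\Desktop\WMIDIAG-logs.zip"   # constructed name
)

# Step 3 prerequisite: WMIDiag must run from an elevated prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (administrator) PowerShell.'
}

$vbs = Join-Path $WmiDiagDir 'WMIDiag.vbs'
if (-not (Test-Path $vbs)) { throw "WMIDiag.vbs not found in $WmiDiagDir" }

try {
    # Step 3: make cscript the default script host so output goes to the console.
    # (Calling cscript.exe directly below would already use it; the switch is kept
    #  because the thread's steps ask for it.)
    & cscript.exe //Nologo //H:CScript | Out-Null

    # Step 4: run the diagnostic; it writes its reports into %TEMP%.
    & cscript.exe //Nologo $vbs

    # Steps 5-6: gather every WMIDIAG-V2.2_* report (CSV, LOG, TXT) from %TEMP%.
    $logs = Get-ChildItem -Path $env:TEMP -File -Filter 'WMIDIAG-V2.2_*' |
            Where-Object { $_.Extension -in '.csv', '.log', '.txt' }
    if (-not $logs) { throw "No WMIDIAG-V2.2_* logs found in $env:TEMP" }

    Compress-Archive -Path $logs.FullName -DestinationPath $OutZip -Force
    Write-Host "Collected $($logs.Count) log file(s) into $OutZip; attach it to the support case."
}
finally {
    # Step 7: always restore WScript as the default host.
    & cscript.exe //Nologo //H:WScript | Out-Null
}
```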
Thanks. I have a customer that meets exactly the same issue.
The link for "1. Download Microsoft WMI Diagnosis Utility v2.2 tool from here" seems to be broken.
So, I've made a log analysis with the EPP agent and sent it for analysis.
Did you receive more information about this issue?
Thanks a lot,
Hi Christopher and Cetil,
I had to check this for you. If the WMI tool is not available, you may send us the FSDiag log.
Please create and send an FSDIAG file from the affected computer for us to analyze the logs. Please follow these steps to create the FSDIAG log file:
- Click Start.
- Select All Programs > (Your F-Secure product) > Support Tool. The Support Tool window is displayed.
- Click OK. The tool starts gathering information. It creates the output file on your desktop. The name of the archive file is fsdiag.tar.gz.