DeepGuard Detecting CMD as Exploit

Hello all,

I have an issue with some PCs that CMD.exe process is showing as exploit, I have checked PCs but couldnt find any thing else different that other PCs. Details are below;

Details: DeepGuard blocked an exploit action. Application path: C:\Windows\SysWOW64\cmd.exe File hash: 4048488de6ba4bfef9edf103755519f1f762668f Detection: Exploit:W32/PowerShellStager.D!DeepGuard Rarity: Unknown Reputation: Unknown Process ID: 7476 

Just want to be sure that if its FP, do you have any suggestions that how can I be sure ?

Accepted Answer

  • Jamesch
    Jamesch Posts: 357 Moderator
    edited April 2022 Answer ✓


    It is not CMD that is malicious, but something malicious running using CMD.

    I would suggest to create a case with us so our Malware team can investigate further -

    Do include the below information:

    1. Download Microsoft WMI Diagnosis Utility v2.2 tool from here.

    2. Extract the executable on a specific directory and will contain the following files:





    3. Run Command Prompt with elevated mode and set CSCRIPT as default script launcher.

    Cscript.exe //H:Cscript

    4. On administrator CMD execute "WMIDiag.vbs"

    5. After execution it will results log path at the end will show result directory. The log files is located in %TEMP%

    6. Submit all related logs (starts with "WMIDIAG-V2.2_") (CSV, LOG, TXT) to us

    7. To restore, set the wscript.

    Cscript.exe //H:Wscript



  • Christopher_NEO
    Christopher_NEO Posts: 1 New Member


    Thanks I've a customer that meet exactly the same issue.

    The link for "1. Download Microsoft WMI Diagnosis Utility v2.2 tool from" seems to be broken.

    So, I've made a log analysis with the agent EPP, and send it for analysis.

    Did you received more information about this issues ?

    Thanks a lot,


  • cetil35
    cetil35 Posts: 7 Explorer

    Dear Jamesch, thanks a lot for your answer.

    But as Christopher_NEO mentional the links seems to be broken, and I couldnt find the updated one from Microsoft.

  • Jamesch
    Jamesch Posts: 357 Moderator

    Hi Christopher and Cetil,

    I had to check this for you. If WMI tool is not available, you may send us the FSDiag log.

    Please create and send an FSDIAG file from the affected computer for us to analyze the logs. Please follow these steps to create the FSDIAG log file:

    - Click Start.

    - Select All Programs > (Your F-Secure product) > Support Tool. The Support Tool window is displayed.

    - Click OK. The tool starts gathering information. It creates the output file on your desktop. The name of the archive file is fsdiag.tar.gz.

This discussion has been closed.