StephanG
New Member
August 4, 2025
Question

FCDBLog.exe - creating and modifying hosts file


We recently observed a concerning event on one of our endpoints involving the FortiClient Logging Daemon (FCDBLog.exe).

While FortiClient is a trusted security solution in our environment, we are puzzled by this behavior. Typically, security tools monitor the hosts file for unauthorized changes rather than modifying it directly. The involvement of a scheduled task and the elevated privileges make this worth investigating further.

Key Details:

  • Process: fcdblog.exe (FortiClient Logging Daemon v7.4.3.1790)
  • Parent Process: scheduler.exe
  • Account: SYSTEM / NT AUTHORITY
  • Command Line: FCDBLog.exe -s FC_{GUID}_000011

Questions:

  1. Is this behavior expected in certain FortiClient configurations?
  2. Could this be part of a diagnostic or telemetry routine?
  3. Are there known cases where FortiClient modifies the hosts file intentionally?
  4. What steps can we take to verify the legitimacy of this action?

Thanks in advance for your help

BR

Stephan

2 replies

sharmar
Staff & Editor
August 4, 2025

Hello @StephanG

FCDBLog.exe is the FortiClient Logging Daemon. Are you sending any logs from the FCT to FAZ/Syslog, or is debug enabled?

StephanG
Author
New Member
August 5, 2025

We have the "free" version of FortiClient - I am unsure if this is even an option :) But we do not send logs to FAZ or syslog servers.
Debug is not enabled. I cannot see any past incidents where we have enabled debug on these clients.

I have hunted for this behavior with Defender for Endpoint and this only affects 27 of about 410 active VPN users.
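
For question 4 in the original post, one way to check the binary and the resulting hosts file on an affected endpoint. This is an added example, not part of the thread and not Fortinet guidance; searching the Program Files directories for FCDBLog.exe is an assumption, since the thread does not give the install path.

```powershell
# Added example: run in an elevated PowerShell session on an affected endpoint.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Locate FCDBLog.exe without hard-coding an install path
#    (assumption: it lives somewhere under a Program Files directory).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }
$binaries = Get-ChildItem -Path $roots -Filter 'FCDBLog.exe' -Recurse -File `
    -ErrorAction SilentlyContinue

# 2. Report version, hash and Authenticode state for each copy found.
#    A Status other than 'Valid', or an unexpected signer, needs follow-up.
$binaries | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Path      = $_.FullName
        Version   = $_.VersionInfo.FileVersion
        SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject   # empty when unsigned
    }
} | Format-List

# 3. Timestamps and owner of the hosts file, to line up with the
#    FCDBLog.exe event time seen in Defender for Endpoint.
Get-Item -Path $hostsPath |
    Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc, Length |
    Format-List
(Get-Acl -Path $hostsPath).Owner

# 4. Active (non-comment) hosts entries: these are what actually
#    changes name resolution on the endpoint.
Get-Content -Path $hostsPath | ForEach-Object {
    $line = ($_ -split '#')[0].Trim()          # drop trailing comments
    if ($line) {
        $parts = $line -split '\s+'
        [pscustomobject]@{
            Address = $parts[0]
            Names   = ($parts | Select-Object -Skip 1) -join ' '
        }
    }
} | Format-Table -AutoSize
```

Comparing the output from an affected client with that of an unaffected one shows whether the binary differs and which hosts entries were added.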