FortiEDR
Luke_FTNT
Staff
Article Id 232296
Description

This article describes how to enable FortiEDR's additional Execution Prevention security rules, and why an administrator might want to.

Scope
FortiEDR 5.0+.
Solution

FortiEDR offers an Execution Prevention security policy, also referred to as pre-execution, and a number of associated security rules.

Some of these security rules are disabled out of the box to minimize the risk of false positives.

The following rules can be enabled to strengthen FortiEDR's protection. In FortiEDR Manager 5.2+ they are found under SECURITY SETTINGS -> Security Events -> Security Policies -> Execution Prevention (in FortiEDR Manager 5.0.3, under SECURITY SETTINGS -> Security Policies).

1) Unconfirmed File Detected: A file that triggers this security rule is unconfirmed and exhibits only a small number of characteristics used by malware. It has a low likelihood of being malware.

2) Suspicious File Detected: A file that triggers this security rule contains suspicious characteristics commonly used by malware. It has a low to medium likelihood of being malware.

[Figure: security-rules-1.png, the Execution Prevention security rules as shown in FortiEDR Manager]

Both security rules rely on machine learning: each file is assigned a malware likelihood score, and a security event is triggered when that score falls within the rule's range.

Both rules can help detect unknown and zero-day malware. Fortinet's Managed Detection and Response (MDR) team has compiled an article showing how the 'Unconfirmed File Detected' security rule detected previously unknown .NET malware.

It is important to note that enabling either security rule can result in false positives. It is therefore recommended to start with the 'Log' action, which lets administrators review and manage the resulting events (and create exceptions for legitimate files) without disrupting end-user productivity.

Once the administrator is satisfied that the necessary security event exceptions are in place, the security rule(s) can be switched to the 'Block' action.
