FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
rduggal_FTNT
Staff
Article Id 360536
Description

This article describes how to scope an exception before adding it.
Scope

Applies to both On-prem and Cloud FortiEDR deployments.

Solution

Consider a scenario where a process is blocked by the Execution Prevention module without any socket connection to a destination (internal or external).

An exception is added with the 'Internal Destination' parameter, as shown below:

[Screenshot: exception configured with 'Internal Destination' as the destination parameter]

A new event for the same process is still blocked. Why?

The process or application is still blocked in this scenario because, when 'Internal Destinations' or an explicitly defined 'IP list' is used in the exception, the system checks whether an IP address is present in the event metadata. If no IP is seen in the event metadata, that condition evaluates to false and the system keeps blocking the process despite the exception.
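As an added illustration (not FortiEDR's own code), the following Python model encodes the matching rule described above: an exception scoped to 'Internal Destinations' or an IP list is evaluated against the event's destination IP, and the condition is false when the event carries no IP at all. The scope names, the RFC 1918 ranges used for "internal", and the sample process name are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed internal ranges (RFC 1918); FortiEDR's real definition of "internal" may differ.
INTERNAL_NETS = tuple(ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

@dataclass(frozen=True)
class Event:
    process: str
    destination_ip: Optional[str]  # None when the event has no socket connect

@dataclass(frozen=True)
class ExceptionRule:
    process: str
    destination: str               # "any", "internal", "external" or "list" (assumed names)
    ip_list: Tuple[str, ...] = ()  # used only when destination == "list"

def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def destination_matches(rule: ExceptionRule, event: Event) -> bool:
    """Evaluate the rule's destination condition against the event metadata."""
    if rule.destination == "any":
        return True                      # no destination condition to check
    if event.destination_ip is None:
        return False                     # no IP in metadata: condition is false
    if rule.destination == "internal":
        return _is_internal(event.destination_ip)
    if rule.destination == "external":
        return not _is_internal(event.destination_ip)
    if rule.destination == "list":
        return event.destination_ip in rule.ip_list
    raise ValueError(f"unknown destination scope: {rule.destination}")

def exception_applies(rule: ExceptionRule, event: Event) -> bool:
    """True when the exception covers the event (process and destination both match)."""
    return rule.process == event.process and destination_matches(rule, event)

if __name__ == "__main__":
    # Constructed sample: the blocked process in the article has no socket connect.
    blocked = Event("app.exe", None)
    internal_only = ExceptionRule("app.exe", "internal")
    print(exception_applies(internal_only, blocked))                    # False: still blocked
    print(exception_applies(ExceptionRule("app.exe", "any"), blocked))  # True
```

The model shows why checking the event metadata for a destination IP before choosing the exception scope avoids an exception that never matches.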


Note: Before adding an exception, it is important to define the scope of the exception by investigating the event. For more information, refer to this article.

If any problems are still encountered, open a new technical support ticket for further assistance: Support Fortinet.