FortiEDR
YehonatanA
Article Id 356124
Description: This article describes how to configure FortiEDR to detect the EICAR test file.
Scope: FortiEDR.
Solution

FortiEDR can detect signature-based malware and files that are already marked as malicious in the FortiEDR threat database.

As an EDR, and unlike a traditional AV, FortiEDR does not scan the disk continuously; instead it relies on behavior analysis and pre-execution detections.

To detect EICAR, first check the rules under the Execution Prevention security policy:

Execution Prevention: the rules "Suspicious File Detected" and "Unconfirmed File Detected" must be set to Enabled.

[Screenshot: Execution Prevention policy with the "Suspicious File Detected" and "Unconfirmed File Detected" rules enabled]

Both rules must be enabled, and the collectors must be assigned to the security policy that contains them.

Second, assign the collector at least the default THR inventory profile so that Inventory Scanning can also be used.

Then copy the EICAR test file to the host.

Steps to reproduce:

  1. Connect the collector to the Manager
  2. Disable Windows Defender on the Collector
  3. Copy the EICAR file from https://www.eicar.org/download-anti-malware-testfile/ to the Collector machine
  4. Run an AV scan from the Manager for this Collector

Expected results:

  1. Copying the file should fail
  2. The AV scan should find the file and trigger a security event

Actual results:

The security event is triggered only when the file is executed on the Collector; the copy itself succeeds, because FortiEDR does not scan files on write (see the note on EDR versus traditional AV above).
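Added example (not Fortinet's code): a small Python harness for step 3 of the reproduction above. It drops the EICAR file on the test host and records whether the copy was blocked, altered (quarantined or rewritten after the write) or written intact, so the "copying should fail" expectation can be compared against what the collector actually does at copy time versus execution time. The EICAR string and its SHA-256 are the published EICAR values; the output file name and result fields are assumptions of this example.

```python
import hashlib
import os
import tempfile

# The public EICAR test string, split in two so that this script is not itself
# flagged while it sits on disk; the halves are joined only at run time.
EICAR_PART_A = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}"
EICAR_PART_B = b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Published SHA-256 of the 68-byte EICAR test file.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_test_bytes() -> bytes:
    """Return the 68-byte EICAR test file content."""
    return EICAR_PART_A + EICAR_PART_B


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def drop_test_file(directory=None) -> dict:
    """Write the EICAR file and report the outcome of the copy step.

    outcome is 'blocked' (write denied), 'altered' (file removed or changed
    right after the write, e.g. quarantined) or 'written' (intact on disk).
    File name 'eicar_test.com' is an assumption of this example.
    """
    directory = directory or tempfile.gettempdir()
    path = os.path.join(directory, "eicar_test.com")
    try:
        with open(path, "wb") as fh:
            fh.write(eicar_test_bytes())
    except OSError as exc:  # e.g. PermissionError raised by a blocking agent
        return {"path": path, "outcome": "blocked", "hash_ok": False, "error": str(exc)}
    try:
        with open(path, "rb") as fh:
            on_disk = fh.read()
    except OSError as exc:  # removed between the write and the read-back
        return {"path": path, "outcome": "altered", "hash_ok": False, "error": str(exc)}
    hash_ok = sha256_hex(on_disk) == EICAR_SHA256
    outcome = "written" if hash_ok else "altered"
    return {"path": path, "outcome": outcome, "hash_ok": hash_ok, "error": None}


if __name__ == "__main__":
    # With only the Execution Prevention rules enabled, expect 'written' here:
    # FortiEDR reacts when the file is executed, not when it is copied.
    print(drop_test_file())
```

Run it on the Collector after disabling Windows Defender; an outcome of "written" with hash_ok true matches the "Actual results" above, and the security event should then appear only once the file is executed.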

** Note: the Manager content version must be 12100 or later.
