Help
FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
kmikhaylov
Staff
Staff

Created on ‎06-12-2023 05:03 AM Edited on ‎09-20-2023 12:24 AM By Community Manager

Article Id 259897

Technical Tip: FortiEDR exclusions setup

Description This article describes how to setup FortiEDR exclusions.
Scope FortiEDR version 5.2 and above.
Solution

Exclusions functionality requires Manager and Collector version 5.2 and above.

 

FortiEDR security policies can be divided into 2 groups: pre-execution and post-execution.

 

Pre-execution group includes execution prevention policy: policy blocks the execution of files that are identified as malicious or suspected to be malicious. For this policy, each file is analyzed to find evidence for malicious activity. 

I.e. user tries to execute a known malicious file. Execution of the file is blocked by execution prevention policy.
In order to exclude files from scanning with execution prevention policies setup 'execution prevention' exclusion which will exclude files/directories from Execution Prevention (NGAV) scanning:

 

exec.png

 

Post-execution policies scan processes behavior:

  • Exfiltration Prevention: policy enables FortiEDR to distinguish which connection establishment requests are malicious ones.
  • Ransomware Prevention: policy enables FortiEDR to detect and block malware that prevents or limits users from accessing their own system.
    I.e. user executes file. The file starts the process, which tries to encrypt system files. FortiEDR scans the behavior of the process with the specified above security policies and blocks malicious behavior.
    In order to exclude a process from scanning setup "Process" exclusion. Process exclusions are based on parent file hash or file name/path/signer: 

 

process.png

 

In order to fully exclude files and process the file populates from scanning setup two exclusions:

  1.  Process exclusion.
  2.  Execution prevention exclusion.

In the example below exclusions for both file 'legitimate_file.exe' and process, populated by 'legitimate_file.exe' execution are set:

 

legitimate_software.png

Note:

In the examples below following directory structure will be used: folder 'legitimate_software' with 2 files (content1/2.exe) and 2 subfolders (subfolder1/2) inside:

 

structure.png

  

In order to exclude the content of the specific folder from analysis, the path has to be specified in the following way: *\folder\.

In the example below content1.exe and content2.exe under '\legitimate_software\' are excluded from analysis with both pre-execution and post-execution security policies:

 

path_legit_soft.png

 

Note:

variables like %path% are not supported and have to be substituted with an asterisk. I.e. %SystemRoot%\System32\ must be specified as *\System32\

 

In order to exclude subfolders and content inside subfolders from analysis, the path has to be specified in the following way: *\folder\*

In the example below subfolder1 and subfolder2 under '\legitimate_software\' folder with subfolders' content are excluded from analysis with both pre-execution and post-execution security policies:

 

subfolders.png

 

In order to exclude both the content of the specific folder and subfolders with subfolders' content previous 2 examples must be combined:

  • *\folder\
  • *\folder\*

In the example below subfolder1 and subfolder2 under '\legitimate_software\' folder with subfolders' content, the content of '\legitimate_software\' are excluded from analysis with both pre-execution and post-execution security policies:

 

combined.png
2937
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.