FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
david_pereira
Staff & Editor
Article Id 400580
Description This article describes why some applications are wrongly classified as a keylogger by FortiEDR.
Scope FortiEDR.
Solution

In-house applications (software developed and used internally within an organization rather than purchased from an external vendor) may be wrongly classified as keyloggers.

FortiEDR may classify some internal applications as keyloggers because they exhibit specific behaviors or characteristics that match known keylogger patterns. The details are as follows:

Behavioral Analysis:

FortiEDR uses behavioral analysis to detect potential threats. If an application exhibits behavior similar to known keyloggers, such as capturing keystrokes or accessing clipboard data, it may be flagged.

Registry Modifications:

Applications that create autorun registry entries or modify registry keys to achieve persistence, as keyloggers commonly do, can be classified as suspicious. For example, creating entries under 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'.

File Activity:

If an application writes to files in a manner consistent with keylogging activity, such as logging keystrokes to a file, it may be flagged. For instance, writing logs to a directory such as 'AppData\Roaming'.

Use of Specific Functions:

Calls to certain functions, such as 'MapVirtualKey' in 'user32.dll', which are often used to implement keylogging functionality, can trigger detection.

Machine Learning:

FortiEDR employs machine learning to assess the likelihood that an application is malicious. If an application has a high likelihood of being a keylogger based on its behavior and characteristics, it may be classified as such.

These detection mechanisms help FortiEDR identify and mitigate potential threats, even if the application is internal or previously unknown.
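A pre-deployment self-audit for developers of in-house tools, added here as an example (it is not FortiEDR code): it maps behaviour recorded during a test run to the observable heuristics listed above (registry autorun entries, writes under AppData\Roaming, user32 keylogging APIs, clipboard access) so the overlap can be removed or documented before rollout. The event records, the record format and the 'InvTool' name are constructed for the example; the format is not FortiEDR's own event schema.

```python
"""Self-audit: match an in-house application's observed behaviour against
the keylogger heuristics this article lists. Added example, not FortiEDR
code; the event format below is a constructed, hypothetical one."""
import re

# HKCU Run key named in the article; HKEY_CURRENT_USER is normalised to HKCU.
AUTORUN_RE = re.compile(
    r"^HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN(\\|$)")
# Log/output written under the roaming profile, as the article describes.
ROAMING_RE = re.compile(r"\\APPDATA\\ROAMING\\")
# user32 functions the article associates with keylogging; the A/W/Ex
# variants share the prefix and are matched together.
KEYLOG_APIS = ("MapVirtualKey",)


def _norm_reg(path):
    """Uppercase a registry path and collapse the long hive name."""
    return path.upper().replace("HKEY_CURRENT_USER", "HKCU")


def keylogger_indicators(events):
    """Return the set of article heuristics (by section name) the events match."""
    hits = set()
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set" and AUTORUN_RE.match(_norm_reg(ev["path"])):
            hits.add("Registry Modifications")
        elif kind == "file_write" and ROAMING_RE.search(ev["path"].upper()):
            hits.add("File Activity")
        elif (kind == "api_call" and ev["module"].lower() == "user32.dll"
              and ev["function"].startswith(KEYLOG_APIS)):
            hits.add("Use of Specific Functions")
        elif kind == "clipboard_read":
            hits.add("Behavioral Analysis")
    return hits


# Constructed test-run records for a hypothetical in-house tool "InvTool".
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "path": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\InvTool"},
    {"type": "file_write", "path": r"C:\Users\dev\AppData\Roaming\InvTool\session.log"},
    {"type": "api_call", "module": "USER32.dll", "function": "MapVirtualKeyW"},
    {"type": "file_write", "path": r"C:\ProgramData\InvTool\cache.db"},  # not a hit
]

if __name__ == "__main__":
    for name in sorted(keylogger_indicators(SAMPLE_EVENTS)):
        print("overlaps with heuristic:", name)
```

Each heuristic reported for a legitimate application is a behaviour to either redesign (for example, move the autorun entry to a managed service installation) or document when requesting an exclusion.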