I wanted to reach out an get some opinions. I am relatively new to EDR and I am wondering if there is ever a safe use of "any script" in an exception?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
In FortiEDR, you can link an alert to a playbook. This playbook operates as a Python script. There are several pre-built custom playbooks available within the panel. Additionally, you can obtain a remote shell through the agent to perform file transfers and execute scripts.
Playbook Actions: https://docs.fortinet.com/document/fortiedr/6.2.0/administration-guide/575440/playbook-policy-action...
I wouldn't recommend it for cmd, powershell, python scripts
since it means you can run any script which might be malicious.
Btw, lets assume powershell script blocked for suspicious script execution and you defined an exception. (it doesn't mean you will immediately get encrypted) keep in mind that script going to be blocked again if it matches with ransomware rule. since your first exception was for "Suspicious Script Execution" rule, not for "Ransomware" rule
However, still you will violate swiss cheese model which will be first hole
Each time a process matches with different security policy it will get blocked (if rule is enabled and set for block and there is not an exception defined)
I personally would not recommend 2 things
1- creating exception which only has "when created by explorer.exe" (This means whatever your client double clicks, it will give exception for triggered rule)
2- "any script with cmd, powershell, python"
If you necessarily need to give flexible exceptions, I would recommend you to seperate collector groups as Client - Server - Developer&IT
for wide exceptions you could give for developer or IT group only without choosing "all groups"
same time it will not allow for fat sedentary clients to run any script
Ceyhun Kıvanç Demir
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1663 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.