Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jaime_yvw
New Contributor

FortiClient and FortiEDR detection inconsistencies

Hi Everyone,

 

Our company is running FortiEDR and FortiClient.  FortiEDR detected AsyncRAT and WGZ!tr on one of the workstations.   In FortiEDR, the device was moved to the High-Security Collector Group with the protection enabled. However, the vulnerability scan using FortiClient Endpoint did not detect the AsycRAT and WGZ!tr. 

 

What can cause these inconsistencies and how do we resolve this?   Thanks for your responses.

1 Solution
btan
Staff
Staff

Hi Jaime,

FortiClient (FCT) and EDR works differently in scanning, which can be one of the reason.

 

FCT needs to get virus signature from FortiGuard, and EDR works by sending the details to Aggregator to process. Cloud service by EDR is usually kept up to date, but this may not be the case for FCT. The endpoint FCT by default attempt to get updates from FortiGuard every hour, if for whatever reason if it kept failing, we will have to look at it.

You can perform a search about the virus/malware in fortiguard.com, there are many variations of AsyncRAT and WGZ!tr.
For example, this https://www.fortiguard.com/encyclopedia/virus/10147915 is covered in EDR, is covered in FCT but only when there is extended signature database.

Regards,
Bon

View solution in original post

3 REPLIES 3
Anthony_E
Community Manager
Community Manager

Hello jaime,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager
Community Manager

Hello jaime,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
btan
Staff
Staff

Hi Jaime,

FortiClient (FCT) and EDR works differently in scanning, which can be one of the reason.

 

FCT needs to get virus signature from FortiGuard, and EDR works by sending the details to Aggregator to process. Cloud service by EDR is usually kept up to date, but this may not be the case for FCT. The endpoint FCT by default attempt to get updates from FortiGuard every hour, if for whatever reason if it kept failing, we will have to look at it.

You can perform a search about the virus/malware in fortiguard.com, there are many variations of AsyncRAT and WGZ!tr.
For example, this https://www.fortiguard.com/encyclopedia/virus/10147915 is covered in EDR, is covered in FCT but only when there is extended signature database.

Regards,
Bon
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors