Modified Executable - Connection from an In-Memory Modified Executable

Hello everyone

Recently I have started to receive logs with the "Modified Executable - Connection from an In-Memory Modified Executable" rule. I did not manage to find information about this rule on the internet but still want to understand what this event means and which behaviour triggers this rule. Is this something malicious, or shouldn't I worry about it at all?

Here is full log:

<133>1 2023-09-25T10:42:01.000Z FortiEDR - - - Message Type: Security Event;Organization: ;Organization ID: ;Event ID: 33649969;Raw Data ID: 1932815690;Device Name: ;Device State: Running;Operating System: Windows 10 Pro;Process Name: rooksbas.dll;Process Path: \Device\HarddiskVolume3\Program Files (x86)\Trusteer\Rapport\bin\rooksbas.dll;Process Type: 32bit;Severity: Medium;Classification: Likely Safe;Destination:;First Seen: 22-Sep-2023, 18:26:21;Last Seen: 25-Sep-2023, 12:42:01;Action: Blocked;Count: 92;Certificate: yes;Rules List: Modified Executable - Connection from an In-Memory Modified Executable;Users: N/A;MAC Address: 75-EE-34-CB-21-E1;Script: N/A;Script Path: N/A;Autonomous System: 8075 MICROSOFT-CORP-MSN-AS-BLOCK;Country: Netherlands;Process Hash: 13FC7A6CE7B1AEAB65E46E0BC245F9DB88B57B17;Source IP:;Threat Name: Unknown;Threat Family: Unknown;Threat Type: Unknown;Remediation Processes: N/A;Remediation Files: N/A;MITRE techniques: N/A;Target: \Device\HarddiskVolume3\Windows\System32\drivers\msseccore.sys, \Device\HarddiskVolume3\Windows\System32\wininit.exe, \Device\HarddiskVolume3\Windows\System32\smss.exe, \Device\HarddiskVolume3\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe, \Device\HarddiskVolume3\Windows\System32\services.exe;Command line: 000000cc 00000088 ;Remote Connection: N/A


The log indicates a potential security event involving a modified executable in memory attempting a connection. The process involved, rooksbas.dll, is associated with Trusteer Rapport, a legitimate security software. The system classified the event as "Likely Safe" with medium severity, and the connection attempt was blocked. The destination IP relates to Microsoft. Given these details, this event might be a false positive triggered by Trusteer Rapport's behavior or updates. However, it's advisable to verify the software's source, consult with FortiEDR support, and continuously monitor for similar logs to ensure system integrity.

Siddhanth Poojary
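
Added example, not part of the original posts and not Fortinet code: a Python parser for the syslog line quoted in the question, which extracts the fields the reply relies on (process, classification, action) and works out how long and how often the same event recurred. The names `parse_event` and `recurrence` are hypothetical, and the code assumes `;` never appears inside a field value.

```python
import re
from datetime import datetime

# Abbreviated copy of the event posted above: field values verbatim, some fields omitted.
SAMPLE = (
    "<133>1 2023-09-25T10:42:01.000Z FortiEDR - - - Message Type: Security Event;"
    "Organization: ;Event ID: 33649969;Process Name: rooksbas.dll;Severity: Medium;"
    "Classification: Likely Safe;Destination:;First Seen: 22-Sep-2023, 18:26:21;"
    "Last Seen: 25-Sep-2023, 12:42:01;Action: Blocked;Count: 92;Certificate: yes;"
    "Rules List: Modified Executable - Connection from an In-Memory Modified Executable;"
    "Process Hash: 13FC7A6CE7B1AEAB65E46E0BC245F9DB88B57B17;"
    "Target: \\Device\\HarddiskVolume3\\Windows\\System32\\wininit.exe, "
    "\\Device\\HarddiskVolume3\\Windows\\System32\\services.exe;Remote Connection: N/A"
)

HEADER = re.compile(r"^<(\d+)>1 (\S+) (\S+) \S+ \S+ \S+ ")
SEEN_FORMAT = "%d-%b-%Y, %H:%M:%S"  # layout of First Seen / Last Seen in the post


def parse_event(line):
    """Return the syslog header values and the 'Key: value' fields as one dict."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("unexpected syslog header")
    pri = int(m.group(1))
    event = {"facility": pri >> 3, "syslog_severity": pri & 7, "timestamp": m.group(2)}
    # Assumption: ';' never occurs inside a value (a command line could break this).
    for part in line[m.end():].split(";"):
        key, sep, value = part.partition(":")  # first colon only; times contain colons
        if sep:
            value = value.strip()
            event[key.strip()] = None if value in ("", "N/A") else value
    if event.get("Target"):
        event["Target"] = [t.strip() for t in event["Target"].split(",")]
    return event


def recurrence(event):
    """Group key for spotting repeats, plus how long and how often this one fired."""
    first = datetime.strptime(event["First Seen"], SEEN_FORMAT)
    last = datetime.strptime(event["Last Seen"], SEEN_FORMAT)
    hours = (last - first).total_seconds() / 3600
    return {
        "key": (event["Process Hash"], event["Rules List"]),
        "span_hours": round(hours, 1),
        "per_hour": round(int(event["Count"]) / hours, 2) if hours else None,
    }


if __name__ == "__main__":
    ev = parse_event(SAMPLE)
    print(ev["Process Name"], ev["Classification"], ev["Action"], recurrence(ev))
```

Grouping later events on the same `key` (process hash plus rule name) shows whether one signed module keeps producing the same alert, which is the detail to hand to support when asking whether it is a false positive.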
