Modified Executable - Connection from an In-Memory Modified Executable
Recently I have started to receive logs with the "Modified Executable - Connection from an In-Memory Modified Executable" rule. I did not manage to find information about this rule on the internet, but I still want to understand what this event means, which behaviour triggers this rule, and whether this is something malicious or I shouldn't worry about it at all.
The log indicates a potential security event involving a modified executable in memory attempting a connection. The process involved, rooksbas.dll, is associated with Trusteer Rapport, a legitimate security software. The system classified the event as "Likely Safe" with medium severity, and the connection attempt was blocked. The destination IP relates to Microsoft. Given these details, this event might be a false positive triggered by Trusteer Rapport's behavior or updates. However, it's advisable to verify the software's source, consult with FortiEDR support, and continuously monitor for similar logs to ensure system integrity.
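The answer above walks through a triage: which module raised the event, whether it belongs to a known security product, what the system classified and did, and who owns the destination. The following script is an added example (not FortiEDR's code or log format) that turns that reasoning into a repeatable check over alert records. The `Alert` field layout, the `KNOWN_HOOKING_MODULES` allowlist, and the `203.0.113.0/24` "vendor" range are constructed placeholders; in practice the allowlist and ranges would be populated from the organisation's own verified inventory, not from the values shown here.

```python
"""Triage helper for "Modified Executable - Connection from an In-Memory
Modified Executable" style alerts.

Added example, not FortiEDR code.  The record layout, the allowlist, and
every IP range below are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Hypothetical analyst-maintained allowlist: modules known to hook or patch
# process memory as part of a legitimate security product.
KNOWN_HOOKING_MODULES: Dict[str, str] = {
    "rooksbas.dll": "Trusteer Rapport",
}

# Constructed stand-in for destination ranges the organisation has verified
# as belonging to expected vendors.  A documentation range is used here as a
# placeholder; real entries come from the organisation's own verification.
VERIFIED_VENDOR_NETS = {
    "Microsoft (placeholder range)": ip_network("203.0.113.0/24"),
}


@dataclass
class Alert:
    rule: str
    process: str          # module named in the event, e.g. "rooksbas.dll"
    classification: str   # product verdict, e.g. "Likely Safe"
    action: str           # what the product did, e.g. "Blocked"
    destination: str      # IPv4/IPv6 literal the process tried to reach


@dataclass
class Verdict:
    priority: str         # "low", "medium" or "high"
    reason: str
    next_steps: List[str]


def vendor_for_destination(ip: str) -> Optional[str]:
    """Return the verified owner of an IP, or None if it is not on the list."""
    addr = ip_address(ip)
    for owner, net in VERIFIED_VENDOR_NETS.items():
        if addr in net:
            return owner
    return None


def triage(alert: Alert) -> Verdict:
    """Rank the alert using the same questions an analyst asks by hand."""
    vendor_module = KNOWN_HOOKING_MODULES.get(alert.process.lower())
    dest_owner = vendor_for_destination(alert.destination)
    blocked = alert.action.lower() == "blocked"

    if vendor_module and dest_owner:
        # Known security-product module talking to a verified destination:
        # consistent with a false positive, but still confirm the binary.
        return Verdict(
            "low",
            f"{alert.process} belongs to {vendor_module} and the destination "
            f"is verified {dest_owner}; consistent with a false positive",
            [
                "Confirm the module's on-disk path and publisher signature on the host",
                "Record the sighting and watch for recurrence after product updates",
                "Raise a case with vendor support if the rule keeps firing",
            ],
        )
    if vendor_module:
        # Recognised module, but the destination has not been attributed.
        return Verdict(
            "medium",
            f"{alert.process} is a known {vendor_module} module but "
            f"{alert.destination} is not a verified vendor destination",
            [
                "Attribute the destination before considering an allowlist entry",
                "Check that the module hash matches the installed product version",
            ],
        )
    # Unrecognised module modified in memory: treat as an investigation.
    steps = ["Capture the in-memory image and compare it with the on-disk file"]
    if not blocked:
        steps.append("Review the host's outbound traffic since the connection was allowed")
    return Verdict(
        "high",
        f"unrecognised in-memory modified executable {alert.process}",
        steps,
    )


if __name__ == "__main__":
    # Constructed sample records; the values are not from any real log.
    samples = [
        Alert("Modified Executable - Connection from an In-Memory Modified Executable",
              "rooksbas.dll", "Likely Safe", "Blocked", "203.0.113.10"),
        Alert("Modified Executable - Connection from an In-Memory Modified Executable",
              "rooksbas.dll", "Likely Safe", "Blocked", "198.51.100.5"),
        Alert("Modified Executable - Connection from an In-Memory Modified Executable",
              "unknown.dll", "Suspicious", "Logged", "198.51.100.5"),
    ]
    for a in samples:
        v = triage(a)
        print(f"[{v.priority}] {a.process} -> {a.destination}: {v.reason}")
```

The verdict is deliberately never "ignore": even the low-priority branch asks for the module's path and signature to be confirmed on the endpoint, because the rule fires on the in-memory image differing from what is on disk, and only the host can tell you whether that difference is the product's own hooking or something else.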