FortiEDR
Luke_FTNT
Staff
Article Id 306446
Description: This article describes how to gather additional, advanced logs for troubleshooting Device Control issues.
Scope: FortiEDR Windows Collector v4.0+.
Solution:

FortiEDR Windows Collector offers the Device Control feature, which lets security administrators block or allow specific types of USB devices. Without such control, a USB device could be used by a threat actor to transfer malicious payloads onto the endpoint or to exfiltrate data from it.

In some very rare circumstances, USB devices can fail to load when connected to the machine. This can have several causes, and verbose logs are needed to troubleshoot it efficiently. Take the following steps on the endpoint to collect advanced logs:

  1. Export a list of CIM Logical Devices while the device is connected, even if it is in an error state, by running the following from a PowerShell prompt: 'wmic path CIM_LogicalDevice where "Description like 'USB%'" | ConvertTo-Json'. The output can also be redirected to a text file, for example: 'wmic path CIM_LogicalDevice where "Description like 'USB%'" | ConvertTo-Json > output.txt'.

  2. Export the Class key of the Registry's current control set using the command:

    Invoke-Command {reg export 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class' C:\Users\REPLACE-USER-NAME-HERE\Desktop\output.reg}

    This should be performed when the USB device is connected.

  3. Enable verbose logging on FortiEDR Collector. This will require the following steps:
    1. Stop the Collector service using the command 'C:\Program Files\Fortinet\FortiEDR\FortiEDRCollectorService.exe --stop'.
    2. Open Notepad as administrator and open the file 'C:\ProgramData\FortiEDR\Config\Collector\CollectorBootstrap.jsn'.
    3. Scroll down to the value 'WriteAllEventsToLog' and change its value from 'false' to 'true'.
    4. Scroll down to the 'DCM' value, change its value from 'error' to 'debug', and save the file changes.
    5. Restart the Collector service: 'C:\Program Files\Fortinet\FortiEDR\FortiEDRCollectorService.exe --start'.
    6. Connect and disconnect the USB device at least a handful of times over ten minutes. If the issue persists, export the Collector logs and upload them to Fortinet TAC via a FortiCare support ticket. Note that step 3 should be reverted after this stage to avoid excessive logging.
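The whole collection procedure above, scripted as one added PowerShell example. This is not Fortinet's own tooling; it assumes the Collector binary and bootstrap file live at the paths quoted in the steps, that CollectorBootstrap.jsn is valid JSON containing properties named WriteAllEventsToLog and DCM somewhere in its tree, and that the script is run from an elevated PowerShell prompt while the USB device is attached. Get-CimInstance is used as the PowerShell-native equivalent of the wmic command in step 1; the -Revert switch performs the rollback of step 3 that the last step asks for.

```powershell
<#
  Added example (not Fortinet's tooling): collects the Device Control diagnostics
  from the article in one pass and can revert the verbose logging afterwards.
  Assumptions: paths below match the article; CollectorBootstrap.jsn is valid
  JSON with properties named WriteAllEventsToLog and DCM; run elevated.
#>
param(
    [string]$OutDir = (Join-Path $env:USERPROFILE 'Desktop\FortiEDR-DeviceControl'),
    [switch]$Revert   # restore the backed-up bootstrap file and restart the Collector
)

$CollectorExe = 'C:\Program Files\Fortinet\FortiEDR\FortiEDRCollectorService.exe'
$Bootstrap    = 'C:\ProgramData\FortiEDR\Config\Collector\CollectorBootstrap.jsn'
$Backup       = "$Bootstrap.bak"

# Walk a parsed JSON tree and set every property whose name matches.
# Returns the number of properties changed so the caller can detect a missing key.
function Set-JsonProperty($Node, [string]$Name, $Value) {
    $changed = 0
    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        foreach ($p in $Node.PSObject.Properties) {
            if ($p.Name -eq $Name) { $p.Value = $Value; $changed++ }
            else { $changed += Set-JsonProperty $p.Value $Name $Value }
        }
    } elseif ($Node -is [System.Collections.IEnumerable] -and $Node -isnot [string]) {
        foreach ($item in $Node) { $changed += Set-JsonProperty $item $Name $Value }
    }
    return $changed
}

if ($Revert) {
    # Step 6's clean-up: put the original bootstrap file back and restart the service.
    if (-not (Test-Path $Backup)) { throw "No backup found at $Backup; nothing to revert." }
    & $CollectorExe --stop
    Copy-Item $Backup $Bootstrap -Force
    Remove-Item $Backup
    & $CollectorExe --start
    Write-Host 'Verbose logging reverted; Collector restarted.'
    return
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 1: USB-related CIM logical devices, including ones in an error state.
# ConfigManagerErrorCode is non-zero for a device Plug and Play could not start.
Get-CimInstance -ClassName CIM_LogicalDevice -Filter "Description LIKE 'USB%'" |
    Select-Object Name, Description, DeviceID, PNPDeviceID, Status, ConfigManagerErrorCode |
    ConvertTo-Json -Depth 3 |
    Set-Content (Join-Path $OutDir 'usb-devices.json')

# Step 2: export the Class key while the device is attached (/y overwrites without prompting).
reg export 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class' (Join-Path $OutDir 'Class.reg') /y | Out-Null

# Step 3: stop the Collector, back up the bootstrap file, flip the two logging values, restart.
& $CollectorExe --stop
try {
    if (-not (Test-Path $Backup)) { Copy-Item $Bootstrap $Backup }
    $cfg = Get-Content $Bootstrap -Raw | ConvertFrom-Json
    $hits = (Set-JsonProperty $cfg 'WriteAllEventsToLog' $true) + (Set-JsonProperty $cfg 'DCM' 'debug')
    if ($hits -lt 2) { throw "Expected keys not found in $Bootstrap; file left unchanged." }
    $cfg | ConvertTo-Json -Depth 20 | Set-Content $Bootstrap
} finally {
    & $CollectorExe --start   # never leave the endpoint without its Collector running
}

Write-Host "Diagnostics written to $OutDir. Connect and disconnect the USB device several times"
Write-Host "over the next ten minutes, export the Collector logs, then run this script with -Revert."
```

Because ConvertFrom-Json and ConvertTo-Json round-trip the file, comments or original formatting in CollectorBootstrap.jsn would not survive the edit; the backup taken before the change is what -Revert restores, so keep it until the verbose logging has been switched off.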