Fortinet black logo

Administration Guide

Remediating a Device Upon Malware Detection

Copy Link
Copy Doc ID 82fbe02c-e479-11eb-97f7-00505692583a:288187
Download PDF

Remediating a Device Upon Malware Detection

After malware is detected on a device, you can use one of the following methods to remediate the situation in the FortiEDR system:

Method

Description

Terminate the Process This method does not guarantee that the affected process will not attempt to execute again.
Delete the Affected File from the Computer This method ensures that the file does not attempt to exfiltrate data again, as the file is permanently removed from the device. When using this method, be careful not to delete files that are important to the system, in order to protect system stability.
Remove or Modify the Registry Key

This method removes a registry key or updates a registry key’s value. This method changes malicious registry key modifications by removing newly created keys or returning key values to their original form.

Note – Some malware have persistency capabilities, which makes the infection appear again. In addition, in some rare cases, malware can cause the system to crash if you try to remove them.

Both of these methods can be performed using the Forensics add-on.

To remediate a device on which malware was detected:
  1. Select the security event(s) to analyze using one of the following methods described onEvent Viewer
  2. In the Raw Events area, select the relevant process. Use the various forensic tools provided by FortiEDR to determine the process of interest.

    After selecting the process of interest, the bottom pane of the window displays the list of files associated with that process.

  3. Check the checkbox of the relevant file and then click the button. The following window displays:

  4. Do one of the following:
    1. Check the Terminate process checkbox to terminate the selected process. A warning message displays.

      Click Terminate process to terminate the selected process.

    2. Check the Remove selected executable file checkbox to delete the specified file from the device. A warning message displays.

      Click Delete file to remove the selected file.

    3. Check the Delete file at path checkbox. In the adjacent field, enter the file path on the device that contains the file to be removed.

      A warning message displays.

      Click Delete file to remove the file from the specified path.

    4. Check the Handle persistent data (registry) checkbox to clean the registry keys in Windows. In the adjacent field, enter the value of the registry key to be removed or modified.

      Value data should be provided in the required format, based on the value type selected in the dropdown list, as follows:

      • String for types REG_SZ(1), REG_EXPAND_SZ(2), REG_DWORD(4) and REG_QWORD(11).
      • Base64 for types REG_BINARY(3), REG_DWORD_BIG_ENDIAN(5), REG_LINK(6), REG_MULTI_SZ(7), REG_RESOURCE_LIST(8), REG_FULL_RESOURCE_DESCRIPTOR(9) and REG_RESOURCE_REQUIREMENTS_LIST(10).

      Select the Remove key radio button to remove the registry key value.

      Select the Modify registry value radio button to change the current registry key value. When selecting this option, you must also specify the new value for the registry key in the gray box and the key’s value type in the adjacent dropdown menu (for example, string, binary and so on).

  5. Click the Remediate button.

Remediating a Device Upon Malware Detection

After malware is detected on a device, you can use one of the following methods to remediate the situation in the FortiEDR system:

Method

Description

Terminate the Process This method does not guarantee that the affected process will not attempt to execute again.
Delete the Affected File from the Computer This method ensures that the file does not attempt to exfiltrate data again, as the file is permanently removed from the device. When using this method, be careful not to delete files that are important to the system, in order to protect system stability.
Remove or Modify the Registry Key

This method removes a registry key or updates a registry key’s value. This method changes malicious registry key modifications by removing newly created keys or returning key values to their original form.

Note – Some malware have persistency capabilities, which makes the infection appear again. In addition, in some rare cases, malware can cause the system to crash if you try to remove them.

Both of these methods can be performed using the Forensics add-on.

To remediate a device on which malware was detected:
  1. Select the security event(s) to analyze using one of the following methods described onEvent Viewer
  2. In the Raw Events area, select the relevant process. Use the various forensic tools provided by FortiEDR to determine the process of interest.

    After selecting the process of interest, the bottom pane of the window displays the list of files associated with that process.

  3. Check the checkbox of the relevant file and then click the button. The following window displays:

  4. Do one of the following:
    1. Check the Terminate process checkbox to terminate the selected process. A warning message displays.

      Click Terminate process to terminate the selected process.

    2. Check the Remove selected executable file checkbox to delete the specified file from the device. A warning message displays.

      Click Delete file to remove the selected file.

    3. Check the Delete file at path checkbox. In the adjacent field, enter the file path on the device that contains the file to be removed.

      A warning message displays.

      Click Delete file to remove the file from the specified path.

    4. Check the Handle persistent data (registry) checkbox to clean the registry keys in Windows. In the adjacent field, enter the value of the registry key to be removed or modified.

      Value data should be provided in the required format, based on the value type selected in the dropdown list, as follows:

      • String for types REG_SZ(1), REG_EXPAND_SZ(2), REG_DWORD(4) and REG_QWORD(11).
      • Base64 for types REG_BINARY(3), REG_DWORD_BIG_ENDIAN(5), REG_LINK(6), REG_MULTI_SZ(7), REG_RESOURCE_LIST(8), REG_FULL_RESOURCE_DESCRIPTOR(9) and REG_RESOURCE_REQUIREMENTS_LIST(10).

      Select the Remove key radio button to remove the registry key value.

      Select the Modify registry value radio button to change the current registry key value. When selecting this option, you must also specify the new value for the registry key in the gray box and the key’s value type in the adjacent dropdown menu (for example, string, binary and so on).

  5. Click the Remediate button.