
Administration Guide


Out-of-the-box Policies

FortiEDR provides the following out-of-the-box policies:

  • Execution Prevention: This policy blocks the execution of files that are identified as malicious or suspected to be malicious. For this policy, each file is analyzed to find evidence for malicious activity. One of the following rules is triggered, based on the analysis result:
    • Most Likely a Malicious File: A Malicious File Execution rule is triggered with a critical severity. By default, the file is blocked.

    • Probably a Malicious File: A Suspicious File Execution rule is triggered with a high severity. By default, the file is blocked.

    • Show Evidence of Malicious File: An Unresolved file rule is triggered with a medium severity. By default, the file is logged, but is not blocked.

  • Exfiltration Prevention: This policy enables FortiEDR to distinguish which connection establishment requests are malicious ones.
  • Ransomware Prevention: This policy enables FortiEDR to detect and block malware that prevents or limits users from accessing their own system.
  • Application Control: This policy enables FortiEDR to block user-defined applications from running, so that they do not launch. Blocklist management is done on the Application Control Manager page, see page 57 for more details.
  • Device Control: This policy enables FortiEDR to detect and block the usage of USB devices, such as USB mass storage devices. In this policy, detection is based on the device type. This feature is a license-dependent add-on and requires the Vulnerability Management add-on (meaning a License Type of either Discover and Protect or Discover, Protect and Response).
  • eXtended Detection Policy: This policy provides visibility into data across multiple security systems and identifies abnormal or malicious activity by applying analytics and correlating data from various systems. This policy requires that you configure an XDR source connector in the ADMINISTRATION > INTEGRATIONS section. This feature is a license-dependent add-on. You may contact Fortinet Support for more information.

    Note: The Extended Detection policy provides detection features (meaning that events are logged and displayed in the Event Viewer). No blocking options are provided. The exceptions and forensics options are not available in the Event Viewer for security events triggered by the Extended Detection policy.

Note: You will receive one or all policies, depending on your FortiEDR license.

FortiEDR security policies come with multiple highly intelligent rules that enforce them.

The Exfiltration Prevention, Ransomware Prevention, Application Control, Device Control, Execution Prevention and eXtended Detection security policies can run simultaneously.

Note

When multiple security policies are used, they do not generate duplicate security events:

  • Exfiltration Prevention rule violation is detected when there is a connection establishment attempt.
  • Ransomware rule violation is detected when there is an attempt to lock files or access their data (for example, by encrypting the data).
  • Execution Prevention rule violation is detected when a malicious file is being executed by the user or by the operating system.
  • Device Control rule violation is detected when there is an attempt to use a USB device, such as a mass storage device. It is supported on Windows devices only.
  • Application Control rule violation is detected when there is an execution attempt of an application that is included in the blocklist.
  • An Extended Detection rule violation is detected when malicious activity is identified across network, endpoints and cloud.

Thus, these security policies detect rule violations at different places and points in time in the operating system. Device Control and Application Control security events are displayed under the dedicated Device Control or Application Control filters in the Events page and are not listed as part of the All filter.
