Administration Guide

Exclusion Manager

The Exclusion Manager enables you to define which processes or files are excluded from Security Policies monitoring. Two types of exclusions can be defined in the Exclusion Manager:

  • Process Exclusions: This type of exclusion specifies that FortiEDR does not inspect the actions that are performed by specific processes, so that these processes do not trigger security events. The processes that are excluded are identified by the attributes of the processes, according to your definitions.

    There may be various reasons for excluding a process in this manner. For example, a process’s performance or functionality may be affected by FortiEDR’s inspection, while the customer knows that the process is good/safe (this example is relevant even when the process does not trigger security events). In this case, the exclusion specifies that FortiEDR no longer inspects the specified processes.

    Please note that adding this type of exclusion excludes this process from being monitored by all FortiEDR features and all activities of this process are ignored.

  • Execution Prevention Exclusions: The Execution Prevention policy inspects/scans files and then blocks their execution if they are identified as malicious or suspected to be malicious. Execution Prevention Exclusions specify that FortiEDR does not apply the Execution Prevention policy inspection, which analyzes files in order to find evidence of malicious activity, as described in Security Settings. The files that are excluded are identified by the attributes of the files that are the target of the Execution Prevention actions, according to your definitions.

To manage exclusions:

Select SECURITY SETTINGS > Security Events > Exclusion Manager. The following window displays, showing the list of previously created exclusions:

The list of exclusions in the Collection Exclusions page contains the following columns:

  • Checkbox: Enables you to select multiple rows.

  • Icon: Represents the type of exclusion (Process or Execution Prevention).

  • SOURCE ATTRIBUTES: Specifies the attributes that were defined in order to identify the Process/File, as described in Defining exclusions.

  • OS: Specifies the operating system to which this exclusion applies. Currently, only Windows is supported.

  • LAST UPDATED: Specifies when this exclusion was last updated and by whom.

  • STATE: Specifies whether this exclusion is enabled or disabled.

  • Edit and delete exclusion tools.

The following actions can be performed in the Collection Exclusions page:
