The correct answers are B and C.
The exhibit shows the event classification as Malicious. In FortiEDR, event classification can be performed by the Core and later updated by FortiEDR Cloud Service (FCS). The guide states that the audit history shows the classification chronology and includes details when FCS reclassifies a security event after the Core’s initial classification. It also states that notifications can be based on either Core or FCS classification depending on whether FCS classification is received within the timeout period.
The exhibit also shows TestApplication.exe with Status: Running. That means the process was launched and is currently running on the endpoint. Therefore, C is correct.
Option A is wrong because the exhibit clearly shows Status: Unhandled, not Handled. The guide states that FortiEDR security events are initially marked as unread and unhandled, and users can later mark them handled through the incident handling workflow.
Option D is wrong because the exhibit shows rule indicators such as Invalid Checksum, Suspicious Packer, and Writable Code, but it does not prove that TestApplication.exe is “sophisticated malware.” FortiEDR classifies the event as malicious, but the guide’s Malicious classification means the event is verified to have malicious capability, is intended to harm the infected device, and has no commercially viable use; the exhibit alone does not justify the stronger claim “sophisticated malware.”
=========