A realistic example of suspicious activity antivirus often ignores

17/01/2026 · FortiSense
Tags: endpoint detection, antivirus blind spots, suspicious activity, process behaviour, PowerShell, execution paths, security context

Most real security incidents don’t start with a loud alert.

They start quietly, with something that could be normal… or could be the first sign of trouble.

Let’s walk through a realistic example.

No malware samples.
No red-team theatrics.
Just something that happens on real machines every day.

The scenario: a normal Windows machine

Imagine a Windows 11 desktop or laptop used for everyday work.

  • Antivirus is enabled (Defender, Norton, etc.)

  • System is up to date

  • User installs software occasionally

  • Nothing obviously malicious has happened

This is a very normal environment.

Step 1: A legitimate installer runs

The user installs a common application, say a code editor or utility.

During installation:

  • An installer executable runs

  • Temporary files are extracted

  • Child processes are launched

This is expected behaviour.

Antivirus is happy.

Step 2: A process runs from a temporary folder

As part of the install, a process runs from a path like:

C:\Users\Dean\AppData\Local\Temp\is-RB20M.tmp\

The filename looks long and random.
The path is user-writable.
The process name isn’t something the user recognises.

Still, this happens all the time during installs.

What antivirus sees

  • File hash not known to be malicious

  • No exploit behaviour

  • No obvious payload

So antivirus does nothing.

And that’s reasonable.

Step 3: PowerShell is launched

Shortly after, PowerShell starts.

It’s:

  • A legitimate Windows binary

  • Located in System32

  • Frequently used by installers and tools

Again, antivirus stays quiet.

Nothing here is definitively malicious.

Why antivirus ignores this (and why that’s not wrong)

Traditional antivirus is designed to answer one main question:

“Is this file known to be bad?”

In this scenario:

  • The files are legitimate

  • The binaries are trusted

  • There’s no signature match

From an AV point of view, there’s nothing to block.

And blocking it could cause false positives and break installs.

The problem: context is missing

What antivirus doesn’t surface is context.

Questions like:

  • Why did this process run from a temporary directory?

  • What launched it?

  • Is this normal for this device?

  • Has this pattern been seen here before?

That’s where blind spots appear.

What FortiSense surfaces instead

FortiSense doesn’t immediately say “this is malware”.

Instead, it surfaces explainable signals.

For example:

  • A legitimate binary running from a temporary directory

  • A parent–child process chain showing how it started

  • Whether this behaviour has been seen on this device before

  • Why the activity is considered unusual

The alert doesn’t say “danger”.
It says “this is worth looking at”, and explains why.

What the user actually sees

Instead of a vague warning, the user sees:

  • What ran: the exact process name

  • Where it ran from: a temp directory

  • How it started: the parent process

  • Why it scored risk: unusual execution path

All in plain language.

No reverse engineering required.

Step 4: The user makes a decision

At this point, the user can decide:

  • “Yes, this was a legitimate install, ignore it going forward.”

  • “This shouldn’t be happening, quarantine it.”

The tool doesn’t force an action.
It gives enough context to make a confident choice.

Over time, false positives are reduced because:

  • Trusted patterns are learned

  • Noise is explicitly suppressed

  • Only genuinely unusual behaviour stands out
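To make the signals described above (and the "ignore it going forward" decision in Step 4) concrete, here is an added illustration in Python. It is my own code, not FortiSense's: it replays the install chain from this post as constructed Sysmon-style process-creation events, flags the temp-directory execution and the PowerShell launch with plain-language reasons, records whether the chain has been seen on this device before, and lets a "legitimate install" decision suppress that exact chain. The event fields, regular expressions and device name are assumptions, not FortiSense internals.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed process-creation events (fields modelled on Sysmon event ID 1 / 4688)
# replaying the install in the post: installer -> temp-dir child -> PowerShell.
EVENTS = [
    {"pid": 4100, "ppid": 900, "device": "DEAN-PC",
     "image": r"C:\Users\Dean\Downloads\editor-setup.exe"},
    {"pid": 4120, "ppid": 4100, "device": "DEAN-PC",
     "image": r"C:\Users\Dean\AppData\Local\Temp\is-RB20M.tmp\editor-setup.tmp"},
    {"pid": 4130, "ppid": 4120, "device": "DEAN-PC",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

TEMP_DIR = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\", re.IGNORECASE)
Pattern = Tuple[str, str]  # (device, parent-child chain) is the unit of "seen before"

def ancestry(events: List[dict], pid: int) -> List[dict]:
    """The process followed by its known ancestors, child first."""
    by_pid = {e["pid"]: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None:
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain

def explain(events: List[dict], pid: int, seen: Set[Pattern],
            trusted: Set[Pattern]) -> Optional[Dict]:
    """Explainable signal for one event; None if nothing is unusual or it is trusted."""
    chain = ancestry(events, pid)
    me, parents = chain[0], chain[1:]
    where, what = me["image"].rsplit("\\", 1)
    how = " <- ".join(e["image"].rsplit("\\", 1)[-1] for e in chain)
    key = (me["device"], how)
    seen_before = key in seen
    seen.add(key)  # record the chain whether or not it is flagged
    if key in trusted:
        return None  # user already said this chain is a normal install here
    why = []
    if TEMP_DIR.match(me["image"]):
        why.append("runs from a user-writable temp directory")
    if SYSTEM_DIR.match(me["image"]) and any(TEMP_DIR.match(p["image"]) for p in parents):
        why.append("trusted system binary launched by a temp-directory process")
    if why and not seen_before:
        why.append("this chain has not been seen on this device before")
    return {"what": what, "where": where, "how": how, "why": why} if why else None

def trust(trusted: Set[Pattern], signal: Dict, device: str) -> None:
    trusted.add((device, signal["how"]))  # "legitimate install, ignore it going forward"
```

The installer itself (Step 1) produces no signal, the temp-directory child (Step 2) and the PowerShell launch (Step 3) each produce one with their reasons, and trusting the PowerShell chain suppresses only that chain on that device.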

Why this matters in the real world

Many real attacks start by:

  • Using legitimate binaries

  • Running from writable locations

  • Blending into normal system activity

They don’t trip antivirus immediately, and sometimes never do.

The goal isn’t to panic on every anomaly.
It’s to surface the early signals that are otherwise invisible.

FortiSense’s role

FortiSense exists to answer a different question than antivirus:

“Is this behaviour normal for this system, and if not, why?”

It’s not trying to replace AV.
It’s not trying to be a full EDR.

It’s there to give you early, explainable visibility, before things escalate.

Closing thought

Most suspicious activity doesn’t look suspicious at first glance.

That’s why context matters.

FortiSense doesn’t shout.
It explains.

And that difference is often what turns “nothing to see here” into “glad we caught that early.”

Want early access?

Join Founders Access for beta features and direct support during development.
