
XML Reference Guide

Real-time protection


The <real_time_protection> element configures how the scanner processes files used by programs running on the system.

Several tags in this section are the same as in the previous section, <on_demand_scanning>.

<forticlient_configuration>
    <antivirus>
        <real_time_protection>
            <enabled>1</enabled>
            <use_extreme_db>0</use_extreme_db>
            <when>0</when>
            <ignore_system_when>0</ignore_system_when>
            <on_virus_found>0</on_virus_found>
            <popup_alerts>0</popup_alerts>
            <popup_registry_alerts>0</popup_registry_alerts>
            <bypass_java>0</bypass_java>
            <cloud_based_detection>
                <on_virus_found></on_virus_found>
            </cloud_based_detection>
            <compressed_files>
                <scan>1</scan>
                <maxsize>2</maxsize>
            </compressed_files>
            <riskware>
                <enabled>1</enabled>
            </riskware>
            <adware>
                <enabled>1</enabled>
            </adware>
            <heuristic_scanning>
                <level>3</level>
                <action>0</action>
            </heuristic_scanning>
            <scan_file_types>
                <all_files>1</all_files>
                <file_types>
                    <extensions>.386,.ACE,.ACM,.ACV,.ACX,.ADT,.APP,.ASD,.ASP,.ASX,.AVB,.AX,.AX2,.BAT,.BIN,.BTM,.CDR,.CFM,.CHM,.CLA,.CLASS,.CMD,.CNN,.COM,.CPL,.CPT,.CPY,.CSC,.CSH,.CSS,.DEV,.DLL,.DOC,.DOT,.DRV,.DVB,.DWG,.EML,.EXE,.FON,.GMS,.GVB,.HLP,.HTA,.HTM,.HTML,.HTT,.HTW,.HTX,.HXS,.INF,.INI,.JPG,.JS,.JTD,.KSE,.LGP,.LIB,.LNK,.MDB,.MHT,.MHTM,.MHTML,.MOD,.MPD,.MPP,.MPT,.MRC,.OCX,.PIF,.PL,.PLG,.PM,.PNF,.PNP,.POT,.PPA,.PPS,.PPT,.PRC,.PWZ,.QLB,.QPW,.REG,.RTF,.SBF,.SCR,.SCT,.SH,.SHB,.SHS,.SHT,.SHTML,.SHW,.SIS,.SMM,.SWF,.SYS,.TD0,.TLB,.TSK,.TSP,.TT6,.VBA,.VBE,.VBS,.VBX,.VOM,.VSD,.VSS,.VST,.VWP,.VXD,.VXE,.WBK,.WBT,.WIZ,.WK,.WML,.WPC,.WPD,.WSC,.WSF,.WSH,.XLS,.XML,.XTP</extensions>
                    <include_files_with_no_extension>0</include_files_with_no_extension>
                </file_types>
            </scan_file_types>
            <exclusions>
                <file />
                <folder />
                <file_types>
                    <extensions />
                </file_types>
            </exclusions>
        </real_time_protection>
    </antivirus>
</forticlient_configuration>

The following table lists the XML tags for RTP with their descriptions and, where applicable, their default values.

XML Tag | Description | Default Value

<enabled>
Enable or disable real-time protection.
Boolean value: [0 | 1]
Default value: 1

<use_extreme_db>
Use the extreme database.
Boolean value: [0 | 1]

<when>
File I/O activities that result in a scan. Select one of the following:
  • 0: scan files when processes read or write them + enable scan network files
  • 1: scan files when processes read them + disable scan network files
  • 2: scan files when processes write them + disable scan network files
  • 3: scan files when processes read or write them + disable scan network files
  • 4: scan files when processes read them + enable scan network files
  • 5: scan files when processes write them + enable scan network files
Default value: 0

<ignore_system_when>
Select one of the following:
  • 0: scan files when system processes read or write them
  • 1: scan files when system processes read them
  • 2: scan files when system processes write them (default)
  • 3: do not scan files when system processes read or write them
Default value: 2

<on_virus_found>
The action FortiClient performs if a virus is found. Select one of the following:
  • 1: ignore
  • 3: warning
  • 4: quarantine
  • 5: deny access
Default value: 5

<popup_alerts>
Display alerts when a virus is found.
Boolean value: [0 | 1]
Default value: 1

<popup_registry_alerts>
Enable or disable pop-up registry alerts. This feature displays an alert if a process tries to change registry start items.
Boolean value: [0 | 1]
Default value: 0

<bypass_java>
Enable or disable bypassing digitally signed Java processes.
Boolean value: [0 | 1]
Default value: 0

<cloud_based_detection> elements

<on_virus_found>
The action FortiClient performs when a virus is detected by the Cloud Based Behavior Scan (CBBS). Select one of the following:
  • 4: Quarantine
  • 5: Deny access

<compressed_files> elements

<scan>
Enable or disable scanning of compressed files.
Boolean value: [0 | 1]
Default value: 1

<maxsize>
Maximum compressed file size to scan, in MB.
A number up to 65535. 0 means no limit.
Default value: 2

<riskware> element

<enabled>
Enable or disable scanning of riskware files.
Boolean value: [0 | 1]
Default value: 1

<adware> element

<enabled>
Enable or disable scanning of adware files.
Boolean value: [0 | 1]
Default value: 1

<heuristic_scanning> elements

<level>
Level is from 0 to 4. Applies to both real-time and on-demand scans.

<action>
The action FortiClient performs if a virus is found. Select one of the following:
  • 0: warning
  • 1: deny access
  • 3: submit only

<scan_file_types> element

<all_files>
Enable or disable scanning of all file types. If enabled, the <file_types> element is ignored.
Boolean value: [0 | 1]
Default value: 1

<scan_file_types><file_types> elements

<extensions>
Comma-separated list of extensions to scan.

<include_files_with_no_extension>
Determines whether to scan files with no extension.
Boolean value: [0 | 1]
Default value: 0

<exclusions> elements – FortiClient supports using wildcards and path variables to specify files and folders to exclude from scanning. The following wildcards and variables are supported, among others:
  • Using wildcards to exclude a range of file names with a specified extension, such as Edb*.jrs
  • Using wildcards to exclude all files with a specified extension, such as *.jrs
  • Path variable %windir%
  • Path variable %allusersprofile%
  • Path variable %systemroot%
  • Path variable %systemdrive%
Combinations of wildcards and variables are not supported.

<file>
Full path to a file to exclude from on-demand scanning. The element may be repeated to list more files.

<folder>
Full path to a directory to exclude from on-demand scanning. The element may be repeated to list more directories. Shadow Copy format is supported, for example, <folder>\Device\HarddiskVolumeShadowCopy*</folder>. Shadow Copy is also known as Volume Snapshot Service, Volume Shadow Copy Service, or VSS. Wildcards are not accepted.

<exclusions><file_types> element

<extensions>
Comma-separated list of extensions to exclude from on-demand scanning.

<sandboxing> element

<enabled>
Enable or disable FortiSandbox configuration.
Boolean value: [0 | 1]

<sandbox_address>
Specify the IP address for FortiSandbox.

<timeout>
Specify how long to wait, in seconds, for FortiSandbox results before allowing file access. When set to 0 seconds, file access is granted without waiting for FortiSandbox results.
Range: 0-4294967295 in seconds

<use_sandbox_signatures>
Enable or disable the use of FortiSandbox signatures.
Boolean value: [0 | 1]

<check_for_signatures_every>
Specify how often to check for FortiSandbox signatures when <use_sandbox_signatures> is set to 1.
Boolean value: [0 | 1]

<action_on_error>
Specify whether to block traffic when FortiSandbox finds errors. When this setting is 0, traffic is passed. When this setting is 1, traffic is blocked.
Boolean value: [0 | 1]
Default value: 0

<scan_usb>
Enable or disable sending files from USB drives to FortiSandbox for scanning. When this setting is 0, files are not scanned. When this setting is 1, files are scanned.
Boolean value: [0 | 1]
Default value: 0

<scan_mapped_drives>
Enable or disable sending files from mapped drives to FortiSandbox for scanning. When this setting is 0, files are not scanned. When this setting is 1, files are scanned.
Boolean value: [0 | 1]
Default value: 0
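The script below is an added example, not part of this reference guide and not FortiClient code. It parses a <real_time_protection> fragment with Python's standard xml.etree module and reports values that fall outside the enumerations documented in the table above, settings that reduce coverage (system-process I/O left unscanned, detections ignored or only warned about, compressed files skipped, network files excluded by <when>), and <exclusions> entries that combine a path variable with a wildcard, which the table states is not supported. The two XML fragments (one weak, one corrected), the severity labels and the helper names are constructed for this example; the element names and allowed values come from the table.

```python
import xml.etree.ElementTree as ET

# Allowed values, taken from the reference table.
WHEN_VALUES = {0, 1, 2, 3, 4, 5}
IGNORE_SYSTEM_WHEN_VALUES = {0, 1, 2, 3}
ON_VIRUS_FOUND_VALUES = {1, 3, 4, 5}
HEURISTIC_ACTION_VALUES = {0, 1, 3}
PATH_VARIABLES = ("%windir%", "%allusersprofile%", "%systemroot%", "%systemdrive%")

# Constructed sample with several weak settings (not a real FortiClient export).
WEAK_XML = """<forticlient_configuration><antivirus><real_time_protection>
  <enabled>1</enabled>
  <when>3</when>
  <ignore_system_when>3</ignore_system_when>
  <on_virus_found>1</on_virus_found>
  <compressed_files><scan>0</scan><maxsize>2</maxsize></compressed_files>
  <heuristic_scanning><level>3</level><action>0</action></heuristic_scanning>
  <scan_file_types><all_files>0</all_files>
    <file_types><extensions>.EXE,.DLL</extensions></file_types></scan_file_types>
  <exclusions>
    <file>%windir%\\Temp\\*.log</file>
    <folder>C:\\Build</folder>
    <file_types><extensions>.EXE</extensions></file_types>
  </exclusions>
</real_time_protection></antivirus></forticlient_configuration>"""

# The same fragment with the weak settings corrected (also constructed).
HARDENED_XML = """<forticlient_configuration><antivirus><real_time_protection>
  <enabled>1</enabled>
  <when>0</when>
  <ignore_system_when>2</ignore_system_when>
  <on_virus_found>5</on_virus_found>
  <compressed_files><scan>1</scan><maxsize>2</maxsize></compressed_files>
  <heuristic_scanning><level>3</level><action>1</action></heuristic_scanning>
  <scan_file_types><all_files>1</all_files></scan_file_types>
  <exclusions>
    <file>%windir%\\Temp\\build.log</file>
    <folder>C:\\Build</folder>
    <file_types><extensions /></file_types>
  </exclusions>
</real_time_protection></antivirus></forticlient_configuration>"""


def _text(parent, path):
    node = parent.find(path)
    return (node.text or "").strip() if node is not None else ""


def _int(parent, path, default):
    value = _text(parent, path)
    return int(value) if value else default


def _extensions(parent, path):
    return [e.strip().upper() for e in _text(parent, path).split(",") if e.strip()]


def audit_rtp(xml_text):
    """Return (severity, tag, message) findings for a <real_time_protection> block."""
    rtp = ET.fromstring(xml_text).find("./antivirus/real_time_protection")
    if rtp is None:
        return [("error", "real_time_protection", "element not found")]
    findings = []

    def flag(severity, tag, message):
        findings.append((severity, tag, message))

    if _int(rtp, "enabled", 1) != 1:
        flag("high", "enabled", "real-time protection is disabled")
    when = _int(rtp, "when", 0)
    if when not in WHEN_VALUES:
        flag("error", "when", "value %d is not documented (0-5)" % when)
    elif when in (1, 2, 3):  # these three values disable scanning of network files
        flag("medium", "when", "value %d disables scanning of network files" % when)
    system_when = _int(rtp, "ignore_system_when", 2)
    if system_when not in IGNORE_SYSTEM_WHEN_VALUES:
        flag("error", "ignore_system_when", "value %d is not documented (0-3)" % system_when)
    elif system_when == 3:
        flag("high", "ignore_system_when", "files read or written by system processes are never scanned")
    action = _int(rtp, "on_virus_found", 5)
    if action not in ON_VIRUS_FOUND_VALUES:
        flag("error", "on_virus_found", "value %d is not documented (1, 3, 4, 5)" % action)
    elif action == 1:
        flag("high", "on_virus_found", "detections are ignored; use 4 (quarantine) or 5 (deny access)")
    elif action == 3:
        flag("medium", "on_virus_found", "detections only raise a warning")
    if _int(rtp, "compressed_files/scan", 1) != 1:
        flag("medium", "compressed_files/scan", "compressed files are not scanned")
    if _int(rtp, "heuristic_scanning/action", 0) not in HEURISTIC_ACTION_VALUES:
        flag("error", "heuristic_scanning/action", "value is not documented (0, 1, 3)")
    if _int(rtp, "scan_file_types/all_files", 1) != 1:
        count = len(_extensions(rtp, "scan_file_types/file_types/extensions"))
        flag("low", "scan_file_types/all_files", "only %d listed extensions are scanned" % count)
    # The table says combinations of wildcards and path variables are not supported,
    # so an exclusion that mixes them is not a valid entry and should be rewritten.
    for path in ("exclusions/file", "exclusions/folder"):
        for node in rtp.findall(path):
            value = (node.text or "").strip()
            has_variable = any(v in value.lower() for v in PATH_VARIABLES)
            if has_variable and "*" in value:
                flag("error", path, "%r combines a path variable with a wildcard (unsupported)" % value)
    excluded = _extensions(rtp, "exclusions/file_types/extensions")
    if excluded:  # any extension-wide exclusion deserves a review
        flag("low", "exclusions/file_types/extensions", "excluded extensions: " + ", ".join(excluded))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_XML), ("hardened", HARDENED_XML)):
        result = audit_rtp(doc)
        print("%s: %d finding(s)" % (label, len(result)))
        for severity, tag, message in result:
            print("  [%s] <%s>: %s" % (severity, tag, message))
```

Run as-is, the weak fragment yields seven findings (including the unsupported `%windir%\Temp\*.log` exclusion) and the hardened fragment yields none. The checks are deliberately limited to what the table documents; anything the page does not specify (for example the exact behaviour of an unsupported exclusion) is reported as a finding to review rather than interpreted.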
