Malware Protection

The Malware Protection tab contains options for configuring antivirus (AV), antiransomware, antiexploit, cloud-based malware detection, removable media access, exclusions list, and other options. Some options only display if you enable Advanced view.

Only features that FortiClient EMS is licensed for are available for configuration. See Windows, macOS, and Linux licenses for details on which features each license type includes.

Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

Configure the following options:

AntiVirus Protection
Antiransomware
Antiexploit
Cloud Based Malware Detection
Removable Media Access
Exclusions
Other

AntiVirus Protection

Enable AV protection. FortiClient's AV component supports twelve levels of nested compressed files for scanning.

Options		Description
General		These settings apply to all AV protection.
Delete Malware Files After		Enter the number of days after which to delete malware files from the client.
Real-Time Protection		Enable real-time protection (RTP).
Action On Virus Discovery		Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard. Deny Access to Infected Files Ignore Infected Files
Alert When Viruses Are Detected		Displays the Virus Alert dialog when RTP detects a virus while attempting to download a file via a web browser. The dialog allows you to view recently detected viruses, their locations, and statuses.
Identify Malware and Exploits Using Signatures Received from FortiSandbox		Uses signatures from FortiSandbox to identify malware and exploits. This option is available only if the Sandbox Detection tab is enabled. Enter the number of minutes after which to update signatures.
Scan Compressed Files		Scan archive files, including zip, rar, and tar files, for threats. RTP exclusions list default file extensions.
	Max Size	Only scan files under the specified size. To allow scanning compressed files of any size, enter 0. For compressed files, FortiClient supports a maximum file size of 1 GB for AV scanning. For a compressed file with a size larger than 1 GB, FortiClient scans it after decompression.
Scan Files Accessed by User Process		Configure when RTP should scan files that a user-initiated process accesses. Select one of the following: Scan Files When Processes Read or Write Them Scan Files When Processes Read Them Scan Files When Processes Write Them
	Scan Network Files	Scan network files for threats when a user-initiated process accesses them.
System Process Scanning		Enable system process scanning. Select one of the following: Scan Files When System Processes Read or Write Them Scan Files When System Processes Read Them Scan Files When System Processes Write Them Do Not Scan Files When System Processes Read or Write Them
Enable Windows Antimalware Scan Interface		Enable Microsoft Anti-Malware Interface Scan (AMSI). This feature is only available for Windows 10 endpoints. AMSI scans memory for the following malicious behavior: User Account Control (elevation of EXE, COM, MSI, or ActiveX installation) PowerShell (scripts, interactive use, and dynamic code evaluation) Windows Script Host (wscript.exe and script.exe) JavaScript and VBScript Office VBA macros
Enable Machine Learning Analysis		Enable or disable machine learning (ML). This feature uses the new FortiClient AV engine, which incorporates smarter signature-less ML-based advanced threat detection. The antimalware solution includes ML models static and dynamic analysis of threats. From the Action On Virus Discovery With Machine Learning Analysis dropdown list, select one of the following: Log detection and warn the User: detect the sample, display a warning message, and log the activity. Quarantine Infected Files: quarantine infected files. You can view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.
On Demand Scanning
Action On Virus Discovery		Select one of the following from the dropdown list: Warn the User If a Process Attempts to Access Infected Files Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard. Ignore Infected Files
Integrate FortiClient into Windows Explorer's Context Menu		Adds a Scan with FortiClient AntiVirus option to the Windows Explorer right-click menu.
	Hide AV Scan from Windows Explorer's Context Menu	Hide AV scan option from Windows Explorer's context menu.
	Hide AV Analyse from Windows Explorer's Context Menu	Hide option to submit file for AV analysis from Windows Explorer's context menu.
Pause Scanning When Running on Battery Power		Pause scanning when the computer is running on battery power.
Allow Admin Users to Terminate Scheduled and On-Demand Scans from FortiClient Console		Control whether the local administrator can stop a scheduled or on-demand AV scan initiated by the EMS administrator. A user who is not a local administrator cannot stop a scheduled or on-demand AV scan regardless of this setting.
Automatically Submit Suspicious Files to FortiGuard for Analysis.		Automatically submit suspicious files to FortiGuard for analysis. You do not receive feedback for files submitted for analysis. The FortiGuard team can create signatures for any files that are submitted for analysis and determined to be malicious.
Scan Compressed Files		Scan archive files, including zip, rar, and tar files, for threats.
	Max Size	Only scan files under the specified size (in MB). To allow scanning compressed files of any size, enter 0. For compressed files, FortiClient supports a maximum file size of 1 GB for AV scanning. For a compressed file with a size larger than 1 GB, FortiClient scans it after decompression.
Max Scan Speed on Computers With		Select the minimum amount of memory that must be installed on a computer to maximize scan speed. AV maximizes scan speed by loading signatures on computers with a minimum amount of memory: 4 GB 6 GB 8 GB 12 GB 16 GB
Enable Machine Learning Analysis		Enable or disable machine learning (ML). This feature uses the new FortiClient AV engine, which incorporates smarter signature-less ML-based advanced threat detection. The antimalware solution includes ML models static and dynamic analysis of threats. From the Action On Virus Discovery With Machine Learning Analysis dropdown list, select one of the following: Log detection and warn the User: detect the sample, display a warning message, and log the activity. Quarantine Infected Files: quarantine infected files. You can view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.
Scheduled Scan		Enable scheduled scans.
Schedule Type		Select Daily, Weekly, or Monthly.
Scan On		If Weekly is selected, select the day of the week to perform the scan. If Monthly is selected, select the day of the month to perform the scan. If you configure monthly scans to occur on the 31st of each month, the scan occurs on the first day of the month for months with fewer than 31 days.
Start At		Configure the start time for the scheduled scan.
Scan Type		Select one of the following: Quick: Runs the rootkit detection engine to detect and remove rootkits. The quick scan only scans executable files, DLLs, and drivers that are currently running for threats. Full: Runs the rootkit detection engine to detect and remove rootkits, then performs a full system scan of all files, executable files, DLLs, and drivers. Custom: Runs the rootkit detection engine to detect and remove rootkits. In the Scan Folder field, enter the full path of the folder on your local hard disk drive to scan.
Scan Priority		Set to Low, Normal, or High. This refers to the amount of processing power that the scan uses and its impact on other processes.
Scan Removable Media		Scan connected removable media, such as USB drives, for threats, if present.
Scan Network Drives		Scan attached or mounted network drives for threats.
Enable Scheduled Scans Even When a Third-Party AV Product Is Present		Enable scheduled scans even when a third party AV product is present.

Anti-Ransomware

Enable anti-ransomware to protect specific files, folders, or file types on your endpoints from unauthorized changes. After detecting ransomware behavior on the endpoint, FortiClient restores files that were encrypted by the detected ransomware. FortiClient automatically updates antiransomware signatures and engines as available from FortiGuard Distribution Servers.

The anti-ransomware feature is not supported on FortiClient macOS.

Options	Description
Protected Folders	Select the desired folders from the list, or click Add Folder to add a custom directory. FortiClient anti-ransomware protects all content in the selected folders against unauthorized changes. To remove a folder, select it then click the Remove Folder button. This field supports path variables.
Protected File Types	Enter the desired file types to protect from suspicious activity, separating each file type with a comma. Do not include the leading dot when entering a file type. For example, to include text files, you would enter `txt`, as opposed to `.txt`.
Action	When anti-ransomware detects suspicious activity, it displays a popup asking the user if they want to terminate the process: If the user selects Yes, FortiClient terminates the suspicious process. If the user selects No, FortiClient allows the process to continue. If the user does not select an option, FortiClient waits for the configured action timeout, then does one of the following, as configured: Block access and warn user if suspicious activity is detected: FortiClient terminates the suspicious process. Warn user and resume after the timeout: FortiClient allows the process to continue.
Action Timeout	Enter the desired timeout value.
Bypass Valid Signer	Enable FortiClient to exclude a process from the selected anti-ransomware action if it has a valid signer.
Enable File Backup	Enable FortiClient to restore files that the detected ransomware encrypted after detecting ransomware behavior on the endpoint.
Backup Interval	Enter the desired backup interval value in hours. FortiClient backs up files in protected folders that were last modified at a time that is longer ago than the backup interval value. The backup only occurs when the files will be modified.
Backup File Size Limit	Enter the desired size limit in MB for ransomware-encrypted files for FortiClient to back up. The size limit refers to the original file size, not the size limit after encryption.
Free Disk Quota	Enter the desired backup disk quota value as a percentage of free disk space.

Antiexploit

Enable antiexploit engine to detect suspicious processes (payload) running from legitimate applications. You must enable Real-Time Protection for the antiexploit feature to function.

Cloud-Based Malware Detection

Enable cloud-based malware outbreak detection. The cloud-based malware protection feature helps protect endpoints from high risk file types from external sources such as the Internet or network drives by querying FortiGuard to determine whether files are malicious. The following describes the process for cloud-based malware protection:

A high risk file is downloaded or executed on the endpoint.
FortiClient generates a SHA1 checksum for the file.
FortiClient sends the checksum to FortiGuard to determine if it is malicious against the FortiGuard checksum library.
If the checksum is found in the library, FortiGuard communicates to FortiClient that the file is deemed malware. By default, FortiClient quarantines the file.

By default, this feature only submits high risk file types such as .exe, .doc, .pdf, and .dll to FortiGuard. To add other high risk file types, configure <use_custom_extensions>1</use_custom_extensions> in XML settings and configure the desired list of file types using <custom_extensions>. The default <custom_extensions> list of high risk file types is the same as the list of file types submitted to Sandbox. See Cloud-based malware protection.

Options		Description
Server
Wait for Cloudscan Results before Allowing File Access		Have the endpoint user wait for cloud scanning results before being allowed access to files. Set the timeout in seconds.
Deny Access to File When There is No Cloudscan Result		Deny access to downloaded files if there is no cloud scan result. This may happen if FortiClient EMS cannot reach FortiGuard.
File Submission Options
All Files Executed from Removable Media		Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.
All Files Executed from Mapped Network Drives		Submit all files executed from mapped network drives.
All Web Downloads		Submit all web downloads.
All Email Downloads		Submit all email downloads.
Exclude Files from Trusted Sources		Exclude files signed by trusted sources from cloud-based malware protection submission.
Remediation Actions
Action		Choose Quarantine or Alert & Notify for malicious files. The user can access the file depending on Wait for Cloudscan Results before Allowing File Access and Deny Access to File When There Is No Cloudscan Result configuration. Whether FortiClient quarantines the file depends on if FortiGuard reports the file as malicious.

Removable Media Access

Control access to removable media devices, such as USB drives. You can configure rules to allow or block specific removable devices.

FortiClient (macOS) and (Linux) only support the action configured for Default removable media access. FortiClient (macOS) and (Linux) do not support other removable media access rules received from EMS.

For the class, manufacturer, vendor ID, product ID, and revision, you can find the desired values for the device in one of the following ways:

Microsoft Windows Device Manager: select the device and view its properties.
USBDeview

Options	Description
Show bubble notifications	Display a bubble notification when FortiClient takes action with a removable media device.
Action	Configure the action to take with removable media devices connected to the endpoint that match this rule. Available options are: Allow: Allow access to removable media devices connected to the endpoint that match this rule. Block: Block access to removable media devices connected to the endpoint that match this rule. Monitor: Log removable media device connections to the endpoint that match this rule.
Description	Enter the desired rule description.
Type	Select Simple or Regular Expression for the rule type. When Simple is selected, FortiClient performs case-insensitive matching against classes, manufacturers, vendor IDs, product IDs, and revisions. When Regular Expression is selected, FortiClient uses Perl Compatible Regular Expressions (PCRE) to perform matching against classes, manufacturers, vendor IDs, product IDs, and revisions.
Class	Enter the device class.
Manufacturer	Enter the device manufacturer.
Vendor ID	Enter the device vendor ID.
Product ID	Enter the device product ID.
Revision	Enter the device revision number.
Remove this rule	Remove this rule from the profile.
Add a new rule	Add a new removable media access rule.
Move this rule up/down	Move this rule up or down. If a connected device is eligible for multiple rules, FortiClient applies the highest rule to the device.
Default removable media access	Configure the action to take with removable media devices that do not match any configured rules. Available options are: Allow: Allow access to removable media devices connected to the endpoint that do not match any configured rules. Block: Block access to removable media devices connected to the endpoint that do not match any configured rules. Monitor: Log removable media device connections to the endpoint that do not match any configured rules.

Exclusions

Enable exclusions from AV scanning. FortiClient EMS supports using wildcards and path variables to specify files and folders to exclude from scanning. EMS supports the following wildcards and variables:

Using wildcards to exclude a range of file names with a specified extension, such as Edb*.jrs
Using wildcards to exclude all files with a specified extension, such as *.jrs
Path variable %allusersprofile%
Path variable %appdata%
Path variable %localappdata%
Path variable %systemroot%
Path variable %systemdrive%
Path variable %userprofile%
Path variable %windir%

Combinations of wildcards and variables are not supported.

Having a longer exclusion list affects AV performance. It is advised to keep the exclusion list as short as possible.

Exclusion lists are case-sensitive.

When excluding a network share, you may enter the path using drive letters (Z:\folder\) or the UNC path (\\172.17.60.193\fileserver\folder).

Options	Description
Paths to Excluded Folders	Enter fully qualified excluded folder paths in the provided text box to exclude these folders from RTP and on-demand scanning.
Paths to Excluded Files	Enter fully qualified excluded files in the provided text box to exclude these files from RTP and on-demand scanning.
File Extensions Excluded from Real-Time Protection	RTP skips scanning files with the specified extensions.
File Extensions Excluded from On Demand Scanning	On-demand AV protection skips scanning files with the specified extensions.

Other

Options	Description
Scan for Rootkits	Scan for files implementing advanced OS hooks used by malware to protect themselves from being shutdown, killed, or deleted. A rootkit is a collection of programs that enable administrator-level access to a computer or computer network. Typically a rootkit is installed on a computer after first obtaining user-level access by exploiting a known vulnerability or cracking a password.
Scan for Adware	Scan for adware. Adware is a form of software that downloads or displays unwanted ads when a user is online.
Scan for Riskware	Scan for riskware. Riskware refers to legitimate programs which, when installed and executed, presents a possible but not definite risk to the computer.
Enable Advanced Heuristics	Enable AV scan with heuristics signature. Advanced heuristics is a sequence of heuristics to detect complex malware.
Scan Removable Media on Insertion	Scan removable media on insertion. FortiClient scans the following media types on insertion: Floppy drives Thumb drives Flash card reader USB devices (BusTypeUsb) External hard drives (BusType1394) This feature does not scan the following on insertion: Remote (network) drive CD-ROM drive RAM disk
Scan Email	Scan emails for threats with SMTP and POP3 protocols.
Scan MIME Files (Inbox Files)	Scan inbox email content with Multipurpose Internet Mail Extensions (MIME) file types. MIME is an Internet standard that extends the email format to support the following: Text in character sets other than ASCII Non-text attachments (audio, video, images, applications) Message bodies with multiple parts
Enable FortiGuard Analytics	Automatically sends suspicious files to FortiGuard for analysis.
Notify Logged in Users if Their AV Signatures Expired	Notify logged in users if their AV signatures expired.

Malware Protection

Only features that FortiClient EMS is licensed for are available for configuration. See Windows, macOS, and Linux licenses for details on which features each license type includes.

Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

Configure the following options:

AntiVirus Protection
Antiransomware
Antiexploit
Cloud Based Malware Detection
Removable Media Access
Exclusions
Other

AntiVirus Protection

Enable AV protection. FortiClient's AV component supports twelve levels of nested compressed files for scanning.

Options		Description
General		These settings apply to all AV protection.
Delete Malware Files After		Enter the number of days after which to delete malware files from the client.
Real-Time Protection		Enable real-time protection (RTP).
Action On Virus Discovery		Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard. Deny Access to Infected Files Ignore Infected Files
Alert When Viruses Are Detected		Displays the Virus Alert dialog when RTP detects a virus while attempting to download a file via a web browser. The dialog allows you to view recently detected viruses, their locations, and statuses.
Identify Malware and Exploits Using Signatures Received from FortiSandbox		Uses signatures from FortiSandbox to identify malware and exploits. This option is available only if the Sandbox Detection tab is enabled. Enter the number of minutes after which to update signatures.
Scan Compressed Files		Scan archive files, including zip, rar, and tar files, for threats. RTP exclusions list default file extensions.
	Max Size	Only scan files under the specified size. To allow scanning compressed files of any size, enter 0. For compressed files, FortiClient supports a maximum file size of 1 GB for AV scanning. For a compressed file with a size larger than 1 GB, FortiClient scans it after decompression.
Scan Files Accessed by User Process		Configure when RTP should scan files that a user-initiated process accesses. Select one of the following: Scan Files When Processes Read or Write Them Scan Files When Processes Read Them Scan Files When Processes Write Them
	Scan Network Files	Scan network files for threats when a user-initiated process accesses them.
System Process Scanning		Enable system process scanning. Select one of the following: Scan Files When System Processes Read or Write Them Scan Files When System Processes Read Them Scan Files When System Processes Write Them Do Not Scan Files When System Processes Read or Write Them
Enable Windows Antimalware Scan Interface		Enable Microsoft Anti-Malware Interface Scan (AMSI). This feature is only available for Windows 10 endpoints. AMSI scans memory for the following malicious behavior: User Account Control (elevation of EXE, COM, MSI, or ActiveX installation) PowerShell (scripts, interactive use, and dynamic code evaluation) Windows Script Host (wscript.exe and script.exe) JavaScript and VBScript Office VBA macros
Enable Machine Learning Analysis		Enable or disable machine learning (ML). This feature uses the new FortiClient AV engine, which incorporates smarter signature-less ML-based advanced threat detection. The antimalware solution includes ML models static and dynamic analysis of threats. From the Action On Virus Discovery With Machine Learning Analysis dropdown list, select one of the following: Log detection and warn the User: detect the sample, display a warning message, and log the activity. Quarantine Infected Files: quarantine infected files. You can view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.
On Demand Scanning
Action On Virus Discovery		Select one of the following from the dropdown list: Warn the User If a Process Attempts to Access Infected Files Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard. Ignore Infected Files
Integrate FortiClient into Windows Explorer's Context Menu		Adds a Scan with FortiClient AntiVirus option to the Windows Explorer right-click menu.
	Hide AV Scan from Windows Explorer's Context Menu	Hide AV scan option from Windows Explorer's context menu.
	Hide AV Analyse from Windows Explorer's Context Menu	Hide option to submit file for AV analysis from Windows Explorer's context menu.
Pause Scanning When Running on Battery Power		Pause scanning when the computer is running on battery power.
Allow Admin Users to Terminate Scheduled and On-Demand Scans from FortiClient Console		Control whether the local administrator can stop a scheduled or on-demand AV scan initiated by the EMS administrator. A user who is not a local administrator cannot stop a scheduled or on-demand AV scan regardless of this setting.
Automatically Submit Suspicious Files to FortiGuard for Analysis.		Automatically submit suspicious files to FortiGuard for analysis. You do not receive feedback for files submitted for analysis. The FortiGuard team can create signatures for any files that are submitted for analysis and determined to be malicious.
Scan Compressed Files		Scan archive files, including zip, rar, and tar files, for threats.
	Max Size	Only scan files under the specified size (in MB). To allow scanning compressed files of any size, enter 0. For compressed files, FortiClient supports a maximum file size of 1 GB for AV scanning. For a compressed file with a size larger than 1 GB, FortiClient scans it after decompression.
Max Scan Speed on Computers With		Select the minimum amount of memory that must be installed on a computer to maximize scan speed. AV maximizes scan speed by loading signatures on computers with a minimum amount of memory: 4 GB 6 GB 8 GB 12 GB 16 GB
Enable Machine Learning Analysis		Enable or disable machine learning (ML). This feature uses the new FortiClient AV engine, which incorporates smarter signature-less ML-based advanced threat detection. The antimalware solution includes ML models static and dynamic analysis of threats. From the Action On Virus Discovery With Machine Learning Analysis dropdown list, select one of the following: Log detection and warn the User: detect the sample, display a warning message, and log the activity. Quarantine Infected Files: quarantine infected files. You can view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.
Scheduled Scan		Enable scheduled scans.
Schedule Type		Select Daily, Weekly, or Monthly.
Scan On		If Weekly is selected, select the day of the week to perform the scan. If Monthly is selected, select the day of the month to perform the scan. If you configure monthly scans to occur on the 31st of each month, the scan occurs on the first day of the month for months with fewer than 31 days.
Start At		Configure the start time for the scheduled scan.
Scan Type		Select one of the following: Quick: Runs the rootkit detection engine to detect and remove rootkits. The quick scan only scans executable files, DLLs, and drivers that are currently running for threats. Full: Runs the rootkit detection engine to detect and remove rootkits, then performs a full system scan of all files, executable files, DLLs, and drivers. Custom: Runs the rootkit detection engine to detect and remove rootkits. In the Scan Folder field, enter the full path of the folder on your local hard disk drive to scan.
Scan Priority		Set to Low, Normal, or High. This refers to the amount of processing power that the scan uses and its impact on other processes.
Scan Removable Media		Scan connected removable media, such as USB drives, for threats, if present.
Scan Network Drives		Scan attached or mounted network drives for threats.
Enable Scheduled Scans Even When a Third-Party AV Product Is Present		Enable scheduled scans even when a third party AV product is present.

Anti-Ransomware

The anti-ransomware feature is not supported on FortiClient macOS.

Options	Description
Protected Folders	Select the desired folders from the list, or click Add Folder to add a custom directory. FortiClient anti-ransomware protects all content in the selected folders against unauthorized changes. To remove a folder, select it then click the Remove Folder button. This field supports path variables.
Protected File Types	Enter the desired file types to protect from suspicious activity, separating each file type with a comma. Do not include the leading dot when entering a file type. For example, to include text files, you would enter `txt`, as opposed to `.txt`.
Action	When anti-ransomware detects suspicious activity, it displays a popup asking the user if they want to terminate the process: If the user selects Yes, FortiClient terminates the suspicious process. If the user selects No, FortiClient allows the process to continue. If the user does not select an option, FortiClient waits for the configured action timeout, then does one of the following, as configured: Block access and warn user if suspicious activity is detected: FortiClient terminates the suspicious process. Warn user and resume after the timeout: FortiClient allows the process to continue.
Action Timeout	Enter the desired timeout value.
Bypass Valid Signer	Enable FortiClient to exclude a process from the selected anti-ransomware action if it has a valid signer.
Enable File Backup	Enable FortiClient to restore files that the detected ransomware encrypted after detecting ransomware behavior on the endpoint.
Backup Interval	Enter the desired backup interval value in hours. FortiClient backs up files in protected folders that were last modified at a time that is longer ago than the backup interval value. The backup only occurs when the files will be modified.
Backup File Size Limit	Enter the desired size limit in MB for ransomware-encrypted files for FortiClient to back up. The size limit refers to the original file size, not the size limit after encryption.
Free Disk Quota	Enter the desired backup disk quota value as a percentage of free disk space.

Antiexploit

Enable antiexploit engine to detect suspicious processes (payload) running from legitimate applications. You must enable Real-Time Protection for the antiexploit feature to function.

Cloud-Based Malware Detection

A high risk file is downloaded or executed on the endpoint.
FortiClient generates a SHA1 checksum for the file.
FortiClient sends the checksum to FortiGuard to determine if it is malicious against the FortiGuard checksum library.
If the checksum is found in the library, FortiGuard communicates to FortiClient that the file is deemed malware. By default, FortiClient quarantines the file.

Options		Description
Server
Wait for Cloudscan Results before Allowing File Access		Have the endpoint user wait for cloud scanning results before being allowed access to files. Set the timeout in seconds.
Deny Access to File When There is No Cloudscan Result		Deny access to downloaded files if there is no cloud scan result. This may happen if FortiClient EMS cannot reach FortiGuard.
File Submission Options
All Files Executed from Removable Media		Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.
All Files Executed from Mapped Network Drives		Submit all files executed from mapped network drives.
All Web Downloads		Submit all web downloads.
All Email Downloads		Submit all email downloads.
Exclude Files from Trusted Sources		Exclude files signed by trusted sources from cloud-based malware protection submission.
Remediation Actions
Action		Choose Quarantine or Alert & Notify for malicious files. The user can access the file depending on Wait for Cloudscan Results before Allowing File Access and Deny Access to File When There Is No Cloudscan Result configuration. Whether FortiClient quarantines the file depends on if FortiGuard reports the file as malicious.

Removable Media Access

Control access to removable media devices, such as USB drives. You can configure rules to allow or block specific removable devices.

For the class, manufacturer, vendor ID, product ID, and revision, you can find the desired values for the device in one of the following ways:

Microsoft Windows Device Manager: select the device and view its properties.
USBDeview

Options	Description
Show bubble notifications	Display a bubble notification when FortiClient takes action with a removable media device.
Action	Configure the action to take with removable media devices connected to the endpoint that match this rule. Available options are: Allow: Allow access to removable media devices connected to the endpoint that match this rule. Block: Block access to removable media devices connected to the endpoint that match this rule. Monitor: Log removable media device connections to the endpoint that match this rule.
Description	Enter the desired rule description.
Type	Select Simple or Regular Expression for the rule type. When Simple is selected, FortiClient performs case-insensitive matching against classes, manufacturers, vendor IDs, product IDs, and revisions. When Regular Expression is selected, FortiClient uses Perl Compatible Regular Expressions (PCRE) to perform matching against classes, manufacturers, vendor IDs, product IDs, and revisions.
Class	Enter the device class.
Manufacturer	Enter the device manufacturer.
Vendor ID	Enter the device vendor ID.
Product ID	Enter the device product ID.
Revision	Enter the device revision number.
Remove this rule	Remove this rule from the profile.
Add a new rule	Add a new removable media access rule.
Move this rule up/down	Move this rule up or down. If a connected device is eligible for multiple rules, FortiClient applies the highest rule to the device.
Default removable media access	Configure the action to take with removable media devices that do not match any configured rules. Available options are: Allow: Allow access to removable media devices connected to the endpoint that do not match any configured rules. Block: Block access to removable media devices connected to the endpoint that do not match any configured rules. Monitor: Log removable media device connections to the endpoint that do not match any configured rules.

Exclusions

Using wildcards to exclude a range of file names with a specified extension, such as Edb*.jrs
Using wildcards to exclude all files with a specified extension, such as *.jrs
Path variable %allusersprofile%
Path variable %appdata%
Path variable %localappdata%
Path variable %systemroot%
Path variable %systemdrive%
Path variable %userprofile%
Path variable %windir%

Combinations of wildcards and variables are not supported.

Having a longer exclusion list affects AV performance. It is advised to keep the exclusion list as short as possible.

Exclusion lists are case-sensitive.

When excluding a network share, you may enter the path using drive letters (Z:\folder\) or the UNC path (\\172.17.60.193\fileserver\folder).

Options	Description
Paths to Excluded Folders	Enter fully qualified excluded folder paths in the provided text box to exclude these folders from RTP and on-demand scanning.
Paths to Excluded Files	Enter fully qualified excluded files in the provided text box to exclude these files from RTP and on-demand scanning.
File Extensions Excluded from Real-Time Protection	RTP skips scanning files with the specified extensions.
File Extensions Excluded from On Demand Scanning	On-demand AV protection skips scanning files with the specified extensions.

Other

Options	Description
Scan for Rootkits	Scan for files implementing advanced OS hooks used by malware to protect themselves from being shutdown, killed, or deleted. A rootkit is a collection of programs that enable administrator-level access to a computer or computer network. Typically a rootkit is installed on a computer after first obtaining user-level access by exploiting a known vulnerability or cracking a password.
Scan for Adware	Scan for adware. Adware is a form of software that downloads or displays unwanted ads when a user is online.
Scan for Riskware	Scan for riskware. Riskware refers to legitimate programs which, when installed and executed, presents a possible but not definite risk to the computer.
Enable Advanced Heuristics	Enable AV scan with heuristics signature. Advanced heuristics is a sequence of heuristics to detect complex malware.
Scan Removable Media on Insertion	Scan removable media on insertion. FortiClient scans the following media types on insertion: Floppy drives Thumb drives Flash card reader USB devices (BusTypeUsb) External hard drives (BusType1394) This feature does not scan the following on insertion: Remote (network) drive CD-ROM drive RAM disk
Scan Email	Scan emails for threats with SMTP and POP3 protocols.
Scan MIME Files (Inbox Files)	Scan inbox email content with Multipurpose Internet Mail Extensions (MIME) file types. MIME is an Internet standard that extends the email format to support the following: Text in character sets other than ASCII Non-text attachments (audio, video, images, applications) Message bodies with multiple parts
Enable FortiGuard Analytics	Automatically sends suspicious files to FortiGuard for analysis.
Notify Logged in Users if Their AV Signatures Expired	Notify logged in users if their AV signatures expired.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

EMS Administration Guide

Malware Protection

Malware Protection

AntiVirus Protection

Anti-Ransomware

Antiexploit

Cloud-Based Malware Detection

Removable Media Access

Exclusions

Other

Related Videos

Using FortiClient to Protect against Ransomware

Malware Protection

Malware Protection