Real-time protection

The <real_time_protection> element configures how the scanner processes files used by programs running on the system.

Several tags are similar between this section and <on_demand_scanning>.

```xml
<forticlient_configuration>
  <antivirus>
    <real_time_protection>
      <enabled>1</enabled>
      <use_extreme_db>0</use_extreme_db>
      <when>0</when>
      <ignore_system_when>0</ignore_system_when>
      <on_virus_found>0</on_virus_found>
      <popup_alerts>0</popup_alerts>
      <popup_registry_alerts>0</popup_registry_alerts>
      <amsi_enabled>0</amsi_enabled>
      <compressed_files>
        <scan>1</scan>
        <maxsize>2</maxsize>
      </compressed_files>
      <riskware>
        <enabled>1</enabled>
      </riskware>
      <adware>
        <enabled>1</enabled>
      </adware>
      <heuristic_scanning>
        <level>3</level>
        <action>0</action>
      </heuristic_scanning>
      <scan_file_types>
        <all_files>1</all_files>
        <file_types>
          <extensions>.386,.ACE,.ACM,.ACV,.ACX,.ADT,.APP,.ASD,.ASP,.ASX,.AVB,.AX,.AX2,.BAT,.BIN,.BTM,.CDR,.CFM,.CHM,.CLA,.CLASS,.CMD,.CNN,.COM,.CPL,.CPT,.CPY,.CSC,.CSH,.CSS,.DEV,.DLL,.DOC,.DOT,.DRV,.DVB,.DWG,.EML,.EXE,.FON,.GMS,.GVB,.HLP,.HTA,.HTM,.HTML,.HTT,.HTW,.HTX,.HXS,.INF,.INI,.JPG,.JS,.JTD,.KSE,.LGP,.LIB,.LNK,.MDB,.MHT,.MHTM,.MHTML,.MOD,.MPD,.MPP,.MPT,.MRC,.OCX,.PIF,.PL,.PLG,.PM,.PNF,.PNP,.POT,.PPA,.PPS,.PPT,.PRC,.PWZ,.QLB,.QPW,.REG,.RTF,.SBF,.SCR,.SCT,.SH,.SHB,.SHS,.SHT,.SHTML,.SHW,.SIS,.SMM,.SWF,.SYS,.TD0,.TLB,.TSK,.TSP,.TT6,.VBA,.VBE,.VBS,.VBX,.VOM,.VSD,.VSS,.VST,.VWP,.VXD,.VXE,.WBK,.WBT,.WIZ,.WK,.WML,.WPC,.WPD,.WSC,.WSF,.WSH,.XLS,.XML,.XTP</extensions>
          <include_files_with_no_extension>0</include_files_with_no_extension>
        </file_types>
      </scan_file_types>
      <exclusions>
        <file />
        <folder />
        <file_types>
          <extensions />
        </file_types>
      </exclusions>
    </real_time_protection>
  </antivirus>
</forticlient_configuration>
```

The following reference lists the XML tags for RTP, with their descriptions and default values where applicable.

<enabled>
Enable RTP.
Boolean value: [0 | 1]
Default value: 1

<use_extreme_db>
Use extreme database.
Boolean value: [0 | 1]

<when>
File I/O activities that result in a scan. Configure one of the following:
  • 0: scan files when processes read or write them and enable scanning network files.
  • 1: scan files when processes read them and disable scanning network files.
  • 2: scan files when processes write them and disable scanning network files.
  • 3: scan files when processes read or write them and disable scanning network files.
  • 4: scan files when processes read them and enable scanning network files.
  • 5: scan files when processes write them and enable scanning network files.
Default value: 0

<ignore_system_when>
Configure one of the following:
  • 0: scan files when system processes read or write them.
  • 1: scan files when system processes read them.
  • 2: scan files when system processes write them.
  • 3: do not scan files when system processes read or write them.
Default value: 2

<on_virus_found>
Configure the action FortiClient performs if it finds a virus:
  • 1: ignore infected files.
  • 4: quarantine infected files. You can use FortiClient to view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.
  • 5: deny access to infected files.
Default value: 5
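As an added example (not code from the FortiClient documentation or product), the following Python reads a <real_time_protection> fragment and reports settings that weaken coverage, decoding <when>, <ignore_system_when> and <on_virus_found> with the value tables above. The sample XML is constructed, and the fallback used for a missing tag is the documented default value.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real endpoint's config): several settings weakened on purpose
SAMPLE = """<forticlient_configuration><antivirus><real_time_protection>
<enabled>1</enabled><when>3</when><ignore_system_when>3</ignore_system_when>
<on_virus_found>1</on_virus_found><amsi_enabled>0</amsi_enabled>
<compressed_files><scan>0</scan><maxsize>2</maxsize></compressed_files>
</real_time_protection></antivirus></forticlient_configuration>"""

# <when> codes from the table: (scan on read, scan on write, scan network files)
WHEN = {0: (True, True, True), 1: (True, False, False), 2: (False, True, False),
        3: (True, True, False), 4: (True, False, True), 5: (False, True, True)}
ON_VIRUS = {1: "ignore", 4: "quarantine", 5: "deny access"}

def _int(elem, path, default):
    """Read an integer child value, falling back to the documented default."""
    node = elem.find(path)
    if node is None or node.text is None or not node.text.strip().lstrip("-").isdigit():
        return default
    return int(node.text.strip())

def audit_rtp(xml_text):
    """Return a list of findings describing weakened real-time protection settings."""
    rtp = ET.fromstring(xml_text).find("antivirus/real_time_protection")
    if rtp is None:
        return ["no <real_time_protection> element present"]
    findings = []
    if _int(rtp, "enabled", 1) != 1:
        findings.append("<enabled>: real-time protection is off")
    when = _int(rtp, "when", 0)
    if when not in WHEN:
        findings.append(f"<when>={when}: not a documented value")
    else:
        read, write, net = WHEN[when]
        if not (read and write):
            findings.append(f"<when>={when}: only {'reads' if read else 'writes'} are scanned")
        if not net:
            findings.append(f"<when>={when}: network files are not scanned")
    if _int(rtp, "ignore_system_when", 2) == 3:
        findings.append("<ignore_system_when>=3: system process file I/O is never scanned")
    action = _int(rtp, "on_virus_found", 5)
    if ON_VIRUS.get(action) == "ignore":
        findings.append("<on_virus_found>=1: infected files are ignored")
    elif action not in ON_VIRUS:
        findings.append(f"<on_virus_found>={action}: not a documented value")
    if _int(rtp, "amsi_enabled", 0) != 1:
        findings.append("<amsi_enabled>=0: AMSI script/memory scanning is off")
    if _int(rtp, "compressed_files/scan", 1) != 1:
        findings.append("<compressed_files><scan>=0: archives are not scanned")
    return findings

if __name__ == "__main__":
    for line in audit_rtp(SAMPLE):
        print(line)
```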

<popup_alerts>
If enabled, displays the Virus Alert dialog when a virus is detected while attempting to download a file via a web browser. The dialog allows you to view recently detected viruses, their locations, and statuses.
Boolean value: [0 | 1]
Default value: 1

<popup_registry_alerts>
Enable popup registry alerts. This feature displays alerts if a process tries to change registry start items.
Boolean value: [0 | 1]
Default value: 0

<amsi_enabled>
Enable Microsoft Antimalware Scan Interface (AMSI) scanning. This feature is only available for Windows 10 endpoints. AMSI scans memory for the following malicious behavior:
  • User Account Control (elevation of EXE, COM, MSI, or ActiveX installation)
  • PowerShell (scripts, interactive use, and dynamic code evaluation)
  • Windows Script Host (wscript.exe and cscript.exe)
  • JavaScript and VBScript
  • Office VBA macros
Boolean value: [0 | 1]
Default value: 0

<compressed_files> elements

<scan>
Scan archive files, including zip, rar, and tar files, for threats.
Boolean value: [0 | 1]
Default value: 1

<maxsize>
Only scan compressed files under the specified size in MB.
A number up to 65535. 0 means no limit. For compressed files, FortiClient supports a maximum file size of 1 GB for antivirus scanning. For a compressed file with a size larger than 1 GB, FortiClient scans it after decompression.
Default value: 2

<riskware> element

<enabled>
Scan for riskware. Riskware refers to legitimate programs which, when installed and executed, present a possible but not definite risk to the computer.
Boolean value: [0 | 1]
Default value: 1

<adware> element

<enabled>
Scan for adware. Adware is software that downloads or displays unwanted ads when a user is online.
Boolean value: [0 | 1]
Default value: 1

<heuristic_scanning> elements

The new FortiClient AV engine incorporates smarter, signature-less, machine learning (ML)-based advanced threat detection. The antimalware solution includes ML models for static and dynamic analysis of threats.

<level>
This setting applies to real-time and on-demand scans. Enter one of the following:
  • 0: normal
  • 1: advanced heuristics on highly infected systems
  • 2: Minos engine heuristics on highly infected systems
  • 3: both advanced heuristics on highly infected systems and engine heuristics
  • 4: both, without waiting to determine if the system is highly infected

<action>
The action FortiClient performs if heuristic scanning finds a virus. Enter one of the following:
  • 0: detect and notify only (with log entries, no other action)
  • 2: quarantine the file

<scan_file_types> element

<all_files>
Enable scanning of all file types. If enabled, the <file_types> element is ignored.
Boolean value: [0 | 1]
Default value: 1

<scan_file_types><file_types> elements

<extensions>
Comma-separated list of extensions to scan.

<include_files_with_no_extension>
Determines whether to scan files with no extension.
Boolean value: [0 | 1]
Default value: 0

<exclusions> elements

FortiClient supports using wildcards and path variables to specify files and folders to exclude from scanning. FortiClient supports the following wildcards and variables, among others:
  • Using wildcards to exclude a range of file names with a specified extension, such as Edb*.jrs
  • Using wildcards to exclude all files with a specified extension, such as *.jrs
  • Path variable %allusersprofile%
  • Path variable %appdata%
  • Path variable %localappdata%
  • Path variable %systemroot%
  • Path variable %systemdrive%
  • Path variable %userprofile%
  • Path variable %windir%
FortiClient does not support combinations of wildcards and variables.

<file>
Full path to a file to exclude from RTP scanning. The element may be repeated to list more files.

<folder>
Full path to a directory to exclude from RTP scanning. The element may be repeated to list more directories. Shadow Copy format is supported, for example, <folder>\Device\HarddiskVolumeShadowCopy*</folder>. Shadow Copy is also known as Volume Snapshot Service, Volume Shadow Copy Service, or VSS. Wildcards are not accepted.

<exclusions><file_types> element

<extensions>
Comma-separated list of extensions to exclude from RTP scanning.
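Added example, not FortiClient's own code: a small linter for <file> and <folder> exclusions that applies the rules stated above (no wildcard combined with a path variable, no wildcards in <folder>, path variables outside the documented list reported rather than rejected because the page says "among others"). The sample exclusions are constructed; treating any path that starts with \Device\HarddiskVolumeShadowCopy as the one permitted wildcard form for <folder> is an assumption drawn from the documented example.

```python
import re
import xml.etree.ElementTree as ET

# Path variables the page lists; others may exist, so unknown ones are reported, not rejected
KNOWN_VARS = {"%allusersprofile%", "%appdata%", "%localappdata%", "%systemroot%",
              "%systemdrive%", "%userprofile%", "%windir%"}
VAR_RE = re.compile(r"%[^%\\/]+%")
# Assumption: the documented Shadow Copy example is the only <folder> form that may end in '*'
SHADOW_COPY_PREFIX = r"\Device\HarddiskVolumeShadowCopy"

# Constructed sample exclusions (not from a real deployment)
SAMPLE = r"""<exclusions>
<file>%systemroot%\Logs\Edb*.jrs</file>
<file>C:\Program Files\App\data.dat</file>
<file>*.jrs</file>
<folder>%programdata%\Vendor</folder>
<folder>C:\Temp\*</folder>
<folder>\Device\HarddiskVolumeShadowCopy*</folder>
<file_types><extensions>.log,.tmp</extensions></file_types>
</exclusions>"""

def check_exclusion(kind, value):
    """Return the problems found in one <file> or <folder> exclusion, per the documented rules."""
    problems = []
    has_wildcard = any(c in value for c in "*?")
    variables = {v.lower() for v in VAR_RE.findall(value)}
    if has_wildcard and variables:
        problems.append("combines a wildcard with a path variable (unsupported)")
    for v in sorted(variables - KNOWN_VARS):
        problems.append(f"path variable {v} is not in the documented list")
    if kind == "folder" and has_wildcard and not value.startswith(SHADOW_COPY_PREFIX):
        problems.append("wildcards are not accepted in <folder> exclusions")
    return problems

def lint_exclusions(xml_text):
    """Map each problematic <file>/<folder> entry to its list of problems."""
    root = ET.fromstring(xml_text)
    report = {}
    for kind in ("file", "folder"):
        for node in root.findall(kind):
            value = (node.text or "").strip()
            if not value:          # empty elements such as <file /> are valid placeholders
                continue
            problems = check_exclusion(kind, value)
            if problems:
                report[f"<{kind}>{value}"] = problems
    return report

if __name__ == "__main__":
    for entry, problems in lint_exclusions(SAMPLE).items():
        print(entry, "->", "; ".join(problems))
```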

<sandboxing> element

<enabled>
Enable FortiSandbox configuration.
Boolean value: [0 | 1]

<sandbox_address>
Specify the IP address for FortiSandbox.

<timeout>
Specify how long to wait in seconds for FortiSandbox results before allowing file access. When set to 0 seconds, file access is granted without waiting for FortiSandbox results.
Range: 0-4294967295 in seconds

<use_sandbox_signatures>
Enable using FortiSandbox signatures.
Boolean value: [0 | 1]

<check_for_signatures_every>
Specify how often to check for FortiSandbox signatures when <use_sandbox_signatures> is set to 1.
Boolean value: [0 | 1]

<action_on_error>
Specify whether to block traffic when FortiSandbox finds errors. When this setting is 0, traffic is passed. When this setting is 1, traffic is blocked.
Boolean value: [0 | 1]
Default value: 0

<scan_usb>
Enable sending files from USB drives to FortiSandbox for scanning. When this setting is 0, files are not scanned. When this setting is 1, files are scanned.
Boolean value: [0 | 1]
Default value: 0

<scan_mapped_drives>
Enable sending files from mapped drives to FortiSandbox for scanning. When this setting is 0, files are not scanned. When this setting is 1, files are scanned.
Boolean value: [0 | 1]
Default value: 0
