These settings apply to all AV protection.

Enable Command and Control (C&C) detection using IP reputation database signatures. Check network traffic against known C&C IP address plus port number combinations.

Block all access to malicious websites. You must select FortiProxy (Disable Only When Troubleshooting) on the System Settings tab before you can enable this option.

If you are syncing the profile's Web Filter settings from a Web Filter profile imported from FortiOS or FortiManager, you cannot configure actions for the security risk site categories in EMS. EMS synchronizes these settings from the FortiOS or FortiManager Web Filter profile. See Web Filter.

Configure an action for the security risk site category by selecting one of the following:

• Block
• Warn
• Allow
• Monitor

You can also click the + button beside the site category to view all subcategories and configure individual actions (Block, Warn, Allow, Monitor) for each subcategory. The security risk category contains the following subcategories:

• Dynamic DNS
• Malicious Websites
• Newly Observed Domain
• Newly Registered Domain
• Phishing
• Spam URLs

You can also configure an action for the Security Risk category and its subcategories in a Web Filter profile. The following summarizes the action that FortiClient takes for security risk sites if the endpoint policy applied to an endpoint includes Malware Protection and Web Filter profiles:

• If an action other than Allow is configured for Security Risk or one of its subcategories on the Malware Protection profile, and the equivalent category has Allow configured on the Web Filter profile, FortiClient uses the action configured on the Malware Protection profile.
• If Allow is configured for Security Risk or one of its subcategories on the Malware Protection profile, and the equivalent category has an action other than Allow configured on the Web Filter profile, FortiClient uses the action configured on the Web Filter profile.
• If an action other than Allow is configured for Security Risk or one of its subcategories on the Malware Protection profile, and the equivalent category has an action other than Allow configured on the Web Filter profile, FortiClient uses the action configured on the Malware Protection profile.

If you enable this option, EMS uses the exclusion list on the Web Filter tab. If you disable this option, you must define exclusions under Exclusions.

Enter the number of days after which to delete malware files from the client.

Enable real-time protection (RTP).

• Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard.
• Deny Access to Infected Files
• Ignore Infected Files

Displays the Virus Alert dialog when RTP detects a virus while attempting to download a file via a web browser. The dialog allows you to view recently detected viruses, their locations, and statuses.

Uses signatures from FortiSandbox to identify malware and exploits. This option is available only if the Sandbox Detection tab is enabled. Enter the number of minutes after which to update signatures.

Scan archive files, including zip, rar, and tar files, for threats. RTP exclusions list default file extensions.

Only scan files under the specified size. To allow scanning compressed files of any size, enter 0. For compressed files, FortiClient supports a maximum file size of 1 GB for AV scanning. For a compressed file with a size larger than 1 GB, FortiClient scans it after decompression.

Configure when RTP should scan files that a user-initiated process accesses. Select one of the following:

• Scan Files When Processes Read or Write Them
• Scan Files When Processes Read Them
• Scan Files When Processes Write Them

Scan network files for threats when a user-initiated process accesses them.

Enable system process scanning. Select one of the following:

• Scan Files When System Processes Read or Write Them
• Scan Files When System Processes Read Them
• Scan Files When System Processes Write Them
• Do Not Scan Files When System Processes Read or Write Them

Enable Microsoft Anti-Malware Interface Scan (AMSI). This feature is only available for Windows 10 endpoints. AMSI scans memory for the following malicious behavior:

• User Account Control (elevation of EXE, COM, MSI, or ActiveX installation)
• PowerShell (scripts, interactive use, and dynamic code evaluation)
• Windows Script Host (wscript.exe and script.exe)
• JavaScript and VBScript
• Office VBA macros

Enable or disable machine learning (ML). This feature uses the new FortiClient AV engine, which incorporates smarter signature-less ML-based advanced threat detection. The antimalware solution includes ML models static and dynamic analysis of threats.

From the Action On Virus Discovery With Machine Learning Analysis dropdown list, select one of the following:

• Log detection and warn the User: detect the sample, display a warning message, and log the activity.
• Quarantine Infected Files: quarantine infected files. You can view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.

Select one of the following from the dropdown list:

• Warn the User If a Process Attempts to Access Infected Files
• Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard.
• Ignore Infected Files

Adds a Scan with FortiClient AntiVirus option to the Windows Explorer right-click menu.

Hide AV scan option from Windows Explorer's context menu.

Hide option to submit file for AV analysis from Windows Explorer's context menu.

Pause scanning when the computer is running on battery power.

Control whether the local administrator can stop a scheduled or on-demand AV scan initiated by the EMS administrator. A user who is not a local administrator cannot stop a scheduled or on-demand AV scan regardless of this setting.

Automatically submit suspicious files to FortiGuard for analysis. You do not receive feedback for files submitted for analysis. The FortiGuard team can create signatures for any files that are submitted for analysis and determined to be malicious.

Scan archive files, including zip, rar, and tar files, for threats.

Only scan files under the specified size (in MB). To allow scanning compressed files of any size, enter 0. For compressed files, FortiClient supports a maximum file size of 1 GB for AV scanning. For a compressed file with a size larger than 1 GB, FortiClient scans it after decompression.

Select the minimum amount of memory that must be installed on a computer to maximize scan speed. AV maximizes scan speed by loading signatures on computers with a minimum amount of memory:

• 4 GB
• 6 GB
• 8 GB
• 12 GB
• 16 GB

Enable or disable machine learning (ML). This feature uses the new FortiClient AV engine, which incorporates smarter signature-less ML-based advanced threat detection. The antimalware solution includes ML models static and dynamic analysis of threats.

From the Action On Virus Discovery With Machine Learning Analysis dropdown list, select one of the following:

• Log detection and warn the User: detect the sample, display a warning message, and log the activity.
• Quarantine Infected Files: quarantine infected files. You can view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.

Enable scheduled scans.

Select Daily, Weekly, or Monthly.

If Weekly is selected, select the day of the week to perform the scan. If Monthly is selected, select the day of the month to perform the scan. If you configure monthly scans to occur on the 31st of each month, the scan occurs on the first day of the month for months with fewer than 31 days.

Configure the start time for the scheduled scan.

Select one of the following:

• Quick: Runs the rootkit detection engine to detect and remove rootkits. The quick scan only scans executable files, DLLs, and drivers that are currently running for threats.
• Full: Runs the rootkit detection engine to detect and remove rootkits, then performs a full system scan of all files, executable files, DLLs, and drivers.
• Custom: Runs the rootkit detection engine to detect and remove rootkits. In the Scan Folder field, enter the full path of the folder on your local hard disk drive to scan.

Set to Low, Normal, or High. This refers to the amount of processing power that the scan uses and its impact on other processes.

Scan connected removable media, such as USB drives, for threats, if present.

Scan attached or mounted network drives for threats.

When antiransomware detects suspicious activity, it displays a popup asking the user if they want to terminate the process:

• If the user selects Yes, FortiClient terminates the suspicious process.
• If the user selects No, FortiClient allows the process to continue.
• If the user does not select an option, FortiClient waits for the configured action timeout, then does one of the following, as configured:
  • Block access and warn user if suspicious activity is detected: FortiClient terminates the suspicious process.
  • Warn user and resume after the timeout: FortiClient allows the process to continue.

Enter the desired timeout value.

Enable FortiClient to exclude a process from the selected antiransomware action if it has a valid signer.

Enable FortiClient to restore files that the detected ransomware encrypted after detecting ransomware behavior on the endpoint.

Enter the desired backup interval value in hours. FortiClient backs up files in protected folders that were last modified at a time that is longer ago than the backup interval value. The backup only occurs when the files will be modified.

Enter the desired size limit in MB for ransomware-encrypted files for FortiClient to back up. The size limit refers to the original file size, not the size limit after encryption.

Have the endpoint user wait for cloud scanning results before being allowed access to files. Set the timeout in seconds.

Deny access to downloaded files if there is no cloud scan result. This may happen if FortiClient EMS cannot reach FortiGuard.

Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.

Submit all files executed from mapped network drives.

Submit all web downloads.

Submit all email downloads.

Display a bubble notification when FortiClient takes action with a removable media device.

Configure the action to take with removable media devices connected to the endpoint that match this rule. Available options are:

• Allow: Allow access to removable media devices connected to the endpoint that match this rule.
• Block: Block access to removable media devices connected to the endpoint that match this rule.
• Monitor: Log removable media device connections to the endpoint that match this rule.

Enter the desired rule description.

Select Simple or Regular Expression for the rule type.

When Simple is selected, FortiClient performs case-insensitive matching against classes, manufacturers, vendor IDs, product IDs, and revisions.

When Regular Expression is selected, FortiClient uses Perl Compatible Regular Expressions (PCRE) to perform matching against classes, manufacturers, vendor IDs, product IDs, and revisions.

Enter the device class.

Enter the device manufacturer.

Enter the device vendor ID.

Enter the device product ID.

Enter the device revision number.

Remove this rule from the profile.

Add a new removable media access rule.

Move this rule up or down. If a connected device is eligible for multiple rules, FortiClient applies the highest rule to the device.

Enter fully qualified excluded folder paths in the provided text box to exclude these folders from RTP and on-demand scanning.

Enter fully qualified excluded files in the provided text box to exclude these files from RTP and on-demand scanning.

RTP skips scanning files with the specified extensions.

Scan for files implementing advanced OS hooks used by malware to protect themselves from being shutdown, killed, or deleted. A rootkit is a collection of programs that enable administrator-level access to a computer or computer network. Typically a rootkit is installed on a computer after first obtaining user-level access by exploiting a known vulnerability or cracking a password.

Scan for adware. Adware is a form of software that downloads or displays unwanted ads when a user is online.

Scan for riskware. Riskware refers to legitimate programs which, when installed and executed, presents a possible but not definite risk to the computer.

Enable AV scan with heuristics signature. Advanced heuristics is a sequence of heuristics to detect complex malware.

Scan removable media (CDs, DVDs, Blu-ray disks, USB keys, etc.) on insertion.

Scan emails for threats with SMTP and POP3 protocols.

Scan inbox email content with Multipurpose Internet Mail Extensions (MIME) file types.

MIME is an Internet standard that extends the format of the email to support the following:

• Text in character sets other than ASCII
• Non text attachments (audio, video, images, applications)
• Message bodies with multiple parts

Automatically sends suspicious files to FortiGuard for analysis.