
Cloud-based malware protection

Cloud-based malware protection attributes are as follows:

<forticlient_configuration>

<cloudscan>

<enabled>1</enabled>

<response_timeout>0</response_timeout>

<when>

<executables_on_removable_media>1</executables_on_removable_media>

<executables_on_mapped_nw_drives>1</executables_on_mapped_nw_drives>

<web_downloads>1</web_downloads>

<email_downloads>1</email_downloads>

</when>

<remediation>

<action>quarantine</action>

<on_error>allow</on_error>

</remediation>

<exceptions>

<exclude_files_from_trusted_sources>1</exclude_files_from_trusted_sources>

<exclude_files_and_folders>1</exclude_files_and_folders>

<folders></folders>

<files></files>

</exceptions>

<submit_by_extensions>

<enabled>1</enabled>

<use_custom_extensions>1</use_custom_extensions>

<custom_extensions>7z,arj,bz2,cpl,dll,doc,docm,docx,dot,dotm,dotx,exe,fla,flv,gz,jsfl</custom_extensions>

</submit_by_extensions>

</cloudscan>

</forticlient_configuration>

The following table provides the XML tags for cloud-based malware protection, as well as the descriptions and default values where applicable.

XML tag

Description

Default value

<enabled>

Enable cloud-based malware protection. This feature protects endpoints against high risk file types arriving from external sources, such as the Internet or network drives, by querying FortiGuard to determine whether a file is known to be malicious. The process is as follows:

  1. A high risk file is downloaded to, or executed on, the endpoint.
  2. FortiClient computes a SHA-1 hash of the file.
  3. FortiClient sends the hash to FortiGuard, which looks it up in the FortiGuard checksum library.
  4. If the hash is found in the library, FortiGuard reports to FortiClient that the file is malware. By default, FortiClient quarantines the file.

Because the lookup is by hash, only files already present in the FortiGuard library are detected; a file whose hash is not in the library is allowed.

Boolean value: [0 | 1]

<response_timeout>

Enter the number of seconds to wait for cloud-based malware protection results before allowing file access. If FortiClient does not receive a verdict before the timeout expires, access to the file is allowed, so the timeout is a fail-open control: a slow or unreachable FortiGuard query lets the file through unchecked.

<when> elements

<executables_on_removable_media>

Enable submitting files executed from removable media for cloud-based malware protection.

Boolean value: [0 | 1]

<executables_on_mapped_nw_drives>

Enable submitting files executed from mapped network drives for cloud-based malware protection.

Boolean value: [0 | 1]

<web_downloads>

Enable submitting web downloads for cloud-based malware protection.

Boolean value: [0 | 1]

<email_downloads>

Enable submitting email downloads for cloud-based malware protection.

Boolean value: [0 | 1]

<remediation> elements

<action>

Specify how to handle files that FortiGuard reports as malicious. Enter one of the following:

  • quarantine: quarantine the malicious file so the user cannot access it
  • alert: alert the user about the malicious file but leave it accessible

<on_error>

Specify how to handle files when FortiClient cannot reach the cloud-based malware protection service. block denies access to the file; allow (the value in the sample above) lets the file through without a verdict, which is fail-open. Enter one of the following:

  • block
  • allow

<exceptions> elements

<exclude_files_from_trusted_sources>

Exclude files signed by trusted sources from cloud-based malware protection submission.

Boolean value: [0 | 1]

<exclude_files_and_folders>

Exclude the specified folders and files from cloud-based malware protection submission. You must also populate the exclusion list in the <folders> and <files> elements; anything listed there is never hashed or submitted.

Boolean value: [0 | 1]

<folders>

Specify a list of folders to exclude. Separate multiple folders with a comma. Example: C:\path1\to\folder\,C:\path2\to\folder\

<files>

Specify a list of files to exclude. Separate multiple files with a comma. Example: C:\path\to\file1.txt,C:\path\to\file2.txt

<submit_by_extensions> elements

<enabled>

Submit files with the specified extensions to cloud-based malware protection for analysis. When disabled, FortiClient submits no files to cloud-based malware protection, whatever their extension.

Boolean value: [0 | 1]

<use_custom_extensions>

Enable using a custom list of file extensions.

If enabled, configure the custom list of file extensions using the <custom_extensions> element.

If disabled, this feature only submits high risk file types such as .exe, .doc, .pdf, and .dll to cloud-based malware protection.

Boolean value: [0 | 1]

<custom_extensions>

If using a custom list of file extensions, enter the list of desired file extensions, separated only by commas.
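To see how the settings in the table combine, here is an added audit script (not Fortinet's code) that parses a <cloudscan> block with Python's standard xml.etree and reports the conditions the table describes as weakening coverage: <on_error> set to allow, a non-quarantine <action>, a disabled <when> trigger, <submit_by_extensions> turned off, a custom extension list that drops one of the built-in high risk types named above (the sample's default list does not include pdf), and whatever paths the exclusion lists carve out. The sample profile is the page's default with two constructed folder exclusions; the severity labels, the HIGH_RISK set and the harden() policy are this example's assumptions, not FortiClient behaviour.

```python
"""Audit the <cloudscan> block of a FortiClient XML configuration.

Added example, not Fortinet code. Element names and meanings follow the
reference table; severity labels, HIGH_RISK, the constructed exclusion
folders and the harden() policy are this example's own assumptions.
"""
import xml.etree.ElementTree as ET

# Extensions the table names as the built-in high risk set used when
# <use_custom_extensions> is 0. Assumption: a custom list that drops one
# of them is worth flagging, since it covers less than the built-in list.
HIGH_RISK = {"exe", "doc", "pdf", "dll"}

# Constructed sample: the page's default profile, with two constructed
# exclusion folders filled in so the list parsing has input to show.
DEFAULT_PROFILE = """<forticlient_configuration><cloudscan>
<enabled>1</enabled><response_timeout>0</response_timeout>
<when><executables_on_removable_media>1</executables_on_removable_media>
<executables_on_mapped_nw_drives>1</executables_on_mapped_nw_drives>
<web_downloads>1</web_downloads><email_downloads>1</email_downloads></when>
<remediation><action>quarantine</action><on_error>allow</on_error></remediation>
<exceptions><exclude_files_from_trusted_sources>1</exclude_files_from_trusted_sources>
<exclude_files_and_folders>1</exclude_files_and_folders>
<folders>C:\\Temp\\,D:\\Share\\</folders><files></files></exceptions>
<submit_by_extensions><enabled>1</enabled><use_custom_extensions>1</use_custom_extensions>
<custom_extensions>7z,arj,bz2,cpl,dll,doc,docm,docx,dot,dotm,dotx,exe,fla,flv,gz,jsfl</custom_extensions>
</submit_by_extensions></cloudscan></forticlient_configuration>"""

TRIGGERS = ("executables_on_removable_media", "executables_on_mapped_nw_drives",
            "web_downloads", "email_downloads")


def split_list(text):
    """Parse a comma-separated <folders>, <files> or <custom_extensions> value.
    The table says entries are separated only by commas; stray spaces and
    empty items are tolerated so a sloppy profile still audits."""
    return [item.strip() for item in (text or "").split(",") if item.strip()]


def _text(node, path):
    """Text of the first child at an ElementTree path, or '' if absent."""
    found = node.find(path)
    return (found.text or "").strip() if found is not None else ""


def audit_cloudscan(xml_text):
    """Return (severity, message) findings for one profile."""
    cs = ET.fromstring(xml_text).find("cloudscan")
    if cs is None:
        return [("HIGH", "no <cloudscan> element: feature not configured")]
    if _text(cs, "enabled") != "1":
        return [("HIGH", "<enabled> is not 1: cloud-based malware protection is off")]
    findings = []
    for trigger in TRIGGERS:
        if _text(cs, "when/" + trigger) != "1":
            findings.append(("MEDIUM", f"<{trigger}> is 0: files from that source are never submitted"))
    action = _text(cs, "remediation/action")
    if action != "quarantine":
        findings.append(("HIGH", f"action is '{action}': detected malware stays accessible to the user"))
    if _text(cs, "remediation/on_error") == "allow":
        findings.append(("MEDIUM", "on_error is allow: files pass when FortiGuard is unreachable (fail-open)"))
    # The table says access is allowed once the wait expires, whatever the value.
    findings.append(("INFO", f"response_timeout={_text(cs, 'response_timeout')}: "
                             "access is allowed once the wait expires without a verdict"))
    if _text(cs, "submit_by_extensions/enabled") != "1":
        findings.append(("HIGH", "<submit_by_extensions> disabled: no files are submitted at all"))
    elif _text(cs, "submit_by_extensions/use_custom_extensions") == "1":
        custom = {e.lstrip(".").lower() for e in split_list(_text(cs, "submit_by_extensions/custom_extensions"))}
        missing = sorted(HIGH_RISK - custom)
        if missing:
            findings.append(("MEDIUM", "custom list omits built-in high-risk types: " + ", ".join(missing)))
    if _text(cs, "exceptions/exclude_files_and_folders") == "1":
        excluded = split_list(_text(cs, "exceptions/folders")) + split_list(_text(cs, "exceptions/files"))
        if excluded:
            findings.append(("INFO", "paths excluded from submission: " + "; ".join(excluded)))
    return findings


def harden(xml_text):
    """Return a fail-closed variant: block on error, quarantine on detection,
    and keep every built-in high risk extension in the custom list."""
    root = ET.fromstring(xml_text)
    cs = root.find("cloudscan")
    cs.find("remediation/on_error").text = "block"
    cs.find("remediation/action").text = "quarantine"
    ext = cs.find("submit_by_extensions/custom_extensions")
    ext.text = ",".join(sorted(set(split_list(ext.text)) | HIGH_RISK))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, profile in (("default", DEFAULT_PROFILE), ("hardened", harden(DEFAULT_PROFILE))):
        print(f"== {name} profile ==")
        for severity, message in audit_cloudscan(profile):
            print(f"  [{severity}] {message}")
```

Run against the default profile, the script reports the fail-open <on_error>, the missing pdf in the custom extension list, and the two excluded folders; after harden() only the informational lines remain. The <response_timeout> line is always reported because the table states that expiry allows access regardless of the configured value.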
