
Antiransomware

The following lists antiransomware attributes:

<forticlient_configuration>
  <rs_protection>
    <enabled>1</enabled>
    <default_action>1</default_action>
    <bypass_valid_signer>1</bypass_valid_signer>
    <default_action_timeout>5</default_action_timeout>
    <enable_backup>1</enable_backup>
    <backup_interval>1</backup_interval>
    <backup_file_size_limit>1</backup_file_size_limit>
    <backup_disk_quota>10</backup_disk_quota>
    <use_custom_file_extensions>1</use_custom_file_extensions>
    <custom_extensions>cmd,csv,dll,dmg,docm,docx,dot,dotm,dotx,elf,eml,exe,gz,iqy,iso,jar,jse,msi,pdf,pot,potm,potx,ppam,pps,ppsm,ppsx,ppt,pptm,pptx,ps1,rar,rtf,tar,thmx,xlam,xls,xlsb,xlsm,xlsx,xlt,xltm,xltx,xz,z,zip</custom_extensions>
    <protections>
      <folders>
        <folder>C:\Users\%USERNAME%\Documents\</folder>
        <folder>C:\Users\%USERNAME%\Pictures\</folder>
        <folder>C:\Users\%USERNAME%\Videos\</folder>
        <folder>C:\Users\%USERNAME%\Music\</folder>
        <folder>C:\Users\%USERNAME%\Desktop\</folder>
        <folder>C:\Users\%USERNAME%\Favorites\</folder>
        <folder>C:\ransome</folder>
      </folders>
    </protections>
  </rs_protection>
</forticlient_configuration>

The following table provides the XML tags for antiransomware detection, as well as the descriptions and default values where applicable.

| XML tag | Description | Default value |
|---|---|---|
| `<enabled>` | Enable antiransomware detection to protect specific files, folders, or file types on your endpoints from unauthorized changes. Boolean value: [0 \| 1] | |
| `<default_action>` | When antiransomware detects suspicious activity, it displays a popup asking the user if they want to terminate the process. If the user selects Yes, FortiClient terminates the suspicious process. If the user selects No, FortiClient allows the process to continue. If the user does not select an option, FortiClient waits for the configured action timeout, then does one of the following, as configured: `1`: terminate ransomware behavior; `2`: FortiClient allows the process to continue and monitors it. | |
| `<bypass_valid_signer>` | Enable FortiClient to exclude a process from the selected antiransomware action if it has a valid signer. Boolean value: [0 \| 1] | |
| `<default_action_timeout>` | Enter the desired timeout value in seconds. | 120 |
| `<enable_backup>` | Enable FortiClient to restore files that the detected ransomware encrypted after detecting ransomware behavior on the endpoint. Boolean value: [0 \| 1] | 0 |
| `<backup_interval>` | Enter the desired backup interval value in hours. FortiClient backs up files in protected folders that were last modified at a time that is longer ago than the backup interval value. The backup occurs only when the files are about to be modified. | |
| `<backup_file_size_limit>` | Enter the desired size limit in MB for ransomware-encrypted files for FortiClient to back up. The size limit refers to the original file size, not the size after encryption. | |
| `<backup_disk_quota>` | Enter the desired backup disk quota value as a percentage of free disk space. | |
| `<use_custom_file_extensions>` | Enable FortiClient to protect a customized list of file extension types. Boolean value: [0 \| 1] | |
| `<custom_extensions>` | Enter the desired file types to protect from suspicious activity, separating each file type with a comma. Do not include the leading dot when entering a file type. For example, to include text files, you would enter txt, as opposed to .txt. | |
| `<protections><folders><folder>` | Enter the desired file directories for FortiClient antiransomware to protect. FortiClient antiransomware protects all content in the selected folders against unauthorized changes. | |
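An added example, not Fortinet's code: a Python check that parses an `<rs_protection>` section and reports settings that narrow coverage according to the tag descriptions above, including a file that is not well-formed XML. The function name, the sample XML and the choice of which values to report are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): detection is on, but an unanswered
# prompt allows the process, backup is off, and one extension has a leading dot.
SAMPLE = r"""<forticlient_configuration>
  <rs_protection>
    <enabled>1</enabled>
    <default_action>2</default_action>
    <bypass_valid_signer>1</bypass_valid_signer>
    <enable_backup>0</enable_backup>
    <use_custom_file_extensions>1</use_custom_file_extensions>
    <custom_extensions>docx,.xlsx,pdf</custom_extensions>
    <protections><folders>
      <folder>C:\Users\%USERNAME%\Documents\</folder>
    </folders></protections>
  </rs_protection>
</forticlient_configuration>"""

def audit_rs_protection(xml_text):
    """Return (tag, finding) pairs; the choice of findings is this example's."""
    try:
        rs = ET.fromstring(xml_text).find("rs_protection")
    except ET.ParseError as exc:  # e.g. a closing tag typed as <\tag>
        return [("xml", f"not well-formed: {exc}")]
    if rs is None:
        return [("rs_protection", "section missing")]
    val = lambda tag, default="": (rs.findtext(tag) or default).strip()
    out = []
    if val("enabled") != "1":
        out.append(("enabled", "detection is off"))
    if val("default_action") == "2":
        out.append(("default_action", "unanswered prompt lets the process continue"))
    elif val("default_action") != "1":
        out.append(("default_action", "not one of the documented values 1 or 2"))
    if val("bypass_valid_signer") == "1":
        out.append(("bypass_valid_signer", "validly signed processes are excluded"))
    if val("enable_backup", "0") != "1":  # documented default is 0
        out.append(("enable_backup", "encrypted files cannot be restored"))
    if val("use_custom_file_extensions") == "1":
        exts = [e.strip() for e in val("custom_extensions").split(",")]
        bad = [e for e in exts if not e or e.startswith(".")]
        if bad:
            out.append(("custom_extensions", f"empty or dotted entries: {bad}"))
    if not any((f.text or "").strip() for f in rs.iter("folder")):
        out.append(("folder", "no protected folders listed"))
    return out

if __name__ == "__main__":
    for tag, finding in audit_rs_protection(SAMPLE):
        print(f"<{tag}>: {finding}")
```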
