
EMS Administration Guide

Vulnerability Scan

If you enable both Automatic Maintenance and Scheduled Scan, FortiClient EMS only uses the Automatic Maintenance settings.

Configuration

Description

Vulnerability Scan

Enable or disable Vulnerability Scan.

Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

Scanning

Scan on Registration

Scan endpoints upon connecting to a FortiGate.

Scan on Vulnerability Signature Update

Scan endpoints upon updating a vulnerability signature.

Scan on OS Updates

Run system updates for the underlying operating system (OS):

  • For an endpoint with Microsoft Windows installed, this option scans for and applies Windows OS patches for security updates.
  • For an endpoint with macOS installed, this option runs the OS software updates.

FortiClient notifies the OS to do these updates.

Force Enable Windows Update

If you disable this option, FortiClient sends a message to EMS indicating that the endpoint has paused Windows Update.

If you enable this option and Windows Update is in a paused state, FortiClient deletes the Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings registry key and Windows Update resumes so that FortiClient VCM can detect OS vulnerabilities again.
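As an added, read-only example (not Fortinet's code), this PowerShell function audits the registry key named above and reports whether Windows Update is paused on an endpoint, which is the condition that stops VCM from detecting OS vulnerabilities; it assumes the Pause* value names are the standard ones Windows writes under that key.

```powershell
# Added example, not Fortinet's code: audit whether Windows Update is paused
# by reading the key FortiClient deletes when Force Enable Windows Update is on.
# Read-only: it reports the state, it does not change or delete anything.
# Assumption: the Pause* value names below are the ones Windows writes under
# this key when a user or policy pauses updates.
$UxSettings = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
$PauseValueNames = @(
    'PauseUpdatesExpiryTime',
    'PauseFeatureUpdatesStartTime',
    'PauseFeatureUpdatesEndTime',
    'PauseQualityUpdatesStartTime',
    'PauseQualityUpdatesEndTime'
)

function Get-WindowsUpdatePauseState {
    [CmdletBinding()]
    param([string]$Path = $UxSettings)

    if (-not (Test-Path -Path $Path)) {
        # Key absent: the state left behind after FortiClient removes it.
        return [pscustomobject]@{ KeyPresent = $false; Paused = $false; PauseValues = @() }
    }

    $item  = Get-ItemProperty -Path $Path
    $found = foreach ($name in $PauseValueNames) {
        $prop = $item.PSObject.Properties[$name]
        if ($null -ne $prop -and -not [string]::IsNullOrEmpty($prop.Value)) {
            [pscustomobject]@{ Name = $name; Value = $prop.Value }
        }
    }

    # A pause is active only while its end/expiry timestamp lies in the future;
    # an unparseable timestamp is treated conservatively as still paused.
    $active = @($found | Where-Object {
        if ($_.Name -like '*EndTime' -or $_.Name -like '*ExpiryTime') {
            $end = [datetime]::MinValue
            (-not [datetime]::TryParse($_.Value, [ref]$end)) -or ($end -gt (Get-Date))
        } else { $true }
    })

    [pscustomobject]@{
        KeyPresent  = $true
        Paused      = ($active.Count -gt 0)
        PauseValues = @($found)
    }
}

$state = Get-WindowsUpdatePauseState
if ($state.Paused) { Write-Warning 'Windows Update is paused; VCM cannot detect OS vulnerabilities until it resumes.' }
else { Write-Output "Windows Update is not paused (key present: $($state.KeyPresent))." }
```

Run it from an elevated PowerShell session on the endpoint; a Paused result of $true before the policy is applied, and $false afterwards, confirms the Force Enable Windows Update behaviour described above.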

Enable Proxy

Enable using proxy settings configured in when downloading updates for vulnerability patches.

Automatic Maintenance

Configure settings for automatic maintenance. This configures Vulnerability Scan to run as part of Windows automatic maintenance. Adding FortiClient Vulnerability Scans to the Windows automatic maintenance queue allows the system to choose an appropriate time for the scan that minimally impacts the user, PC performance, and energy efficiency. See Automatic maintenance.

Period

Specify how often Vulnerability Scan needs to be started during automatic maintenance. Enter the desired number of days.

Deadline

Specify when Windows must start Vulnerability Scan during emergency automatic maintenance, if Vulnerability Scan did not complete during regular automatic maintenance. Enter the desired number of days.

This value must be greater than the Period value.

Scheduled Scan

Configure settings for scheduled scanning.

Schedule Type

Select Daily, Weekly, or Monthly.

Scan On

Configure the day the scan will run. This only applies if the schedule type is configured to Weekly or Monthly. Select a day of the week (Sunday through Monday) or a day of the month (1st through the 31st).

Start At

Configure the time the scan starts.

Automatic Patching

Patch Level

Patches are installed automatically when vulnerabilities are detected. Select one of the following:

  • Critical: Patch critical vulnerabilities only.
  • High: Patch high severity and above vulnerabilities.
  • Medium: Patch medium severity and above vulnerabilities.
  • Low: Patch low severity and above vulnerabilities.
  • All: Patch all vulnerabilities.

Automatic patching may require the endpoint to reboot.

Exclusions

Exempt Application Vulnerabilities Requiring Manual Update from Vulnerability Compliance Check

All applications that require the endpoint user to manually patch vulnerabilities are excluded from vulnerability compliance check.

This option does not exclude applications from vulnerability scanning.

Exclude Selected Applications from Vulnerability Compliance Check

In the <number> Applications list, click the applications to exclude from vulnerability compliance check, and they are automatically moved to the <number> Excluded Applications list.

In the <number> Excluded Applications list, click the applications to remove from the exclusion list.

Applications on the exclusion list are exempt from needing to install software patches within the time frame specified in FortiGate compliance rules to maintain compliant status and network access.

Applications on the list are not excluded from vulnerability scanning.

Disable Automatic Patching for These Applications

Disable automatic patching for the applications excluded from vulnerability compliance check.
