Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • XML Reference Guide

    Home FortiClient 7.2.4 XML Reference Guide
    7.2.4
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    Real-time protection

    Real-time protection

    The <real_time_protection> element configures how the scanner processes files used by programs running on the system.

    Several tags are similar between this section and <on_demand_scanning>.

    <forticlient_configuration>

    <antivirus>

    <real_time_protection>

    <enabled>1</enabled>

    <use_extreme_db>0</use_extreme_db>

    <when>0</when>

    <ignore_system_when>0</ignore_system_when>

    <on_virus_found>0</on_virus_found>

    <popup_alerts>0</popup_alerts>

    <popup_registry_alerts>0</popup_registry_alerts>

    <amsi_enabled>0</amsi_enabled>

    <compressed_files>

    <scan>1</scan>

    <maxsize>2</maxsize>

    </compressed_files>

    <riskware>

    <enabled>1</enabled>

    </riskware>

    <adware>

    <enabled>1</enabled>

    </adware>

    <heuristic_scanning>

    <level>3</level>

    <action>0</action>

    </heuristic_scanning>

    <scan_file_types>

    <all_files>1</all_files>

    <file_types>

    <extensions>.386,.ACE,.ACM,.ACV,.ACX,.ADT,.APP,.ASD,.ASP,.ASX,.AVB,.AX,.AX2,.BAT,.BIN,.BTM,.CDR,.CFM,.CHM,.CLA,.CLASS,.CMD,.CNN,.COM,.CPL,.CPT,.CPY,.CSC,.CSH,.CSS,.DEV,.DLL,.DOC,.DOT,.DRV,.DVB,.DWG,.EML,.EXE,.FON,.GMS,.GVB,.HLP,.HTA,.HTM,.HTML,.HTT,.HTW,.HTX,.HXS,.INF,.INI,.JPG,.JS,.JTD,.KSE,.LGP,.LIB,.LNK,.MDB,.MHT,.MHTM,.MHTML,.MOD,.MPD,.MPP,.MPT,.MRC,.OCX,.PIF,.PL,.PLG,.PM,.PNF,.PNP,.POT,.PPA,.PPS,.PPT,.PRC,.PWZ,.QLB,.QPW,.REG,.RTF,.SBF,.SCR,.SCT,.SH,.SHB,.SHS,.SHT,.SHTML,.SHW,.SIS,.SMM,.SWF,.SYS,.TD0,.TLB,.TSK,.TSP,.TT6,.VBA,.VBE,.VBS,.VBX,.VOM,.VSD,.VSS,.VST,.VWP,.VXD,.VXE,.WBK,.WBT,.WIZ,.WK,.WML,.WPC,.WPD,.WSC,.WSF,.WSH,.XLS,.XML,.XTP</extensions>

    <include_files_with_no_extension>0</include_files_with_no_extension>

    </file_types>

    </scan_file_types>

    <exclusions>

    <file />

    <folder />

    <file_types>

    <extensions />

    </file_types>

    </exclusions>

    </real_time_protection>

    </antivirus>

    </forticlient_configuration>

    The following table provides the XML tags for RTP, as well as the descriptions and default values where applicable.

    XML tag

    Description

    Default value

    <enabled>

    Enable RTP.

    Boolean value: [0 | 1]

    1

    <use_extreme_db>

    Use extreme database.

    Boolean value: [0 | 1]

    <when>

    File I/O activities that result in a scan. Configure one of the following:

    • 0: scan files when processes read or write them and enable scanning network files.
    • 1: scan files when processes read them and disable scanning network files.
    • 2: scan files when processes write them and disable scanning network files.
    • 3: scan files when processes read or write them and disable scanning network files.
    • 4: scan files when processes read them and enable scanning network files.
    • 5: scan files when processes write them and enable scanning network files.

    0

    <ignore_system_when>

    Configure one of the following:

    • 0: scan files when system processes read or write them.
    • 1: scan files when system processes read them.
    • 2: scan files when system processes write them.
    • 3: do not scan files when system processes read or write them.

    2

    <on_virus_found>

    Configure the action FortiClient performs if it finds a virus:

    • 1: ignore infected files.
    • 4: quarantine infected files. You can use FortiClient to view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.
    • 5: deny access to infected files.

    5

    <popup_alerts>

    If enabled, displays the Virus Alert dialog when a virus is detected while attempting to download a file via a web browser. The dialog allows you to view recently detected viruses, their locations, and statuses.

    Boolean value: [0 | 1]

    1

    <popup_registry_alerts>

    Enable popup registry alerts. This feature displays alerts if a process tries to change registry start items.

    Boolean value: [0 | 1]

    0

    <amsi_enabled>

    Enable Microsoft Anti-Malware Interface Scan (AMSI). This feature is only available for Windows 10 endpoints. AMSI scans memory for the following malicious behavior:

    • User Account Control (elevation of EXE, COM, MSI, or ActiveX installation)
    • PowerShell (scripts, interactive use, and dynamic code evaluation)
    • Windows Script Host (wscript.exe and script.exe)
    • JavaScript and VBScript
    • Office VBA macros

    Boolean value: [0 | 1]

    0

    <compressed_files> elements

    <scan>

    Scan archive files, including zip, rar, and tar files, for threats.

    Boolean value: [0 | 1]

    1

    <maxsize>

    Only scan files under the specified size in MB.

    A number up to 65535. 0 means no limit. For compressed files, FortiClient supports a maximum file size of 1 GB for antivirus scanning. For a compressed file with a size larger than 1 GB, FortiClient scans it after decompression.

    2

    <riskware> element

    <enabled>

    Scan for riskware. Riskware refers to legitimate programs which, when installed and executed, presents a possible but not definite risk to the computer.

    Boolean value: [0 | 1]

    1

    <adware> element

    <enabled>

    Scan for adware. Adware is a form of software that downloads or displays unwanted ads when a user is online.

    Boolean value: [0 | 1]

    1

    <heuristic_scanning> elements

    The new FortiClient AV engine incorporates a smarter signature-less machine learning (ML)-based advanced threat detection. The antimalware solution includes ML models static and dynamic analysis of threats.

    <level>

    This setting applies to real-time and on-demand scans. Enter one of the following:

    • 0: normal
    • 1: advanced heuristics on highly infected systems
    • 2: Minos engine heuristics on highly infected systems
    • 3: both advanced heuristics on highly infected systems and engine heuristics
    • 4: both, without waiting to determine if system is highly infected

    <action>

    The action FortiClient performs if it finds a virus. Enter one of the following:

    • 0: detect and notify only (with log entries, no other action)
    • 2: quarantine the file

    <scan_file_types> element

    <all_files>

    Enabled scanning of all file types. If enabled, ignore the <file_types> element.

    Boolean value: [0 | 1]

    1

    <scan_file_types><file_types> elements

    <extensions>

    Comma separated list of extensions to scan.

    <include_files_with_no_extension>

    Determines whether to scan files with no extension.

    Boolean value: [0 | 1]

    0

    <exclusions> elements

    FortiClient supports using wildcards and path variables to specify files and folders to exclude from scanning. FortiClient supports the following wildcards and variables, among others:

    • Using wildcards to exclude a range of file names with a specified extension, such as Edb*.jrs
    • Using wildcards to exclude all files with a specified extension, such as *.jrs
    • Path variable %allusersprofile%
    • Path variable %appdata%
    • Path variable %localappdata%
    • Path variable %systemroot%
    • Path variable %systemdrive%
    • Path variable %userprofile%
    • Path variable %windir%

    FortiClient does not support combinations of wildcards and variables.

    <file>

    Full path to a file to exclude from RTP scanning. Element may be repeated to list more files.

    <folder>

    Full path to a directory to exclude from RTP scanning. Element may be repeated to list more directories. Shadow Copy format is supported, for example, <folder>\Device\HarddiskVolumeShadowCopy*</folder>. Shadow Copy is also known as Volume Snapshot Service, Volume Shadow Copy Service, or VSS. Wildcards are not accepted.

    <exclusions> <file_types> element

    <extensions>

    Comma separated list of extensions to exclude from RTP scanning.

    <sandboxing> element

    <enabled>

    Enable FortiSandbox configuration.

    Boolean value: [0 | 1]

    <sandbox_address>

    Specify the IP address for FortiSandbox.

    <timeout>

    Specify how long to wait in seconds for FortiSandbox results before allowing file access. When set to 0 seconds, file access is granted without waiting for FortiSandbox results.

    Range: 0-4294967295 in seconds

    <use_sandbox_signatures>

    Enable using FortiSandbox signatures.

    Boolean value: [0 | 1]

    <check_for_signatures_every>

    Specify how often to check for FortiSandbox signatures when <use_sandbox_signatures> is set to 1.

    Boolean value: [0 | 1]

    <action_on_error>

    Specify whether to block traffic when FortiSandbox finds errors. When this setting is 0, traffic is passed. When this setting is 1, traffic is blocked.

    Boolean value: [0 | 1]

    0

    <scan_usb>

    Enable sending files from USB drives to FortiSandbox for scanning. When this setting is 0, files are not scanned. When this setting is 1, files are scanned.

    Boolean value: [0 | 1]

    0

    <scan_mapped_drives>

    Enable sending files from mapped drives to FortiSandbox for scanning. When this setting is 0, files are not scanned. When this setting is 1, files are scanned.

    Boolean value: [0 | 1]

    0
    Previous
    Next

    Real-time protection

    Real-time protection

    The <real_time_protection> element configures how the scanner processes files used by programs running on the system.

    Several tags are similar between this section and <on_demand_scanning>.

    <forticlient_configuration>

    <antivirus>

    <real_time_protection>

    <enabled>1</enabled>

    <use_extreme_db>0</use_extreme_db>

    <when>0</when>

    <ignore_system_when>0</ignore_system_when>

    <on_virus_found>0</on_virus_found>

    <popup_alerts>0</popup_alerts>

    <popup_registry_alerts>0</popup_registry_alerts>

    <amsi_enabled>0</amsi_enabled>

    <compressed_files>

    <scan>1</scan>

    <maxsize>2</maxsize>

    </compressed_files>

    <riskware>

    <enabled>1</enabled>

    </riskware>

    <adware>

    <enabled>1</enabled>

    </adware>

    <heuristic_scanning>

    <level>3</level>

    <action>0</action>

    </heuristic_scanning>

    <scan_file_types>

    <all_files>1</all_files>

    <file_types>

    <extensions>.386,.ACE,.ACM,.ACV,.ACX,.ADT,.APP,.ASD,.ASP,.ASX,.AVB,.AX,.AX2,.BAT,.BIN,.BTM,.CDR,.CFM,.CHM,.CLA,.CLASS,.CMD,.CNN,.COM,.CPL,.CPT,.CPY,.CSC,.CSH,.CSS,.DEV,.DLL,.DOC,.DOT,.DRV,.DVB,.DWG,.EML,.EXE,.FON,.GMS,.GVB,.HLP,.HTA,.HTM,.HTML,.HTT,.HTW,.HTX,.HXS,.INF,.INI,.JPG,.JS,.JTD,.KSE,.LGP,.LIB,.LNK,.MDB,.MHT,.MHTM,.MHTML,.MOD,.MPD,.MPP,.MPT,.MRC,.OCX,.PIF,.PL,.PLG,.PM,.PNF,.PNP,.POT,.PPA,.PPS,.PPT,.PRC,.PWZ,.QLB,.QPW,.REG,.RTF,.SBF,.SCR,.SCT,.SH,.SHB,.SHS,.SHT,.SHTML,.SHW,.SIS,.SMM,.SWF,.SYS,.TD0,.TLB,.TSK,.TSP,.TT6,.VBA,.VBE,.VBS,.VBX,.VOM,.VSD,.VSS,.VST,.VWP,.VXD,.VXE,.WBK,.WBT,.WIZ,.WK,.WML,.WPC,.WPD,.WSC,.WSF,.WSH,.XLS,.XML,.XTP</extensions>

    <include_files_with_no_extension>0</include_files_with_no_extension>

    </file_types>

    </scan_file_types>

    <exclusions>

    <file />

    <folder />

    <file_types>

    <extensions />

    </file_types>

    </exclusions>

    </real_time_protection>

    </antivirus>

    </forticlient_configuration>

    The following table provides the XML tags for RTP, as well as the descriptions and default values where applicable.

    XML tag

    Description

    Default value

    <enabled>

    Enable RTP.

    Boolean value: [0 | 1]

    1

    <use_extreme_db>

    Use extreme database.

    Boolean value: [0 | 1]

    <when>

    File I/O activities that result in a scan. Configure one of the following:

    • 0: scan files when processes read or write them and enable scanning network files.
    • 1: scan files when processes read them and disable scanning network files.
    • 2: scan files when processes write them and disable scanning network files.
    • 3: scan files when processes read or write them and disable scanning network files.
    • 4: scan files when processes read them and enable scanning network files.
    • 5: scan files when processes write them and enable scanning network files.

    0

    <ignore_system_when>

    Configure one of the following:

    • 0: scan files when system processes read or write them.
    • 1: scan files when system processes read them.
    • 2: scan files when system processes write them.
    • 3: do not scan files when system processes read or write them.

    2

    <on_virus_found>

    Configure the action FortiClient performs if it finds a virus:

    • 1: ignore infected files.
    • 4: quarantine infected files. You can use FortiClient to view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.
    • 5: deny access to infected files.

    5

    <popup_alerts>

    If enabled, displays the Virus Alert dialog when a virus is detected while attempting to download a file via a web browser. The dialog allows you to view recently detected viruses, their locations, and statuses.

    Boolean value: [0 | 1]

    1

    <popup_registry_alerts>

    Enable popup registry alerts. This feature displays alerts if a process tries to change registry start items.

    Boolean value: [0 | 1]

    0

    <amsi_enabled>

    Enable Microsoft Anti-Malware Interface Scan (AMSI). This feature is only available for Windows 10 endpoints. AMSI scans memory for the following malicious behavior:

    • User Account Control (elevation of EXE, COM, MSI, or ActiveX installation)
    • PowerShell (scripts, interactive use, and dynamic code evaluation)
    • Windows Script Host (wscript.exe and script.exe)
    • JavaScript and VBScript
    • Office VBA macros

    Boolean value: [0 | 1]

    0

    <compressed_files> elements

    <scan>

    Scan archive files, including zip, rar, and tar files, for threats.

    Boolean value: [0 | 1]

    1

    <maxsize>

    Only scan files under the specified size in MB.

    A number up to 65535. 0 means no limit. For compressed files, FortiClient supports a maximum file size of 1 GB for antivirus scanning. For a compressed file with a size larger than 1 GB, FortiClient scans it after decompression.

    2

    <riskware> element

    <enabled>

    Scan for riskware. Riskware refers to legitimate programs which, when installed and executed, presents a possible but not definite risk to the computer.

    Boolean value: [0 | 1]

    1

    <adware> element

    <enabled>

    Scan for adware. Adware is a form of software that downloads or displays unwanted ads when a user is online.

    Boolean value: [0 | 1]

    1

    <heuristic_scanning> elements

    The new FortiClient AV engine incorporates a smarter signature-less machine learning (ML)-based advanced threat detection. The antimalware solution includes ML models static and dynamic analysis of threats.

    <level>

    This setting applies to real-time and on-demand scans. Enter one of the following:

    • 0: normal
    • 1: advanced heuristics on highly infected systems
    • 2: Minos engine heuristics on highly infected systems
    • 3: both advanced heuristics on highly infected systems and engine heuristics
    • 4: both, without waiting to determine if system is highly infected

    <action>

    The action FortiClient performs if it finds a virus. Enter one of the following:

    • 0: detect and notify only (with log entries, no other action)
    • 2: quarantine the file

    <scan_file_types> element

    <all_files>

    Enabled scanning of all file types. If enabled, ignore the <file_types> element.

    Boolean value: [0 | 1]

    1

    <scan_file_types><file_types> elements

    <extensions>

    Comma separated list of extensions to scan.

    <include_files_with_no_extension>

    Determines whether to scan files with no extension.

    Boolean value: [0 | 1]

    0

    <exclusions> elements

    FortiClient supports using wildcards and path variables to specify files and folders to exclude from scanning. FortiClient supports the following wildcards and variables, among others:

    • Using wildcards to exclude a range of file names with a specified extension, such as Edb*.jrs
    • Using wildcards to exclude all files with a specified extension, such as *.jrs
    • Path variable %allusersprofile%
    • Path variable %appdata%
    • Path variable %localappdata%
    • Path variable %systemroot%
    • Path variable %systemdrive%
    • Path variable %userprofile%
    • Path variable %windir%

    FortiClient does not support combinations of wildcards and variables.

    <file>

    Full path to a file to exclude from RTP scanning. Element may be repeated to list more files.

    <folder>

    Full path to a directory to exclude from RTP scanning. Element may be repeated to list more directories. Shadow Copy format is supported, for example, <folder>\Device\HarddiskVolumeShadowCopy*</folder>. Shadow Copy is also known as Volume Snapshot Service, Volume Shadow Copy Service, or VSS. Wildcards are not accepted.

    <exclusions> <file_types> element

    <extensions>

    Comma separated list of extensions to exclude from RTP scanning.

    <sandboxing> element

    <enabled>

    Enable FortiSandbox configuration.

    Boolean value: [0 | 1]

    <sandbox_address>

    Specify the IP address for FortiSandbox.

    <timeout>

    Specify how long to wait in seconds for FortiSandbox results before allowing file access. When set to 0 seconds, file access is granted without waiting for FortiSandbox results.

    Range: 0-4294967295 in seconds

    <use_sandbox_signatures>

    Enable using FortiSandbox signatures.

    Boolean value: [0 | 1]

    <check_for_signatures_every>

    Specify how often to check for FortiSandbox signatures when <use_sandbox_signatures> is set to 1.

    Boolean value: [0 | 1]

    <action_on_error>

    Specify whether to block traffic when FortiSandbox finds errors. When this setting is 0, traffic is passed. When this setting is 1, traffic is blocked.

    Boolean value: [0 | 1]

    0

    <scan_usb>

    Enable sending files from USB drives to FortiSandbox for scanning. When this setting is 0, files are not scanned. When this setting is 1, files are scanned.

    Boolean value: [0 | 1]

    0

    <scan_mapped_drives>

    Enable sending files from mapped drives to FortiSandbox for scanning. When this setting is 0, files are not scanned. When this setting is 1, files are scanned.

    Boolean value: [0 | 1]

    0
    Previous
    Next