Fortinet white logo
Fortinet white logo

EMS Administration Guide

Malware Protection

Malware Protection

The Malware Protection tab contains options for configuring antivirus (AV), antiransomware, antiexploit, cloud-based malware detection, removable media access, exclusions list, and other options. Some options only display if you enable Advanced view.

Only features that FortiClient EMS is licensed for are available for configuration. See Windows, macOS, and Linux licenses for details on which features each license type includes.

Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

Configure the following options:

AntiVirus Protection

Enable AV protection. FortiClient's AV component supports twelve levels of nested compressed files for scanning.

Options

Description

General

These settings apply to all AV protection.

Delete Malware Files After

Enter the number of days after which to delete malware files from the client.

Identify Malware and Exploits Using Signatures Received From FortiSandbox

Enable to allow FortiClient to use signatures from FortiSandbox to identify malware and exploits for real-time protection (RTP) and on-demand scanning. This option is available only if the Sandbox Detection tab is enabled.

Update Sandbox Signatures Every

Enter the number of minutes after which to update signatures.

Real-Time Protection

Enable RTP.

Action On Virus Discovery

  • Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard.
  • Deny Access to Infected Files
  • Ignore Infected Files

Alert When Viruses Are Detected

Displays the Virus Alert dialog when RTP detects a virus while attempting to download a file via a web browser. The dialog allows you to view recently detected viruses, their locations, and statuses.

Scan Compressed Files

Scan archive files, including zip, rar, and tar files, for threats. RTP exclusions list default file extensions.

Max Size

Only scan files under the specified size. To allow scanning compressed files of any size, enter 0. For compressed files, FortiClient supports a maximum file size of 1 GB for AV scanning. For a compressed file with a size larger than 1 GB, FortiClient scans it after decompression.

Scan Files Accessed by User Process

Configure when RTP should scan files that a user-initiated process accesses. Select one of the following:

  • Scan Files When Processes Read or Write Them
  • Scan Files When Processes Read Them
  • Scan Files When Processes Write Them

Scan Network Files

Scan network files for threats when a user-initiated process accesses them.

System Process Scanning

Enable system process scanning. Select one of the following:

  • Scan Files When System Processes Read or Write Them
  • Scan Files When System Processes Read Them
  • Scan Files When System Processes Write Them
  • Do Not Scan Files When System Processes Read or Write Them

Enable Windows Antimalware Scan Interface

Enable Microsoft Anti-Malware Interface Scan (AMSI). This feature is only available for Windows 10 endpoints. AMSI scans memory for the following malicious behavior:

  • User Account Control (elevation of EXE, COM, MSI, or ActiveX installation)
  • PowerShell (scripts, interactive use, and dynamic code evaluation)
  • Windows Script Host (wscript.exe and script.exe)
  • JavaScript and VBScript
  • Office VBA macros

Enable Machine Learning Analysis

Enable or disable machine learning (ML). This feature uses the new FortiClient AV engine, which incorporates smarter signature-less ML-based advanced threat detection. The antimalware solution includes ML models static and dynamic analysis of threats.

From the Action On Virus Discovery With Machine Learning Analysis dropdown list, select one of the following:

  • Log detection and warn the User: detect the sample, display a warning message, and log the activity.
  • Quarantine Infected Files: quarantine infected files. You can view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.

On Demand Scanning

Action On Virus Discovery

Select one of the following from the dropdown list:

  • Warn the User If a Process Attempts to Access Infected Files
  • Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard.
  • Ignore Infected Files

Integrate FortiClient into Windows Explorer's Context Menu

Adds a Scan with FortiClient AntiVirus option to the Windows Explorer right-click menu.

Hide AV Scan from Windows Explorer's Context Menu

Hide AV scan option from Windows Explorer's context menu.

Hide AV Analyse from Windows Explorer's Context Menu

Hide option to submit file for AV analysis from Windows Explorer's context menu.

Pause Scanning When Running on Battery Power

Pause scanning when the computer is running on battery power.

Allow Admin Users to Terminate Scheduled and On-Demand Scans from FortiClient Console

Control whether the local administrator can stop a scheduled or on-demand AV scan initiated by the EMS administrator. A user who is not a local administrator cannot stop a scheduled or on-demand AV scan regardless of this setting.

Automatically Submit Suspicious Files to FortiGuard for Analysis.

Automatically submit suspicious files to FortiGuard for analysis. You do not receive feedback for files submitted for analysis. The FortiGuard team can create signatures for any files that are submitted for analysis and determined to be malicious.

Scan Compressed Files

Scan archive files, including zip, rar, and tar files, for threats.

Max Size

Only scan files under the specified size (in MB). To allow scanning compressed files of any size, enter 0. For compressed files, FortiClient supports a maximum file size of 1 GB for AV scanning. For a compressed file with a size larger than 1 GB, FortiClient scans it after decompression.

Max Scan Speed on Computers With

Select the minimum amount of memory that must be installed on a computer to maximize scan speed. AV maximizes scan speed by loading signatures on computers with a minimum amount of memory:

  • 4 GB
  • 6 GB
  • 8 GB
  • 12 GB
  • 16 GB

Enable Machine Learning Analysis

Enable or disable machine learning (ML). This feature uses the new FortiClient AV engine, which incorporates smarter signature-less ML-based advanced threat detection. The antimalware solution includes ML models static and dynamic analysis of threats.

From the Action On Virus Discovery With Machine Learning Analysis dropdown list, select one of the following:

  • Log detection and warn the User: detect the sample, display a warning message, and log the activity.
  • Quarantine Infected Files: quarantine infected files. You can view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.

Scheduled Scan

Enable scheduled scans.

Schedule Type

Select Daily, Weekly, or Monthly.

Scan On

If Weekly is selected, select the day of the week to perform the scan. If Monthly is selected, select the day of the month to perform the scan. If you configure monthly scans to occur on the 31st of each month, the scan occurs on the first day of the month for months with fewer than 31 days.

Start At

Configure the start time for the scheduled scan.

Scan Type

Select one of the following:

  • Quick: Runs the rootkit detection engine to detect and remove rootkits. The quick scan only scans executable files, DLLs, and drivers that are currently running for threats.
  • Full: Runs the rootkit detection engine to detect and remove rootkits, then performs a full system scan of all files, executable files, DLLs, and drivers.
  • Custom: Runs the rootkit detection engine to detect and remove rootkits. In the Scan Folder field, enter the full path of the folder on your local hard disk drive to scan.

Scan Priority

Set to Low, Normal, or High. This refers to the amount of processing power that the scan uses and its impact on other processes.

Scan Removable Media

Scan connected removable media, such as USB drives, for threats, if present.

Scan Network Drives

Scan attached or mounted network drives for threats.

Enable Scheduled Scans Even When a Third-Party AV Product Is Present

Enable scheduled scans even when a third party AV product is present.

Anti-Ransomware

Enable anti-ransomware to protect specific files, folders, or file types on your endpoints from unauthorized changes. FortiClient automatically updates antiransomware signatures and engines as available from FortiGuard Distribution Servers.

Options

Description

Protected Folders

Select the desired folders from the list, or click Add Folder to add a custom directory. FortiClient anti-ransomware protects all content in the selected folders against unauthorized changes. To remove a folder, select it then click the Remove Folder button. This field supports path variables.

Protected File Types

Enter the desired file types to protect from suspicious activity, separating each file type with a comma. Do not include the leading dot when entering a file type. For example, to include text files, you would enter txt, as opposed to .txt.

Action

Select the desired action for when anti-ransomware detects suspicious activity:

  • Terminate ransomware behavior with Anti-Ransomware detection: FortiClient terminates the suspicious processes, which can include child processes, depending on the ransomware, and quarantines the files that the detected ransomware modified. If Enable File Backup is enabled, FortiClient backups files from the protected locations and recovers the files from the backup folder to the protected locations. If Enable File Backup is disabled, FortiClient cannot recover the files. You can allowlist the quarantined files if you need to access them. See Allowlisting quarantined files.
  • Wait for user response with Anti-Ransomware detection: suspend the processes and display a popup asking the user if they want to terminate the process:
    • If the user selects Yes, FortiClient terminates the process as described for Terminate ransomware behavior with Terminate ransomware behavior with Anti-Ransomware detection.
    • If the user selects No, FortiClient resumes the processes unless the process is already exited by the time of detection.
    • If the user does not select an option, FortiClient waits for the configured Action Timeout, then terminates the process as described for Terminate ransomware behavior with Terminate ransomware behavior with Anti-Ransomware detection.
  • Monitor only with Anti-Ransomware detection: log when anti-ransomware detects suspicious activity.

Action Timeout

Enter the desired timeout value.

Bypass Valid Signer

Enable FortiClient to exclude a process from the selected antiransomware action if it has a valid signer. FortiClient considers the file as having a valid signer if it is digitally signed with a valid certificate issued by a trusted certificate authority (CA). Enabling this feature may reduce false positives and speed up file analyses.

Enable File Backup

Enable FortiClient to restore files that the detected ransomware encrypted after detecting ransomware behavior on the endpoint.

Backup Interval

Enter the desired backup interval value in hours. FortiClient backs up files in protected folders that were last modified at a time that is longer ago than the backup interval value. The backup only occurs when the files are modified.

Backup File Size Limit

Enter the desired size limit in MB for ransomware-encrypted files for FortiClient to back up. The size limit refers to the original file size, not the size limit after encryption.

Free Disk Quota

Enter the desired backup disk quota value as a percentage of free disk space.

Anti-Exploit

Enable anti-exploit engine to detect suspicious processes (payload) running from legitimate applications. You must enable Real-Time Protection for the Anti-Exploit feature to function.

Cloud-Based Malware Detection

Enable cloud-based malware outbreak detection. The cloud-based malware protection feature helps protect endpoints from high risk file types from external sources such as the Internet or network drives by querying FortiGuard to determine whether files are malicious. The following describes the process for cloud-based malware protection:

  1. A high risk file is downloaded or executed on the endpoint.
  2. FortiClient generates a SHA1 checksum for the file.
  3. FortiClient sends the checksum to FortiGuard to determine if it is malicious against the FortiGuard checksum library.
  4. If the checksum is found in the library, FortiGuard communicates to FortiClient that the file is deemed malware. By default, FortiClient quarantines the file.

This feature only submits high risk file types such as .exe, .doc, .pdf, and .dll to FortiGuard. The list of high risk file types is the same as the list of file types submitted to Sandbox by default.

Options

Description

Server
Wait for Cloudscan Results before Allowing File Access

Have the endpoint user wait for cloud scanning results before being allowed access to files. Set the timeout in seconds.

Deny Access to File When There is No Cloudscan Result

Deny access to downloaded files if there is no cloud scan result. This may happen if FortiClient EMS cannot reach FortiGuard.

File Submission Options
All Files Executed from Removable Media

Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.

All Files Executed from Mapped Network Drives

Submit all files executed from mapped network drives.

All Web Downloads

Submit all web downloads.

All Email Downloads

Submit all email downloads.

Exclude Files from Trusted Sources Exclude files signed by trusted sources from cloud-based malware protection submission. FortiClient considers the file as from a trusted source if it is digitally signed with a valid certificate issued by a trusted CA. Enabling this feature may reduce false positives and speed up file analyses.
Remediation Actions
Action

Choose Quarantine or Alert & Notify for malicious files. The user can access the file depending on Wait for Cloudscan Results before Allowing File Access and Deny Access to File When There Is No Cloudscan Result configuration. Whether FortiClient quarantines the file depends on if FortiGuard reports the file as malicious.

Removable Media Access

Control access to removable media devices, such as USB drives. You can configure rules to allow or block specific removable devices.

FortiClient (macOS) and (Linux) only support the action configured for Default removable media access. FortiClient (macOS) and (Linux) do not support other removable media access rules received from EMS.

For the class, manufacturer, vendor ID, product ID, and revision, you can find the desired values for the device in one of the following ways:

  • Microsoft Windows Device Manager: select the device and view its properties.
  • USBDeview

Options

Description

Show bubble notifications

Display a bubble notification when FortiClient takes action with a removable media device.

Action

Configure the action to take with removable media devices connected to the endpoint that match this rule. Available options are:

  • Allow: Allow access to removable media devices connected to the endpoint that match this rule.
  • Block: Block access to removable media devices connected to the endpoint that match this rule.
  • Monitor: Log removable media device connections to the endpoint that match this rule.

Description

Enter the desired rule description.

Type

Select Simple or Regular Expression for the rule type.

When Simple is selected, FortiClient performs case-insensitive matching against classes, manufacturers, vendor IDs, product IDs, and revisions.

When Regular Expression is selected, FortiClient uses Perl Compatible Regular Expressions (PCRE) to perform matching against classes, manufacturers, vendor IDs, product IDs, and revisions.

Class

Enter the device class.

Manufacturer

Enter the device manufacturer.

Vendor ID

Enter the device vendor ID.

Product ID

Enter the device product ID.

Revision

Enter the device revision number.

Remove this rule

Remove this rule from the profile.

Add a new rule

Add a new removable media access rule.

Move this rule up/down

Move this rule up or down. If a connected device is eligible for multiple rules, FortiClient applies the highest rule to the device.

Default removable media access

Configure the action to take with removable media devices that do not match any configured rules. Available options are:

  • Allow: Allow access to removable media devices connected to the endpoint that do not match any configured rules.
  • Block: Block access to removable media devices connected to the endpoint that do not match any configured rules.
  • Monitor: Log removable media device connections to the endpoint that do not match any configured rules.

Exclusions

Enable exclusions from AV scanning. FortiClient EMS supports using wildcards and path variables to specify files and folders to exclude from scanning. EMS supports the following wildcards and variables:

  • Using wildcards to exclude a range of file names with a specified extension, such as Edb*.jrs
  • Using wildcards to exclude all files with a specified extension, such as *.jrs
  • Path variable %allusersprofile%
  • Path variable %appdata%
  • Path variable %localappdata%
  • Path variable %systemroot%
  • Path variable %systemdrive%
  • Path variable %userprofile%
  • Path variable %windir%

Combinations of wildcards and variables are supported.

Having a longer exclusion list affects AV performance. It is advised to keep the exclusion list as short as possible.

Note

Exclusion lists are case-sensitive.

Note

When excluding a network share, you may enter the path using drive letters (Z:\folder\) or the UNC path (\\172.17.60.193\fileserver\folder).

Options

Description

Paths to Excluded Folders

Enter fully qualified excluded folder paths in the provided text box to exclude these folders from RTP and on-demand scanning.

Paths to Excluded Files

Enter fully qualified excluded files in the provided text box to exclude these files from RTP and on-demand scanning.

File Extensions Excluded from Real-Time Protection

RTP skips scanning files with the specified extensions.

File Extensions Excluded from On Demand Scanning

On-demand AV protection skips scanning files with the specified extensions.

Other

Options

Description

Scan for Rootkits

Scan for files implementing advanced OS hooks used by malware to protect themselves from being shutdown, killed, or deleted. A rootkit is a collection of programs that enable administrator-level access to a computer or computer network. Typically a rootkit is installed on a computer after first obtaining user-level access by exploiting a known vulnerability or cracking a password.

Scan for Adware

Scan for adware. Adware is a form of software that downloads or displays unwanted ads when a user is online.

Scan for Riskware

Scan for riskware. Riskware refers to legitimate programs which, when installed and executed, presents a possible but not definite risk to the computer.

Enable Advanced Heuristics

Enable AV scan with heuristics signature. Advanced heuristics is a sequence of heuristics to detect complex malware.

Scan Removable Media on Insertion

Scan removable media on insertion. FortiClient scans the following media types on insertion:

  • Floppy drives
  • Thumb drives
  • Flash card reader
  • USB devices (BusTypeUsb)
  • External hard drives (BusType1394)

This feature does not scan the following on insertion:

  • Remote (network) drive
  • CD-ROM drive
  • RAM disk

Scan Email

Scan emails for threats with SMTP and POP3 protocols.

Scan MIME Files (Inbox Files)

Scan inbox email content with Multipurpose Internet Mail Extensions (MIME) file types.

MIME is an Internet standard that extends the format of the email to support the following:

  • Text in character sets other than ASCII
  • Non text attachments (audio, video, images, applications)
  • Message bodies with multiple parts

Enable FortiGuard Analytics

Automatically sends suspicious files to FortiGuard for analysis.

Notify Logged in Users if Their AV Signatures Expired

Notify logged in users if their AV signatures expired.

Related Videos

sidebar video

Using FortiClient to Protect against Ransomware

  • 1,660 views
  • 2 years ago

Malware Protection

Malware Protection

The Malware Protection tab contains options for configuring antivirus (AV), antiransomware, antiexploit, cloud-based malware detection, removable media access, exclusions list, and other options. Some options only display if you enable Advanced view.

Only features that FortiClient EMS is licensed for are available for configuration. See Windows, macOS, and Linux licenses for details on which features each license type includes.

Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

Configure the following options:

AntiVirus Protection

Enable AV protection. FortiClient's AV component supports twelve levels of nested compressed files for scanning.

Options

Description

General

These settings apply to all AV protection.

Delete Malware Files After

Enter the number of days after which to delete malware files from the client.

Identify Malware and Exploits Using Signatures Received From FortiSandbox

Enable to allow FortiClient to use signatures from FortiSandbox to identify malware and exploits for real-time protection (RTP) and on-demand scanning. This option is available only if the Sandbox Detection tab is enabled.

Update Sandbox Signatures Every

Enter the number of minutes after which to update signatures.

Real-Time Protection

Enable RTP.

Action On Virus Discovery

  • Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard.
  • Deny Access to Infected Files
  • Ignore Infected Files

Alert When Viruses Are Detected

Displays the Virus Alert dialog when RTP detects a virus while attempting to download a file via a web browser. The dialog allows you to view recently detected viruses, their locations, and statuses.

Scan Compressed Files

Scan archive files, including zip, rar, and tar files, for threats. RTP exclusions list default file extensions.

Max Size

Only scan files under the specified size. To allow scanning compressed files of any size, enter 0. For compressed files, FortiClient supports a maximum file size of 1 GB for AV scanning. For a compressed file with a size larger than 1 GB, FortiClient scans it after decompression.

Scan Files Accessed by User Process

Configure when RTP should scan files that a user-initiated process accesses. Select one of the following:

  • Scan Files When Processes Read or Write Them
  • Scan Files When Processes Read Them
  • Scan Files When Processes Write Them

Scan Network Files

Scan network files for threats when a user-initiated process accesses them.

System Process Scanning

Enable system process scanning. Select one of the following:

  • Scan Files When System Processes Read or Write Them
  • Scan Files When System Processes Read Them
  • Scan Files When System Processes Write Them
  • Do Not Scan Files When System Processes Read or Write Them

Enable Windows Antimalware Scan Interface

Enable Microsoft Anti-Malware Interface Scan (AMSI). This feature is only available for Windows 10 endpoints. AMSI scans memory for the following malicious behavior:

  • User Account Control (elevation of EXE, COM, MSI, or ActiveX installation)
  • PowerShell (scripts, interactive use, and dynamic code evaluation)
  • Windows Script Host (wscript.exe and script.exe)
  • JavaScript and VBScript
  • Office VBA macros

Enable Machine Learning Analysis

Enable or disable machine learning (ML). This feature uses the new FortiClient AV engine, which incorporates smarter signature-less ML-based advanced threat detection. The antimalware solution includes ML models static and dynamic analysis of threats.

From the Action On Virus Discovery With Machine Learning Analysis dropdown list, select one of the following:

  • Log detection and warn the User: detect the sample, display a warning message, and log the activity.
  • Quarantine Infected Files: quarantine infected files. You can view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.

On Demand Scanning

Action On Virus Discovery

Select one of the following from the dropdown list:

  • Warn the User If a Process Attempts to Access Infected Files
  • Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard.
  • Ignore Infected Files

Integrate FortiClient into Windows Explorer's Context Menu

Adds a Scan with FortiClient AntiVirus option to the Windows Explorer right-click menu.

Hide AV Scan from Windows Explorer's Context Menu

Hide AV scan option from Windows Explorer's context menu.

Hide AV Analyse from Windows Explorer's Context Menu

Hide option to submit file for AV analysis from Windows Explorer's context menu.

Pause Scanning When Running on Battery Power

Pause scanning when the computer is running on battery power.

Allow Admin Users to Terminate Scheduled and On-Demand Scans from FortiClient Console

Control whether the local administrator can stop a scheduled or on-demand AV scan initiated by the EMS administrator. A user who is not a local administrator cannot stop a scheduled or on-demand AV scan regardless of this setting.

Automatically Submit Suspicious Files to FortiGuard for Analysis.

Automatically submit suspicious files to FortiGuard for analysis. You do not receive feedback for files submitted for analysis. The FortiGuard team can create signatures for any files that are submitted for analysis and determined to be malicious.

Scan Compressed Files

Scan archive files, including zip, rar, and tar files, for threats.

Max Size

Only scan files under the specified size (in MB). To allow scanning compressed files of any size, enter 0. For compressed files, FortiClient supports a maximum file size of 1 GB for AV scanning. For a compressed file with a size larger than 1 GB, FortiClient scans it after decompression.

Max Scan Speed on Computers With

Select the minimum amount of memory that must be installed on a computer to maximize scan speed. AV maximizes scan speed by loading signatures on computers with a minimum amount of memory:

  • 4 GB
  • 6 GB
  • 8 GB
  • 12 GB
  • 16 GB

Enable Machine Learning Analysis

Enable or disable machine learning (ML). This feature uses the new FortiClient AV engine, which incorporates smarter signature-less ML-based advanced threat detection. The antimalware solution includes ML models static and dynamic analysis of threats.

From the Action On Virus Discovery With Machine Learning Analysis dropdown list, select one of the following:

  • Log detection and warn the User: detect the sample, display a warning message, and log the activity.
  • Quarantine Infected Files: quarantine infected files. You can view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.

Scheduled Scan

Enable scheduled scans.

Schedule Type

Select Daily, Weekly, or Monthly.

Scan On

If Weekly is selected, select the day of the week to perform the scan. If Monthly is selected, select the day of the month to perform the scan. If you configure monthly scans to occur on the 31st of each month, the scan occurs on the first day of the month for months with fewer than 31 days.

Start At

Configure the start time for the scheduled scan.

Scan Type

Select one of the following:

  • Quick: Runs the rootkit detection engine to detect and remove rootkits. The quick scan only scans executable files, DLLs, and drivers that are currently running for threats.
  • Full: Runs the rootkit detection engine to detect and remove rootkits, then performs a full system scan of all files, executable files, DLLs, and drivers.
  • Custom: Runs the rootkit detection engine to detect and remove rootkits. In the Scan Folder field, enter the full path of the folder on your local hard disk drive to scan.

Scan Priority

Set to Low, Normal, or High. This refers to the amount of processing power that the scan uses and its impact on other processes.

Scan Removable Media

Scan connected removable media, such as USB drives, for threats, if present.

Scan Network Drives

Scan attached or mounted network drives for threats.

Enable Scheduled Scans Even When a Third-Party AV Product Is Present

Enable scheduled scans even when a third party AV product is present.

Anti-Ransomware

Enable anti-ransomware to protect specific files, folders, or file types on your endpoints from unauthorized changes. FortiClient automatically updates antiransomware signatures and engines as available from FortiGuard Distribution Servers.

Options

Description

Protected Folders

Select the desired folders from the list, or click Add Folder to add a custom directory. FortiClient anti-ransomware protects all content in the selected folders against unauthorized changes. To remove a folder, select it then click the Remove Folder button. This field supports path variables.

Protected File Types

Enter the desired file types to protect from suspicious activity, separating each file type with a comma. Do not include the leading dot when entering a file type. For example, to include text files, you would enter txt, as opposed to .txt.

Action

Select the desired action for when anti-ransomware detects suspicious activity:

  • Terminate ransomware behavior with Anti-Ransomware detection: FortiClient terminates the suspicious processes, which can include child processes, depending on the ransomware, and quarantines the files that the detected ransomware modified. If Enable File Backup is enabled, FortiClient backups files from the protected locations and recovers the files from the backup folder to the protected locations. If Enable File Backup is disabled, FortiClient cannot recover the files. You can allowlist the quarantined files if you need to access them. See Allowlisting quarantined files.
  • Wait for user response with Anti-Ransomware detection: suspend the processes and display a popup asking the user if they want to terminate the process:
    • If the user selects Yes, FortiClient terminates the process as described for Terminate ransomware behavior with Terminate ransomware behavior with Anti-Ransomware detection.
    • If the user selects No, FortiClient resumes the processes unless the process is already exited by the time of detection.
    • If the user does not select an option, FortiClient waits for the configured Action Timeout, then terminates the process as described for Terminate ransomware behavior with Terminate ransomware behavior with Anti-Ransomware detection.
  • Monitor only with Anti-Ransomware detection: log when anti-ransomware detects suspicious activity.

Action Timeout

Enter the desired timeout value.

Bypass Valid Signer

Enable FortiClient to exclude a process from the selected antiransomware action if it has a valid signer. FortiClient considers the file as having a valid signer if it is digitally signed with a valid certificate issued by a trusted certificate authority (CA). Enabling this feature may reduce false positives and speed up file analyses.

Enable File Backup

Enable FortiClient to restore files that the detected ransomware encrypted after detecting ransomware behavior on the endpoint.

Backup Interval

Enter the desired backup interval value in hours. FortiClient backs up files in protected folders that were last modified at a time that is longer ago than the backup interval value. The backup only occurs when the files are modified.

Backup File Size Limit

Enter the desired size limit in MB for ransomware-encrypted files for FortiClient to back up. The size limit refers to the original file size, not the size limit after encryption.

Free Disk Quota

Enter the desired backup disk quota value as a percentage of free disk space.

Anti-Exploit

Enable anti-exploit engine to detect suspicious processes (payload) running from legitimate applications. You must enable Real-Time Protection for the Anti-Exploit feature to function.

Cloud-Based Malware Detection

Enable cloud-based malware outbreak detection. The cloud-based malware protection feature helps protect endpoints from high risk file types from external sources such as the Internet or network drives by querying FortiGuard to determine whether files are malicious. The following describes the process for cloud-based malware protection:

  1. A high risk file is downloaded or executed on the endpoint.
  2. FortiClient generates a SHA1 checksum for the file.
  3. FortiClient sends the checksum to FortiGuard to determine if it is malicious against the FortiGuard checksum library.
  4. If the checksum is found in the library, FortiGuard communicates to FortiClient that the file is deemed malware. By default, FortiClient quarantines the file.

This feature only submits high risk file types such as .exe, .doc, .pdf, and .dll to FortiGuard. The list of high risk file types is the same as the list of file types submitted to Sandbox by default.

Options

Description

Server
Wait for Cloudscan Results before Allowing File Access

Have the endpoint user wait for cloud scanning results before being allowed access to files. Set the timeout in seconds.

Deny Access to File When There is No Cloudscan Result

Deny access to downloaded files if there is no cloud scan result. This may happen if FortiClient EMS cannot reach FortiGuard.

File Submission Options
All Files Executed from Removable Media

Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.

All Files Executed from Mapped Network Drives

Submit all files executed from mapped network drives.

All Web Downloads

Submit all web downloads.

All Email Downloads

Submit all email downloads.

Exclude Files from Trusted Sources Exclude files signed by trusted sources from cloud-based malware protection submission. FortiClient considers the file as from a trusted source if it is digitally signed with a valid certificate issued by a trusted CA. Enabling this feature may reduce false positives and speed up file analyses.
Remediation Actions
Action

Choose Quarantine or Alert & Notify for malicious files. The user can access the file depending on Wait for Cloudscan Results before Allowing File Access and Deny Access to File When There Is No Cloudscan Result configuration. Whether FortiClient quarantines the file depends on if FortiGuard reports the file as malicious.

Removable Media Access

Control access to removable media devices, such as USB drives. You can configure rules to allow or block specific removable devices.

FortiClient (macOS) and (Linux) only support the action configured for Default removable media access. FortiClient (macOS) and (Linux) do not support other removable media access rules received from EMS.

For the class, manufacturer, vendor ID, product ID, and revision, you can find the desired values for the device in one of the following ways:

  • Microsoft Windows Device Manager: select the device and view its properties.
  • USBDeview

Options

Description

Show bubble notifications

Display a bubble notification when FortiClient takes action with a removable media device.

Action

Configure the action to take with removable media devices connected to the endpoint that match this rule. Available options are:

  • Allow: Allow access to removable media devices connected to the endpoint that match this rule.
  • Block: Block access to removable media devices connected to the endpoint that match this rule.
  • Monitor: Log removable media device connections to the endpoint that match this rule.

Description

Enter the desired rule description.

Type

Select Simple or Regular Expression for the rule type.

When Simple is selected, FortiClient performs case-insensitive matching against classes, manufacturers, vendor IDs, product IDs, and revisions.

When Regular Expression is selected, FortiClient uses Perl Compatible Regular Expressions (PCRE) to perform matching against classes, manufacturers, vendor IDs, product IDs, and revisions.

Class

Enter the device class.

Manufacturer

Enter the device manufacturer.

Vendor ID

Enter the device vendor ID.

Product ID

Enter the device product ID.

Revision

Enter the device revision number.

Remove this rule

Remove this rule from the profile.

Add a new rule

Add a new removable media access rule.

Move this rule up/down

Move this rule up or down. If a connected device is eligible for multiple rules, FortiClient applies the highest rule to the device.

Default removable media access

Configure the action to take with removable media devices that do not match any configured rules. Available options are:

  • Allow: Allow access to removable media devices connected to the endpoint that do not match any configured rules.
  • Block: Block access to removable media devices connected to the endpoint that do not match any configured rules.
  • Monitor: Log removable media device connections to the endpoint that do not match any configured rules.

Exclusions

Enable exclusions from AV scanning. FortiClient EMS supports using wildcards and path variables to specify files and folders to exclude from scanning. EMS supports the following wildcards and variables:

  • Using wildcards to exclude a range of file names with a specified extension, such as Edb*.jrs
  • Using wildcards to exclude all files with a specified extension, such as *.jrs
  • Path variable %allusersprofile%
  • Path variable %appdata%
  • Path variable %localappdata%
  • Path variable %systemroot%
  • Path variable %systemdrive%
  • Path variable %userprofile%
  • Path variable %windir%

Combinations of wildcards and variables are supported.

Having a longer exclusion list affects AV performance. It is advised to keep the exclusion list as short as possible.

Note

Exclusion lists are case-sensitive.

Note

When excluding a network share, you may enter the path using drive letters (Z:\folder\) or the UNC path (\\172.17.60.193\fileserver\folder).

Options

Description

Paths to Excluded Folders

Enter fully qualified excluded folder paths in the provided text box to exclude these folders from RTP and on-demand scanning.

Paths to Excluded Files

Enter fully qualified excluded files in the provided text box to exclude these files from RTP and on-demand scanning.

File Extensions Excluded from Real-Time Protection

RTP skips scanning files with the specified extensions.

File Extensions Excluded from On Demand Scanning

On-demand AV protection skips scanning files with the specified extensions.

Other

Options

Description

Scan for Rootkits

Scan for files implementing advanced OS hooks used by malware to protect themselves from being shutdown, killed, or deleted. A rootkit is a collection of programs that enable administrator-level access to a computer or computer network. Typically a rootkit is installed on a computer after first obtaining user-level access by exploiting a known vulnerability or cracking a password.

Scan for Adware

Scan for adware. Adware is a form of software that downloads or displays unwanted ads when a user is online.

Scan for Riskware

Scan for riskware. Riskware refers to legitimate programs which, when installed and executed, presents a possible but not definite risk to the computer.

Enable Advanced Heuristics

Enable AV scan with heuristics signature. Advanced heuristics is a sequence of heuristics to detect complex malware.

Scan Removable Media on Insertion

Scan removable media on insertion. FortiClient scans the following media types on insertion:

  • Floppy drives
  • Thumb drives
  • Flash card reader
  • USB devices (BusTypeUsb)
  • External hard drives (BusType1394)

This feature does not scan the following on insertion:

  • Remote (network) drive
  • CD-ROM drive
  • RAM disk

Scan Email

Scan emails for threats with SMTP and POP3 protocols.

Scan MIME Files (Inbox Files)

Scan inbox email content with Multipurpose Internet Mail Extensions (MIME) file types.

MIME is an Internet standard that extends the format of the email to support the following:

  • Text in character sets other than ASCII
  • Non text attachments (audio, video, images, applications)
  • Message bodies with multiple parts

Enable FortiGuard Analytics

Automatically sends suspicious files to FortiGuard for analysis.

Notify Logged in Users if Their AV Signatures Expired

Notify logged in users if their AV signatures expired.