Malware Protection
The Malware Protection tab contains options for configuring AV, anti-ransomware, anti-exploit, cloud-based malware detection, removable media access, exclusions list, and other options. Some options only display if you enable Advanced view.
Only features that FortiClient EMS is licensed for are available for configuration. See Windows, macOS, and Linux licenses for details on which features each license type includes.
Toggle the eye icon to show or hide this feature from the end user in FortiClient.
Configure the following options:
- AntiVirus Protection
- Anti-Ransomware
- Anti-Exploit
- Cloud Based Malware Detection
- Removable Media Access
- Exclusions
- Other
AntiVirus Protection
Enable AV protection. FortiClient's AV component scans up to twelve levels of nested compressed files.
Anti-Ransomware
Enable anti-ransomware to protect specific files, folders, or file types on your endpoints from unauthorized changes. After detecting ransomware behavior on the endpoint, FortiClient restores files that were encrypted by the detected ransomware. FortiClient automatically updates anti-ransomware signatures and engines as they become available from FortiGuard Distribution Servers.
The anti-ransomware feature is not supported on FortiClient (macOS).

| Options | Description |
|---|---|
| Protected Folders | Select the desired folders from the list, or click Add Folder to add a custom directory. FortiClient anti-ransomware protects all content in the selected folders against unauthorized changes. To remove a folder, select it, then click Remove Folder. This field supports path variables. |
| Protected File Types | Enter the file types to protect from suspicious activity, separated by commas. Do not include the leading dot. For example, to include text files, enter txt rather than .txt. |
| Action | Select the action to take when anti-ransomware detects suspicious activity: |
| Action Timeout | Enter the desired timeout value. |
| Bypass Valid Signer | Enable FortiClient to exclude a process from the selected anti-ransomware action if it has a valid signer. FortiClient considers a file as having a valid signer if it is digitally signed with a valid certificate issued by a trusted certificate authority (CA). Enabling this feature may reduce false positives and speed up file analysis. |
| Enable File Backup | Enable FortiClient to restore files encrypted by the detected ransomware after it detects ransomware behavior on the endpoint. |
| Backup Interval | Enter the desired backup interval in hours. FortiClient backs up files in protected folders whose last modification is older than the backup interval. Backups occur only when files are modified. |
| Backup File Size Limit | Enter the size limit in MB for ransomware-encrypted files that FortiClient backs up. The limit refers to the original file size, not the size after encryption. |
| | Enter the desired backup disk quota as a percentage of free disk space. |
Anti-Exploit
Enable the anti-exploit engine to detect suspicious processes (payloads) launched from legitimate applications. Real-Time Protection must be enabled for the Anti-Exploit feature to function.
Cloud-Based Malware Detection
Enable cloud-based malware outbreak detection. The cloud-based malware protection feature helps protect endpoints from high-risk file types from external sources, such as the Internet or network drives, by querying FortiGuard to determine whether files are malicious. The process for cloud-based malware protection is as follows:
- A high-risk file is downloaded or executed on the endpoint.
- FortiClient generates a SHA1 checksum for the file.
- FortiClient sends the checksum to FortiGuard, which checks it against the FortiGuard checksum library.
- If the checksum is found in the library, FortiGuard informs FortiClient that the file is malware. By default, FortiClient quarantines the file.
This feature only submits high-risk file types, such as .exe, .doc, .pdf, and .dll, to FortiGuard. The list of high-risk file types is the same as the list of file types submitted to Sandbox by default.
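The following added example (not FortiClient code) models the decision flow described above together with the Server and Remediation Actions settings: only high-risk types are hashed and submitted, a verdict that does not arrive before the timeout counts as "no cloudscan result", and the Quarantine or Alert & Notify action applies only when the checksum is found. The checksum library, the lookup latency and the sample bytes are constructed stand-ins, and the four extensions are only the ones named on this page.

```python
import hashlib
from typing import Optional

# Added example (not FortiClient code): models the cloud-scan decision flow.
# The checksum library, lookup latency and verdicts are constructed stand-ins;
# the real default list of high-risk types is longer than the four named here.

HIGH_RISK_EXTENSIONS = {".exe", ".doc", ".pdf", ".dll"}   # types named on the page


def sha1_checksum(data: bytes) -> str:
    """SHA1 hex digest of the file content, the value FortiClient submits."""
    return hashlib.sha1(data).hexdigest()


# Constructed stand-in for the FortiGuard checksum library: one known-bad hash.
MALICIOUS_SAMPLE = b"constructed malicious sample bytes"
CHECKSUM_LIBRARY = {sha1_checksum(MALICIOUS_SAMPLE)}


def is_high_risk(filename: str) -> bool:
    """Only high-risk file types are submitted; other files are left to local AV."""
    return filename.lower().endswith(tuple(HIGH_RISK_EXTENSIONS))


def cloud_lookup(checksum: str, latency_s: float, timeout_s: float) -> Optional[bool]:
    """Simulated FortiGuard query. Returns True (malicious), False (clean), or
    None when no result arrives before the configured timeout, for example
    because FortiGuard is unreachable."""
    if latency_s > timeout_s:
        return None
    return checksum in CHECKSUM_LIBRARY


def decide(filename: str, data: bytes, *, action: str = "Quarantine",
           timeout_s: float = 5.0, deny_without_result: bool = True,
           latency_s: float = 0.2) -> str:
    """Outcome for one downloaded or executed file:
    'allow', 'deny', 'quarantine' or 'alert'."""
    if not is_high_risk(filename):
        return "allow"
    verdict = cloud_lookup(sha1_checksum(data), latency_s, timeout_s)
    if verdict is None:
        # "Deny Access to File When There is No Cloudscan Result"
        return "deny" if deny_without_result else "allow"
    if verdict:
        # "Remediation Actions > Action": Quarantine or Alert & Notify
        return "quarantine" if action == "Quarantine" else "alert"
    return "allow"


if __name__ == "__main__":
    print(decide("report.pdf", MALICIOUS_SAMPLE))                     # quarantine
    print(decide("tool.exe", b"benign", latency_s=10, timeout_s=5))  # deny
```

The `deny_without_result` flag is the trade-off an administrator makes with Deny Access to File When There is No Cloudscan Result: with it on, an outage of the FortiGuard lookup blocks every high-risk download until the scan can complete; with it off, those files fall back to local AV alone.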
| Options | Description |
|---|---|
| Server | |
| Wait for Cloudscan Results before Allowing File Access | Make the endpoint user wait for cloud scanning results before being allowed access to files. Set the timeout in seconds. |
| Deny Access to File When There is No Cloudscan Result | Deny access to downloaded files if there is no cloud scan result. This can happen if FortiClient EMS cannot reach FortiGuard. |
| File Submission Options | |
| All Files Executed from Removable Media | Submit all files executed from removable media, such as USB drives, to FortiSandbox for analysis. |
| All Files Executed from Mapped Network Drives | Submit all files executed from mapped network drives. |
| All Web Downloads | Submit all web downloads. |
| All Email Downloads | Submit all email downloads. |
| Exclude Files from Trusted Sources | Exclude files signed by trusted sources from cloud-based malware protection submission. FortiClient considers a file as from a trusted source if it is digitally signed with a valid certificate issued by a trusted CA. Enabling this feature may reduce false positives and speed up file analysis. |
| Remediation Actions | |
| Action | Choose Quarantine or Alert & Notify for malicious files. Whether the user can access the file depends on the Wait for Cloudscan Results before Allowing File Access and Deny Access to File When There Is No Cloudscan Result settings. Whether FortiClient quarantines the file depends on whether FortiGuard reports it as malicious. |
Removable Media Access
Control access to removable media devices, such as USB drives. You can configure rules to allow or block specific removable devices.
FortiClient (macOS) and FortiClient (Linux) only support the action configured for Default removable media access. They do not support other removable media access rules received from EMS.
For the class, manufacturer, vendor ID, product ID, and revision, you can find the values for a device in one of the following ways:
- Microsoft Windows Device Manager: select the device and view its properties.
- USBDeview
| Options | Description |
|---|---|
| Show bubble notifications | Display a bubble notification when FortiClient takes action on a removable media device. |
| Action | Configure the action to take with removable media devices connected to the endpoint that match this rule. Available options are: |
| Description | Enter the desired rule description. |
| Type | Select Simple or Regular Expression as the rule type. With Simple, FortiClient performs case-insensitive matching against classes, manufacturers, vendor IDs, product IDs, and revisions. With Regular Expression, FortiClient uses Perl Compatible Regular Expressions (PCRE) to match against the same fields. |
| Class | Enter the device class. |
| Manufacturer | Enter the device manufacturer. |
| Vendor ID | Enter the device vendor ID. |
| Product ID | Enter the device product ID. |
| Revision | Enter the device revision number. |
| Remove this rule | Remove this rule from the profile. |
| Add a new rule | Add a new removable media access rule. |
| Move this rule up/down | Move this rule up or down. If a connected device matches multiple rules, FortiClient applies the highest rule in the list to the device. |
| Default removable media access | Configure the action to take with removable media devices that do not match any configured rules. Available options are: |
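The following added example (not FortiClient or EMS code) evaluates an ordered list of removable media rules as the table describes: Simple rules compare each field case-insensitively, Regular Expression rules match the field with a regex, the highest matching rule in the list decides, and Default removable media access applies when nothing matches. It assumes Python's `re` module as a stand-in for PCRE, that a regex must match the whole field value, that an empty rule field places no constraint, and that the action labels are "Allow" and "Block"; the device values and the policy are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Added example (not FortiClient code): ordered removable media rule matching.
# Assumptions: Python re stands in for PCRE, a regex must match the whole field,
# an empty rule field is unconstrained, action labels are "Allow"/"Block".

FIELDS = ("device_class", "manufacturer", "vendor_id", "product_id", "revision")


@dataclass
class Device:
    device_class: str
    manufacturer: str
    vendor_id: str
    product_id: str
    revision: str


@dataclass
class Rule:
    description: str
    action: str                  # "Allow" or "Block" (assumed labels)
    rule_type: str               # "Simple" or "Regular Expression"
    device_class: str = ""
    manufacturer: str = ""
    vendor_id: str = ""
    product_id: str = ""
    revision: str = ""

    def matches(self, device: Device) -> bool:
        for field in FIELDS:
            criterion = getattr(self, field)
            if not criterion:
                continue                                  # field not set: no constraint
            value = getattr(device, field)
            if self.rule_type == "Simple":
                if criterion.lower() != value.lower():    # case-insensitive comparison
                    return False
            elif re.fullmatch(criterion, value) is None:  # regular expression rule
                return False
        return True


def evaluate(rules: List[Rule], device: Device, default_action: str) -> Tuple[str, str]:
    """First matching rule wins (the highest in the list); otherwise the
    Default removable media access action applies."""
    for rule in rules:
        if rule.matches(device):
            return rule.action, rule.description
    return default_action, "Default removable media access"


# Constructed sample policy and devices (values are not real hardware IDs).
POLICY = [
    Rule("Corporate USB keys", "Allow", "Simple", vendor_id="abcd", product_id="5678"),
    Rule("Block other USB storage", "Block", "Regular Expression",
         device_class=r"(?i)(usb|mass storage)"),
]
CORPORATE_KEY = Device("USB", "Constructed Corp", "ABCD", "5678", "1.00")
UNKNOWN_KEY = Device("USB", "Other Corp", "FFFF", "0001", "2.00")
KEYBOARD = Device("HIDClass", "Other Corp", "1111", "2222", "1")

if __name__ == "__main__":
    for dev in (CORPORATE_KEY, UNKNOWN_KEY, KEYBOARD):
        print(dev.vendor_id, dev.product_id, evaluate(POLICY, dev, "Allow"))
```

Reversing the two rules in `POLICY` makes the corporate key fall into the Block rule first, which is why the Move this rule up/down control matters: an allow rule for approved devices has to sit above any broad block rule.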
Exclusions
Enable exclusions from AV scanning. FortiClient EMS supports using wildcards and path variables to specify files and folders to exclude from scanning. EMS supports the following wildcards and variables:
- Using wildcards to exclude a range of file names with a specified extension, such as Edb*.jrs
- Using wildcards to exclude all files with a specified extension, such as *.jrs
- Path variable %allusersprofile%
- Path variable %appdata%
- Path variable %localappdata%
- Path variable %systemroot%
- Path variable %systemdrive%
- Path variable %userprofile%
- Path variable %windir%
Combinations of wildcards and variables are supported.
A longer exclusion list reduces AV performance, so keep the exclusion list as short as possible.
Exclusion lists are case-sensitive.
When excluding a network share, you can enter the path using a drive letter (Z:\folder\) or the UNC path (\\172.17.60.193\fileserver\folder).

| Options | Description |
|---|---|
| Paths to Excluded Folders | Enter fully qualified folder paths in the text box to exclude these folders from real-time protection (RTP) and on-demand scanning. |
| Paths to Excluded Files | Enter fully qualified file paths in the text box to exclude these files from RTP and on-demand scanning. |
| File Extensions Excluded from Real-Time Protection | RTP skips scanning files with the specified extensions. |
| File Extensions Excluded from On Demand Scanning | On-demand AV scanning skips files with the specified extensions. |
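The following added example (not FortiClient EMS code) shows how the wildcard and path variable syntax described above resolves against concrete file paths for the three exclusion kinds in the table, including the case-sensitivity note and the UNC share path from this page. It assumes constructed variable values for one endpoint, that variable names are matched exactly as listed, that a folder exclusion covers everything beneath the folder, and that `*` and `?` do not cross a `\` separator.

```python
import re
from typing import Iterable, Optional

# Added example (not FortiClient EMS code): resolves exclusion entries against
# file paths. Assumptions: variable values below are constructed for one
# endpoint, variable names match exactly as listed on the page, a folder
# exclusion covers everything beneath it, and "*"/"?" do not cross "\".

ENV = {
    "%systemdrive%": "C:",
    "%systemroot%": r"C:\Windows",
    "%windir%": r"C:\Windows",
    "%allusersprofile%": r"C:\ProgramData",
    "%userprofile%": r"C:\Users\alice",
    "%appdata%": r"C:\Users\alice\AppData\Roaming",
    "%localappdata%": r"C:\Users\alice\AppData\Local",
}


def expand(pattern: str) -> str:
    """Replace the supported path variables with their endpoint values."""
    for name, value in ENV.items():
        pattern = pattern.replace(name, value)
    return pattern


def glob_pattern(glob: str) -> str:
    """Translate a wildcard entry into a case-sensitive regex string."""
    out = []
    for ch in glob:
        if ch == "*":
            out.append(r"[^\\]*")      # any run of characters within one path component
        elif ch == "?":
            out.append(r"[^\\]")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def is_excluded(path: str, folders: Iterable[str] = (), files: Iterable[str] = (),
                extensions: Iterable[str] = ()) -> Optional[str]:
    """Return which exclusion kind matched ('folder', 'file', 'extension') or
    None. Matching is case-sensitive, as the exclusion list is."""
    for folder in folders:
        rx = glob_pattern(expand(folder).rstrip("\\")) + r"\\.+"   # folder and contents
        if re.fullmatch(rx, path):
            return "folder"
    for file_glob in files:
        if re.fullmatch(glob_pattern(expand(file_glob)), path):
            return "file"
    name = path.rsplit("\\", 1)[-1]
    wanted = {e.lstrip(".") for e in extensions}                    # accept "jrs" or ".jrs"
    if "." in name and name.rsplit(".", 1)[-1] in wanted:
        return "extension"
    return None


if __name__ == "__main__":
    log_glob = r"%systemroot%\Logs\Edb*.jrs"
    print(is_excluded(r"C:\Windows\Logs\Edb00001.jrs", files=[log_glob]))   # file
    print(is_excluded(r"C:\windows\Logs\Edb00001.jrs", files=[log_glob]))   # None
```

The second call in the usage block is the practical consequence of the case-sensitivity note: an entry written with a different letter case than the path the scanner sees does not exclude anything, so entries are best copied from the endpoint rather than typed from memory.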