Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • EMS Administration Guide

    Home FortiClient 6.2.1 EMS Administration Guide
    6.2.1
    7.4.1
    7.4.0
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.9
    6.4.8
    6.4.7
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.8
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    Malware Protection

    Malware Protection

    The Malware Protection tab contains options for configuring AV, anti-exploit, cloud-based malware detection, removable media access, exclusions list, and other options. Some options only display if you enable Advanced view.

    Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

    Configure the following options:

    AntiVirus Protection

    Enable AV protection.

    Options

    Description

    General

    These settings apply to all AV protection.

    Block Known Communication Channels Used by Attackers

    Enable Command and Control (C&C) detection using IP reputation database signatures. Check network traffic against known C&C IP address plus port number combinations.

    Block Access to Malicious Websites

    Block all access to malicious websites. You must select FortiProxy (Disable Only When Troubleshooting) on the System Settings tab before you can enable this option.

    Security Risk

    Configure an action for the security risk site category by selecting one of the following:

    • Block
    • Warn
    • Allow
    • Monitor

    You can also click the + button beside the site category to view all subcategories and configure individual actions (Block, Warn, Allow, Monitor) for each subcategory. The security risk category contains the following subcategories:

    • Dynamic DNS
    • Malicious Websites
    • Newly Observed Domain
    • Newly Registered Domain
    • Phishing
    • Spam URLs

    Use the Exclusion List Defined in the Web Filter Profile

    If this option is enabled, the exclusion list on the Web Filter tab is used. If this option is not enabled, you must define exclusions under Exclusions.

    Real-Time Protection

    Enable real-time protection (RTP).

    Action On Virus Discovery
    • Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard.
    • Deny Access to Infected Files
    • Ignore Infected Files

    Alert When Viruses Are Detected

    Displays the Virus Alert dialog when RTP detects a virus while attempting to download a file via a web browser. The dialog allows you to view recently detected viruses, their locations, and statuses.

    Identify Malware and Exploits Using Signatures Received from FortiSandbox

    Uses signatures from FortiSandbox to identify malware and exploits. This option is available only if the Sandbox Detection tab is enabled. Enter the number of minutes after which to update signatures.

    Scan Compressed Files

    Scan archive files, including zip, rar, and tar files, for threats. Default file extensions are listed in RTP exclusions below.

    Max Size

    Only scan files under the specified size. To allow scanning compressed files of any size, enter 0.

    Scan Files Accessed by User Process

    Configure when RTP should scan files that a user-initiated process accesses. Select one of the following:

    • Scan Files When Processes Read or Write Them
    • Scan Files When Processes Read Them
    • Scan Files When Processes Write Them

    Scan Network Files

    Scan network files for threats when a user-initiated process accesses them.

    System Process Scanning

    Enable system process scanning. Select one of the following:

    • Scan Files When System Processes Read or Write Them
    • Scan Files When System Processes Read Them
    • Scan Files When System Processes Write Them
    • Do Not Scan Files When System Processes Read or Write Them

    On Demand Scanning

    Action On Virus Discovery

    Select one of the following from the dropdown list:

    • Warn the User If a Process Attempts to Access Infected Files
    • Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard.
    • Ignore Infected Files

    Integrate FortiClient into Windows Explorer's Context Menu

    Adds a Scan with FortiClient AntiVirus option to the Windows Explorer right-click menu.

    Pause Scanning When Running on Battery Power

    Pause scanning when the computer is running on battery power.

    Allow Admin Users to Terminate Scheduled and On-Demand Scans from FortiClient Console

    Control whether the local administrator can stop a scheduled or on-demand AV scan initiated by the EMS administrator. A user who is not a local administrator cannot stop a scheduled or on-demand AV scan regardless of this setting.

    Automatically Submit Suspicious Files to FortiGuard for Analysis

    Automatically submit suspicious files to FortiGuard for analysis. You do not receive feedback for files submitted for analysis. The FortiGuard team can create signatures for any files that are submitted for analysis and determined to be malicious.

    Scan Compressed Files

    Scan archive files, including zip, rar, and tar files, for threats.

    Max Size

    Only scan files under the specified size (in MB). To allow scanning compressed files of any size, enter 0.

    Max Scan Speed on Computers With

    Select the minimum amount of memory that must be installed on a computer to maximize scan speed. AV maximizes scan speed by loading signatures on computers with a minimum amount of memory:

    • 4 GB
    • 6 GB
    • 8 GB
    • 12 GB
    • 16 GB

    Scheduled Scan

    Enable scheduled scans.

    Schedule Type

    Select Daily, Weekly, or Monthly.

    Scan On

    If Weekly is selected, select the day of the week to perform the scan. If Monthly is selected, select the day of the month to perform the scan. If you configure monthly scans to occur on the 31st of each month, the scan occurs on the first day of the month for months with fewer than 31 days.

    Start At

    Configure the start time for the scheduled scan.

    Scan Type

    Select one of the following:

    • Quick: Runs the rootkit detection engine to detect and remove rootkits. The quick scan only scans executable files, DLLs, and drivers that are currently running for threats.
    • Full: Runs the rootkit detection engine to detect and remove rootkits, then performs a full system scan of all files, executable files, DLLs, and drivers.
    • Custom: Runs the rootkit detection engine to detect and remove rootkits. In the Scan Folder field, enter the full path of the folder on your local hard disk drive that will be scanned.

    Scan Priority

    Set to Low, Normal, or High. This refers to the amount of processing power that the scan uses and its impact on other processes.

    Scan Removable Media

    Scan connected removable media, such as USB drives, for threats, if present.

    Scan Network Drives

    Scan attached or mounted network drives for threats.

    Enable Scheduled Scans Even When a Third-Party AV Product Is Present

    Enable scheduled scans even when a third party AV product is present.

    Anti-Exploit

    Enable anti-exploit engine to monitor commonly used applications for attempts to exploit known vulnerabilities.

    Options

    Description

    Show System Tray Notifications

    Show system tray notifications when anti-exploit engine detects an exploit.

    Application Exclusion List

    Exclude applications from anti-exploit detection.

    Cloud Based Malware Detection

    Enable cloud-based malware outbreak detection. The cloud-based malware protection feature helps protect endpoints from high risk file types from external sources such as the Internet or network drives by querying FortiGuard to determine whether files are malicious. The following describes the process for cloud-based malware protection:

    1. A high risk file is downloaded or executed on the endpoint.
    2. FortiClient generates a SHA1 checksum for the file.
    3. FortiClient sends the checksum to FortiGuard to determine if it is malicious against the FortiGuard checksum library.
    4. If the checksum is found in the library, FortiGuard communicates to FortiClient that the file is deemed malware. By default, FortiClient quarantines the file.

    This feature only submits high risk file types such as .exe, .doc, .pdf, and .dll to FortiGuard. The list of high risk file types is the same as the list of file types submitted to Sandbox by default.

    Removable Media Access

    Control access to removable media devices, such as USB drives.

    Options

    Description

    Control removable media access

    Configure the action to take with removable media devices. Available options are:

    • Allow: Allow access to all removable media devices connected to the endpoint.
    • Block: Block access to all removable media devices connected to the endpoint.
    • Monitor: Log all removable media device connections to the endpoint.

    Show bubble notifications

    Display bubble notifications when FortiClient blocks removable media access.

    Exclusions

    Enable exclusions from AV scanning. FortiClient EMS supports using wildcards and path variables to specify files and folders to exclude from scanning. EMS supports the following wildcards and variables:

    • Using wildcards to exclude a range of file names with a specified extension, such as Edb*.jrs
    • Using wildcards to exclude all files with a specified extension, such as *.jrs
    • Path variable %windir%
    • Path variable %allusersprofile%
    • Path variable %systemroot%
    • Path variable %systemdrive%

    Having a longer exclusion list affects AV performance. It is advised to keep the exclusion list as short as possible.

    Options

    Description

    Paths to Excluded Folders

    Enter fully qualified excluded folder paths in the provided text box to exclude these folders from RTP and on-demand scanning.

    Paths to Excluded Files

    Enter fully qualified excluded files in the provided text box to exclude these files from RTP and on-demand scanning.

    File Extensions Excluded from Real-Time Protection

    RTP skips scanning files with the specified extensions.

    File Extensions Excluded from On Demand Scanning

    On-demand AV protection skips scanning files with the specified extensions.

    Other

    Options

    Description

    Scan for Rootkits

    Scan for files implementing advanced OS hooks used by malware to protect themselves from being shutdown, killed, or deleted. A rootkit is a collection of programs that enable administrator-level access to a computer or computer network. Typically a rootkit is installed on a computer after first obtaining user-level access by exploiting a known vulnerability or cracking a password.

    Scan for Adware

    Scan for adware. Adware is a form of software that downloads or displays unwanted ads when a user is online.

    Scan for Riskware

    Scan for riskware. Riskware refers to legitimate programs which, when installed and executed, presents a possible but not definite risk to the computer.

    Enable Advanced Heuristics

    Enable AV scan with heuristics signature. Advanced heuristics is a sequence of heuristics to detect complex malware.

    Scan Removable Media on Insertion

    Scan removable media (CDs, DVDs, Blu-ray disks, USB keys, etc.) on insertion.

    Scan Email

    Scan emails for threats with SMTP and POP3 protocols.

    Scan MIME Files (Inbox Files)

    Scan inbox email content with Multipurpose Internet Mail Extensions (MIME) file types.

    MIME is an Internet standard that extends the format of the email to support the following:

    • Text in character sets other than ASCII
    • Non text attachments (audio, video, images, applications)
    • Message bodies with multiple parts

    Enable FortiGuard Analytics

    Automatically sends suspicious files to FortiGuard for analysis.

    Notify Logged in Users if Their AV Signatures Expired

    Notify logged in users if their AV signatures expired.
    Previous
    Next

    Malware Protection

    Malware Protection

    The Malware Protection tab contains options for configuring AV, anti-exploit, cloud-based malware detection, removable media access, exclusions list, and other options. Some options only display if you enable Advanced view.

    Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

    Configure the following options:

    AntiVirus Protection

    Enable AV protection.

    Options

    Description

    General

    These settings apply to all AV protection.

    Block Known Communication Channels Used by Attackers

    Enable Command and Control (C&C) detection using IP reputation database signatures. Check network traffic against known C&C IP address plus port number combinations.

    Block Access to Malicious Websites

    Block all access to malicious websites. You must select FortiProxy (Disable Only When Troubleshooting) on the System Settings tab before you can enable this option.

    Security Risk

    Configure an action for the security risk site category by selecting one of the following:

    • Block
    • Warn
    • Allow
    • Monitor

    You can also click the + button beside the site category to view all subcategories and configure individual actions (Block, Warn, Allow, Monitor) for each subcategory. The security risk category contains the following subcategories:

    • Dynamic DNS
    • Malicious Websites
    • Newly Observed Domain
    • Newly Registered Domain
    • Phishing
    • Spam URLs

    Use the Exclusion List Defined in the Web Filter Profile

    If this option is enabled, the exclusion list on the Web Filter tab is used. If this option is not enabled, you must define exclusions under Exclusions.

    Real-Time Protection

    Enable real-time protection (RTP).

    Action On Virus Discovery
    • Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard.
    • Deny Access to Infected Files
    • Ignore Infected Files

    Alert When Viruses Are Detected

    Displays the Virus Alert dialog when RTP detects a virus while attempting to download a file via a web browser. The dialog allows you to view recently detected viruses, their locations, and statuses.

    Identify Malware and Exploits Using Signatures Received from FortiSandbox

    Uses signatures from FortiSandbox to identify malware and exploits. This option is available only if the Sandbox Detection tab is enabled. Enter the number of minutes after which to update signatures.

    Scan Compressed Files

    Scan archive files, including zip, rar, and tar files, for threats. Default file extensions are listed in RTP exclusions below.

    Max Size

    Only scan files under the specified size. To allow scanning compressed files of any size, enter 0.

    Scan Files Accessed by User Process

    Configure when RTP should scan files that a user-initiated process accesses. Select one of the following:

    • Scan Files When Processes Read or Write Them
    • Scan Files When Processes Read Them
    • Scan Files When Processes Write Them

    Scan Network Files

    Scan network files for threats when a user-initiated process accesses them.

    System Process Scanning

    Enable system process scanning. Select one of the following:

    • Scan Files When System Processes Read or Write Them
    • Scan Files When System Processes Read Them
    • Scan Files When System Processes Write Them
    • Do Not Scan Files When System Processes Read or Write Them

    On Demand Scanning

    Action On Virus Discovery

    Select one of the following from the dropdown list:

    • Warn the User If a Process Attempts to Access Infected Files
    • Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard.
    • Ignore Infected Files

    Integrate FortiClient into Windows Explorer's Context Menu

    Adds a Scan with FortiClient AntiVirus option to the Windows Explorer right-click menu.

    Pause Scanning When Running on Battery Power

    Pause scanning when the computer is running on battery power.

    Allow Admin Users to Terminate Scheduled and On-Demand Scans from FortiClient Console

    Control whether the local administrator can stop a scheduled or on-demand AV scan initiated by the EMS administrator. A user who is not a local administrator cannot stop a scheduled or on-demand AV scan regardless of this setting.

    Automatically Submit Suspicious Files to FortiGuard for Analysis

    Automatically submit suspicious files to FortiGuard for analysis. You do not receive feedback for files submitted for analysis. The FortiGuard team can create signatures for any files that are submitted for analysis and determined to be malicious.

    Scan Compressed Files

    Scan archive files, including zip, rar, and tar files, for threats.

    Max Size

    Only scan files under the specified size (in MB). To allow scanning compressed files of any size, enter 0.

    Max Scan Speed on Computers With

    Select the minimum amount of memory that must be installed on a computer to maximize scan speed. AV maximizes scan speed by loading signatures on computers with a minimum amount of memory:

    • 4 GB
    • 6 GB
    • 8 GB
    • 12 GB
    • 16 GB

    Scheduled Scan

    Enable scheduled scans.

    Schedule Type

    Select Daily, Weekly, or Monthly.

    Scan On

    If Weekly is selected, select the day of the week to perform the scan. If Monthly is selected, select the day of the month to perform the scan. If you configure monthly scans to occur on the 31st of each month, the scan occurs on the first day of the month for months with fewer than 31 days.

    Start At

    Configure the start time for the scheduled scan.

    Scan Type

    Select one of the following:

    • Quick: Runs the rootkit detection engine to detect and remove rootkits. The quick scan only scans executable files, DLLs, and drivers that are currently running for threats.
    • Full: Runs the rootkit detection engine to detect and remove rootkits, then performs a full system scan of all files, executable files, DLLs, and drivers.
    • Custom: Runs the rootkit detection engine to detect and remove rootkits. In the Scan Folder field, enter the full path of the folder on your local hard disk drive that will be scanned.

    Scan Priority

    Set to Low, Normal, or High. This refers to the amount of processing power that the scan uses and its impact on other processes.

    Scan Removable Media

    Scan connected removable media, such as USB drives, for threats, if present.

    Scan Network Drives

    Scan attached or mounted network drives for threats.

    Enable Scheduled Scans Even When a Third-Party AV Product Is Present

    Enable scheduled scans even when a third party AV product is present.

    Anti-Exploit

    Enable anti-exploit engine to monitor commonly used applications for attempts to exploit known vulnerabilities.

    Options

    Description

    Show System Tray Notifications

    Show system tray notifications when anti-exploit engine detects an exploit.

    Application Exclusion List

    Exclude applications from anti-exploit detection.

    Cloud Based Malware Detection

    Enable cloud-based malware outbreak detection. The cloud-based malware protection feature helps protect endpoints from high risk file types from external sources such as the Internet or network drives by querying FortiGuard to determine whether files are malicious. The following describes the process for cloud-based malware protection:

    1. A high risk file is downloaded or executed on the endpoint.
    2. FortiClient generates a SHA1 checksum for the file.
    3. FortiClient sends the checksum to FortiGuard to determine if it is malicious against the FortiGuard checksum library.
    4. If the checksum is found in the library, FortiGuard communicates to FortiClient that the file is deemed malware. By default, FortiClient quarantines the file.

    This feature only submits high risk file types such as .exe, .doc, .pdf, and .dll to FortiGuard. The list of high risk file types is the same as the list of file types submitted to Sandbox by default.

    Removable Media Access

    Control access to removable media devices, such as USB drives.

    Options

    Description

    Control removable media access

    Configure the action to take with removable media devices. Available options are:

    • Allow: Allow access to all removable media devices connected to the endpoint.
    • Block: Block access to all removable media devices connected to the endpoint.
    • Monitor: Log all removable media device connections to the endpoint.

    Show bubble notifications

    Display bubble notifications when FortiClient blocks removable media access.

    Exclusions

    Enable exclusions from AV scanning. FortiClient EMS supports using wildcards and path variables to specify files and folders to exclude from scanning. EMS supports the following wildcards and variables:

    • Using wildcards to exclude a range of file names with a specified extension, such as Edb*.jrs
    • Using wildcards to exclude all files with a specified extension, such as *.jrs
    • Path variable %windir%
    • Path variable %allusersprofile%
    • Path variable %systemroot%
    • Path variable %systemdrive%

    Having a longer exclusion list affects AV performance. It is advised to keep the exclusion list as short as possible.

    Options

    Description

    Paths to Excluded Folders

    Enter fully qualified excluded folder paths in the provided text box to exclude these folders from RTP and on-demand scanning.

    Paths to Excluded Files

    Enter fully qualified excluded files in the provided text box to exclude these files from RTP and on-demand scanning.

    File Extensions Excluded from Real-Time Protection

    RTP skips scanning files with the specified extensions.

    File Extensions Excluded from On Demand Scanning

    On-demand AV protection skips scanning files with the specified extensions.

    Other

    Options

    Description

    Scan for Rootkits

    Scan for files implementing advanced OS hooks used by malware to protect themselves from being shutdown, killed, or deleted. A rootkit is a collection of programs that enable administrator-level access to a computer or computer network. Typically a rootkit is installed on a computer after first obtaining user-level access by exploiting a known vulnerability or cracking a password.

    Scan for Adware

    Scan for adware. Adware is a form of software that downloads or displays unwanted ads when a user is online.

    Scan for Riskware

    Scan for riskware. Riskware refers to legitimate programs which, when installed and executed, presents a possible but not definite risk to the computer.

    Enable Advanced Heuristics

    Enable AV scan with heuristics signature. Advanced heuristics is a sequence of heuristics to detect complex malware.

    Scan Removable Media on Insertion

    Scan removable media (CDs, DVDs, Blu-ray disks, USB keys, etc.) on insertion.

    Scan Email

    Scan emails for threats with SMTP and POP3 protocols.

    Scan MIME Files (Inbox Files)

    Scan inbox email content with Multipurpose Internet Mail Extensions (MIME) file types.

    MIME is an Internet standard that extends the format of the email to support the following:

    • Text in character sets other than ASCII
    • Non text attachments (audio, video, images, applications)
    • Message bodies with multiple parts

    Enable FortiGuard Analytics

    Automatically sends suspicious files to FortiGuard for analysis.

    Notify Logged in Users if Their AV Signatures Expired

    Notify logged in users if their AV signatures expired.
    Previous
    Next