Version:

Version:


Table of Contents

Download PDF
Copy Link

Malware Protection and Sandbox Detection enhancements 6.4.2

FortiClient and FortiClient EMS 6.4.2 add the following enhancements to Malware Protection and Sandbox Detection:

  • Anti-ransomware: new feature that helps detect any suspicious ransomware activity.
  • Antiexploit: enhancement that shields applications from attacks and improves security.
  • Sandbox Detection: enhancement to send files that exhibit unknown behavior from removable devices such as CDs to FortiSandbox.

Anti-ransomware

To configure antiransomware:
  1. In EMS, go to Endpoint Profiles > Manage Profiles.
  2. On the Malware tab, enable Anti-Ransomware.
  3. Under Protected Folders, click Add Folder and include the desired folders in anti-ransomware protection.
  4. In the Protected File Types field, enter the desired file types to include in anti-ransomware protection.
  5. From the Action dropdown list, select the desired action.
  6. In the Action Timeout field, enter the desired timeout value in seconds.
  7. Click Save.

In this example, after the EMS administrator configures antiransomware protection and the configuration is synced to the FortiClient endpoint, the Desuencrypt tool is used to simulate the encryption of files in a folder. After Desuencrypt starts the encryption process, FortiClient shows a popup that it detected ransomware activity.

If you select Yes, FortiClient terminates the encryption process.

If you do not select an option in the popup, FortiClient waits for the default action timeout and proceeds with whichever of the following actions is configured:

  • Block access and warn the user if suspicious activity is detected
  • Warn the user and resume after the timeout

Antiexploit

The antiexploit feature monitors commonly used applications for attempts to exploit unknown vulnerabilities.

To configure antiexploit:
  1. In EMS, go to Endpoint Profiles > Manage Profiles.
  2. On the Malware tab, enable Real-Time Protection and Anti-Exploit. You must enable Real-Time Protection for the Anti-Exploit feature to function.
  3. Click Save.

In this example, after the EMS administrator configures antiexploit and the configuration is synced to the FortiClient endpoint, Microsoft Word 2007 macros are used to simulate an exploit. Once the macro is executed, FortiClient detects the exploit with a popup and terminates it.

Sandbox Detection

Sandbox Detection allows file submission options from removable devices.

To configure Sandbox Detection submission options from removable devices:
  1. In EMS, go to Endpoint Profiles > Manage Profiles.
  2. On the Sandbox tab, under Server, configure connection to Sandbox Cloud or a Sandbox appliance.
  3. Under File Submission Options, enable All Files Executed from Removable Media.
  4. Click Save.

In this example, after the EMS administrator configures this feature and the configuration is synced to the FortiClient endpoint, a removable CD-ROM with malicious folders is connected to the endpoint. The user attempts to copy the folders from the CD-ROM to a local folder. FortiClient displays a popup and submits the folder to Sandbox Cloud.

Malware Protection and Sandbox Detection enhancements 6.4.2

FortiClient and FortiClient EMS 6.4.2 add the following enhancements to Malware Protection and Sandbox Detection:

  • Anti-ransomware: new feature that helps detect any suspicious ransomware activity.
  • Antiexploit: enhancement that shields applications from attacks and improves security.
  • Sandbox Detection: enhancement to send files that exhibit unknown behavior from removable devices such as CDs to FortiSandbox.

Anti-ransomware

To configure antiransomware:
  1. In EMS, go to Endpoint Profiles > Manage Profiles.
  2. On the Malware tab, enable Anti-Ransomware.
  3. Under Protected Folders, click Add Folder and include the desired folders in anti-ransomware protection.
  4. In the Protected File Types field, enter the desired file types to include in anti-ransomware protection.
  5. From the Action dropdown list, select the desired action.
  6. In the Action Timeout field, enter the desired timeout value in seconds.
  7. Click Save.

In this example, after the EMS administrator configures antiransomware protection and the configuration is synced to the FortiClient endpoint, the Desuencrypt tool is used to simulate the encryption of files in a folder. After Desuencrypt starts the encryption process, FortiClient shows a popup that it detected ransomware activity.

If you select Yes, FortiClient terminates the encryption process.

If you do not select an option in the popup, FortiClient waits for the default action timeout and proceeds with whichever of the following actions is configured:

  • Block access and warn the user if suspicious activity is detected
  • Warn the user and resume after the timeout

Antiexploit

The antiexploit feature monitors commonly used applications for attempts to exploit unknown vulnerabilities.

To configure antiexploit:
  1. In EMS, go to Endpoint Profiles > Manage Profiles.
  2. On the Malware tab, enable Real-Time Protection and Anti-Exploit. You must enable Real-Time Protection for the Anti-Exploit feature to function.
  3. Click Save.

In this example, after the EMS administrator configures antiexploit and the configuration is synced to the FortiClient endpoint, Microsoft Word 2007 macros are used to simulate an exploit. Once the macro is executed, FortiClient detects the exploit with a popup and terminates it.

Sandbox Detection

Sandbox Detection allows file submission options from removable devices.

To configure Sandbox Detection submission options from removable devices:
  1. In EMS, go to Endpoint Profiles > Manage Profiles.
  2. On the Sandbox tab, under Server, configure connection to Sandbox Cloud or a Sandbox appliance.
  3. Under File Submission Options, enable All Files Executed from Removable Media.
  4. Click Save.

In this example, after the EMS administrator configures this feature and the configuration is synced to the FortiClient endpoint, a removable CD-ROM with malicious folders is connected to the endpoint. The user attempts to copy the folders from the CD-ROM to a local folder. FortiClient displays a popup and submits the folder to Sandbox Cloud.