Malware Protection
The Malware Protection tab contains options for configuring AV, antiransomware, antiexploit, cloud-based malware detection, removable media access, exclusions list, and other options. Some options only display if you enable Advanced view.
Only features that FortiClient EMS is licensed for are available for configuration. For example, if you have only applied the ZTNA license, you can only enable and configure the Removable Media Access section. See Windows, macOS, and Linux endpoint licenses for details on which features each license type includes.
Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.
Configure the following options:
- AntiVirus Protection
- Anti-Ransomware
- Anti-Exploit
- Cloud Based Malware Detection
- Removable Media Access
- Exclusions
- Other
AntiVirus Protection
Enable AV protection. FortiClient's AV component supports twelve levels of nested compressed files for scanning.
Options |
Description |
|
---|---|---|
General |
These settings apply to all AV protection. |
|
Block Known Communication Channels Used by Attackers |
Enable Command and Control (C&C) detection using IP reputation database signatures. Check network traffic against known C&C IP address plus port number combinations. |
|
Block Access to Malicious Websites |
Block all access to malicious websites. You must select FortiProxy (Disable Only When Troubleshooting) on the System Settings tab before you can enable this option. If you are syncing the profile's Web Filter settings from a Web Filter profile imported from FortiOS or FortiManager, you cannot configure actions for the security risk site categories in EMS. EMS synchronizes these settings from the FortiOS or FortiManager Web Filter profile. See Web Filter. |
|
|
Security Risk |
Configure an action for the security risk site category by selecting one of the following:
You can also click the + button beside the site category to view all subcategories and configure individual actions (Block, Warn, Allow, Monitor) for each subcategory. The security risk category contains the following subcategories:
|
|
Use the Exclusion List Defined in the Web Filter Profile |
If you enable this option, EMS uses the exclusion list on the Web Filter tab. If you disable this option, you must define exclusions under Exclusions. |
Delete Malware Files After |
Enter the number of days after which to delete malware files from the client. |
|
Real-Time Protection |
Enable real-time protection (RTP). |
|
Action On Virus Discovery |
|
|
Alert When Viruses Are Detected |
Displays the Virus Alert dialog when RTP detects a virus while attempting to download a file via a web browser. The dialog allows you to view recently detected viruses, their locations, and statuses. |
|
Identify Malware and Exploits Using Signatures Received from FortiSandbox |
Uses signatures from FortiSandbox to identify malware and exploits. This option is available only if the Sandbox Detection tab is enabled. Enter the number of minutes after which to update signatures. |
|
Scan Compressed Files |
Scan archive files, including zip, rar, and tar files, for threats. RTP exclusions list default file extensions. |
|
|
Max Size |
Only scan files under the specified size. To allow scanning compressed files of any size, enter 0. |
Scan Files Accessed by User Process |
Configure when RTP should scan files that a user-initiated process accesses. Select one of the following:
|
|
|
Scan Network Files |
Scan network files for threats when a user-initiated process accesses them. |
System Process Scanning |
Enable system process scanning. Select one of the following:
|
|
Enable Windows Antimalware Scan Interface |
Enable Microsoft Anti-Malware Interface Scan (AMSI). This feature is only available for Windows 10 endpoints. AMSI scans memory for the following malicious behavior:
|
|
Enable Machine Learning Analysis |
Enable or disable machine learning (ML). This feature uses the new FortiClient AV engine, which incorporates smarter signature-less ML-based advanced threat detection. The antimalware solution includes ML models static and dynamic analysis of threats. From the Action On Virus Discovery With Machine Learning Analysis dropdown list, select one of the following:
|
|
On Demand Scanning |
|
|
Action On Virus Discovery |
Select one of the following from the dropdown list:
|
|
Integrate FortiClient into Windows Explorer's Context Menu |
Adds a Scan with FortiClient AntiVirus option to the Windows Explorer right-click menu. |
|
|
Hide AV Scan from Windows Explorer's Context Menu |
Hide AV scan option from Windows Explorer's context menu. |
|
Hide AV Analyse from Windows Explorer's Context Menu |
Hide option to submit file for AV analysis from Windows Explorer's context menu. |
Pause Scanning When Running on Battery Power |
Pause scanning when the computer is running on battery power. |
|
Allow Admin Users to Terminate Scheduled and On-Demand Scans from FortiClient Console |
Control whether the local administrator can stop a scheduled or on-demand AV scan initiated by the EMS administrator. A user who is not a local administrator cannot stop a scheduled or on-demand AV scan regardless of this setting. |
|
Automatically Submit Suspicious Files to FortiGuard for Analysis. |
Automatically submit suspicious files to FortiGuard for analysis. You do not receive feedback for files submitted for analysis. The FortiGuard team can create signatures for any files that are submitted for analysis and determined to be malicious. |
|
Scan Compressed Files |
Scan archive files, including zip, rar, and tar files, for threats. |
|
|
Max Size |
Only scan files under the specified size (in MB). To allow scanning compressed files of any size, enter 0. |
Max Scan Speed on Computers With |
Select the minimum amount of memory that must be installed on a computer to maximize scan speed. AV maximizes scan speed by loading signatures on computers with a minimum amount of memory:
|
|
Enable Machine Learning Analysis |
Enable or disable machine learning (ML). This feature uses the new FortiClient AV engine, which incorporates smarter signature-less ML-based advanced threat detection. The antimalware solution includes ML models static and dynamic analysis of threats. From the Action On Virus Discovery With Machine Learning Analysis dropdown list, select one of the following:
|
|
Scheduled Scan |
Enable scheduled scans. |
|
Schedule Type |
Select Daily, Weekly, or Monthly. |
|
Scan On |
If Weekly is selected, select the day of the week to perform the scan. If Monthly is selected, select the day of the month to perform the scan. If you configure monthly scans to occur on the 31st of each month, the scan occurs on the first day of the month for months with fewer than 31 days. |
|
Start At |
Configure the start time for the scheduled scan. |
|
Scan Type |
Select one of the following:
|
|
Scan Priority |
Set to Low, Normal, or High. This refers to the amount of processing power that the scan uses and its impact on other processes. |
|
Scan Removable Media |
Scan connected removable media, such as USB drives, for threats, if present. |
|
Scan Network Drives |
Scan attached or mounted network drives for threats. |
|
Enable Scheduled Scans Even When a Third-Party AV Product Is Present |
Enable scheduled scans even when a third party AV product is present. |
Anti-Ransomware
Enable anti-ransomware to protect specific files, folders, or file types on your endpoints from unauthorized changes.
Options |
Description |
---|---|
Protected Folders |
Select the desired folders from the list, or click Add Folder to add a custom directory. FortiClient anti-ransomware protects all content in the selected folders against unauthorized changes. To remove a folder, select it then click the Remove Folder button. |
Protected File Types |
Enter the desired file types to protect from suspicious activity, separating each file type with a comma. Do not include the leading dot when entering a file type. For example, to include text files, you would enter txt , as opposed to .txt . |
Action |
When anti-ransomware detects suspicious activity, it displays a popup asking the user if they want to terminate the process:
|
Action Timeout |
Enter the desired timeout value. |
Anti-Exploit
Enable anti-exploit engine to detect suspicious processes (payload) running from legitimate applications. You must enable Real-Time Protection for the Anti-Exploit feature to function.
Cloud-Based Malware Detection
Enable cloud-based malware outbreak detection. The cloud-based malware protection feature helps protect endpoints from high risk file types from external sources such as the Internet or network drives by querying FortiGuard to determine whether files are malicious. The following describes the process for cloud-based malware protection:
- A high risk file is downloaded or executed on the endpoint.
- FortiClient generates a SHA1 checksum for the file.
- FortiClient sends the checksum to FortiGuard to determine if it is malicious against the FortiGuard checksum library.
- If the checksum is found in the library, FortiGuard communicates to FortiClient that the file is deemed malware. By default, FortiClient quarantines the file.
This feature only submits high risk file types such as .exe, .doc, .pdf, and .dll to FortiGuard. The list of high risk file types is the same as the list of file types submitted to Sandbox by default.
Options |
Description |
|
---|---|---|
Server | ||
Wait for Cloudscan Results before Allowing File Access |
Have the endpoint user wait for cloud scanning results before being allowed access to files. Set the timeout in seconds. |
|
Deny Access to File When There is No Cloudscan Result |
Deny access to downloaded files if there is no cloud scan result. This may happen if FortiClient EMS cannot reach FortiGuard. |
|
File Submission Options | ||
All Files Executed from Removable Media |
Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis. |
|
All Files Executed from Mapped Network Drives |
Submit all files executed from mapped network drives. |
|
All Web Downloads |
Submit all web downloads. |
|
All Email Downloads |
Submit all email downloads. |
|
Exclude Files from Trusted Sources | Exclude files signed by trusted sources from cloud-based malware protection submission. | |
Remediation Actions | ||
Action |
Choose Quarantine or Alert & Notify for malicious files. The user can access the file depending on Wait for Cloudscan Results before Allowing File Access and Deny Access to File When There Is No Cloudscan Result configuration. Whether FortiClient quarantines the file depends on if FortiGuard reports the file as malicious. |
Removable Media Access
Control access to removable media devices, such as USB drives. You can configure rules to allow or block specific removable devices.
For the class, manufacturer, vendor ID, product ID, and revision, you can find the desired values for the device in one of the following ways:
- Microsoft Windows Device Manager: select the device and view its properties.
- USBDeview
Options |
Description |
---|---|
Show bubble notifications |
Display a bubble notification when FortiClient takes action with a removable media device. |
Action |
Configure the action to take with removable media devices connected to the endpoint that match this rule. Available options are:
|
Description |
Enter the desired rule description. |
Type |
Select Simple or Regular Expression for the rule type. When Simple is selected, FortiClient performs case-insensitive matching against classes, manufacturers, vendor IDs, product IDs, and revisions. When Regular Expression is selected, FortiClient uses Perl Compatible Regular Expressions (PCRE) to perform matching against classes, manufacturers, vendor IDs, product IDs, and revisions. |
Class |
Enter the device class. |
Manufacturer |
Enter the device manufacturer. |
Vendor ID |
Enter the device vendor ID. |
Product ID |
Enter the device product ID. |
Revision |
Enter the device revision number. |
Remove this rule |
Remove this rule from the profile. |
Add a new rule |
Add a new removable media access rule. |
Move this rule up/down |
Move this rule up or down. If a connected device is eligible for multiple rules, FortiClient applies the highest rule to the device. |
Default removable media access |
Configure the action to take with removable media devices that do not match any configured rules. Available options are:
|
Exclusions
Enable exclusions from AV scanning. FortiClient EMS supports using wildcards and path variables to specify files and folders to exclude from scanning. EMS supports the following wildcards and variables:
- Using wildcards to exclude a range of file names with a specified extension, such as Edb*.jrs
- Using wildcards to exclude all files with a specified extension, such as *.jrs
- Path variable %allusersprofile%
- Path variable %appdata%
- Path variable %localappdata%
- Path variable %systemroot%
- Path variable %systemdrive%
- Path variable %userprofile%
- Path variable %windir%
Combinations of wildcards and variables are not supported.
Having a longer exclusion list affects AV performance. It is advised to keep the exclusion list as short as possible.
Exclusion lists are case-sensitive. |
When excluding a network share, you may enter the path using drive letters (Z:\folder\) or the UNC path (\\172.17.60.193\fileserver\folder). |
Options |
Description |
---|---|
Paths to Excluded Folders |
Enter fully qualified excluded folder paths in the provided text box to exclude these folders from RTP and on-demand scanning. |
Paths to Excluded Files |
Enter fully qualified excluded files in the provided text box to exclude these files from RTP and on-demand scanning. |
File Extensions Excluded from Real-Time Protection |
RTP skips scanning files with the specified extensions. |
File Extensions Excluded from On Demand Scanning |
On-demand AV protection skips scanning files with the specified extensions. |