EMS Administration Guide

AntiVirus Protection

Enable AV protection. FortiClient's AV component supports twelve levels of nested compressed files for scanning.

Options

Description

General

These settings apply to all AV protection.

Block Known Communication Channels Used by Attackers

Enable Command and Control (C&C) detection using IP address reputation database signatures. Check network traffic against known C&C IP address plus port number combinations.
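The following Python is an added illustration (not FortiClient or EMS code) of what "IP address plus port number combinations" means in practice: a flow is blocked only when both the destination address and the destination port match a reputation entry, so a second connection to the same address on a different port is not caught by an address-plus-port signature. The signature entries, the key=value flow format, and all addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Signature(NamedTuple):
    """One reputation entry: a C&C address or prefix plus the port it is known to use."""
    network: str          # single address or CIDR prefix
    port: Optional[int]   # None means the address is blocked on any port
    name: str


# Constructed sample signatures using RFC 5737 documentation addresses, not real indicators.
SIGNATURES: List[Signature] = [
    Signature("203.0.113.7", 4444, "Sample.CnC.A"),
    Signature("198.51.100.0/24", None, "Sample.CnC.B"),
]

# Constructed flow records in a simple key=value form (not the FortiClient log format).
SAMPLE_FLOWS = [
    "2024-01-01T10:00:00 src=10.0.0.5 dst=203.0.113.7 dport=4444 proto=tcp",
    "2024-01-01T10:00:01 src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp",
    "2024-01-01T10:00:02 src=10.0.0.6 dst=198.51.100.42 dport=8080 proto=tcp",
    "2024-01-01T10:00:03 src=10.0.0.7 dst=192.0.2.10 dport=443 proto=tcp",
]


def match_signature(dst_ip: str, dst_port: int, signatures: List[Signature]) -> Optional[Signature]:
    """Return the first signature whose address AND port both match, else None."""
    addr = ipaddress.ip_address(dst_ip)
    for sig in signatures:
        in_range = addr in ipaddress.ip_network(sig.network, strict=False)
        port_ok = sig.port is None or sig.port == dst_port
        if in_range and port_ok:
            return sig
    return None


def parse_flow(line: str) -> Tuple[str, int]:
    """Extract the destination address and port from one key=value flow record."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["dst"], int(fields["dport"])


def evaluate_flows(lines, signatures=SIGNATURES):
    """Return (dst, dport, verdict, signature name) per flow; verdict is 'block' on a match."""
    verdicts = []
    for line in lines:
        dst, dport = parse_flow(line)
        sig = match_signature(dst, dport, signatures)
        verdicts.append((dst, dport, "block" if sig else "allow", sig.name if sig else None))
    return verdicts


if __name__ == "__main__":
    for verdict in evaluate_flows(SAMPLE_FLOWS):
        print(verdict)
```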

Block Access to Malicious Websites

Block all access to malicious websites. You must select FortiProxy (Disable Only When Troubleshooting) on the System Settings tab before you can enable this option.

If you are syncing the profile's Web Filter settings from a Web Filter profile imported from FortiOS or FortiManager, you cannot configure actions for the security risk site categories in EMS. EMS synchronizes these settings from the FortiOS or FortiManager Web Filter profile. See Web Filter.

Security Risk

Configure an action for the security risk site category by selecting one of the following:

  • Block
  • Warn
  • Allow
  • Monitor

You can also click the + button beside the site category to view all subcategories and configure individual actions (Block, Warn, Allow, Monitor) for each subcategory. The security risk category contains the following subcategories:

  • Dynamic DNS
  • Malicious Websites
  • Newly Observed Domain
  • Newly Registered Domain
  • Phishing
  • Spam URLs

Use the Exclusion List Defined in the Web Filter Profile

If you enable this option, EMS uses the exclusion list on the Web Filter tab. If you disable this option, you must define exclusions under Exclusions.

Delete Malware Files After

Enter the number of days after which to delete malware files from the client.

Real-Time Protection

Enable real-time protection (RTP).

Action On Virus Discovery

  • Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard.
  • Deny Access to Infected Files
  • Ignore Infected Files

Alert When Viruses Are Detected

Displays the Virus Alert dialog when RTP detects a virus while you attempt to download a file through a web browser. The dialog lets you view recently detected viruses, their locations, and their statuses.

Identify Malware and Exploits Using Signatures Received from FortiSandbox

Uses signatures from FortiSandbox to identify malware and exploits. This option is available only if you enable Sandbox Detection. Enter the number of minutes after which to update signatures.

Scan Compressed Files

Scan archive files, including zip, rar, and tar files, for threats. The RTP exclusions list contains the file extensions that are excluded by default.

Max Size

Only scan files under the specified size. To allow scanning compressed files of any size, enter 0.
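The following Python is an added example (not FortiClient code) that models how the two compressed-file limits described on this page interact: it walks a constructed nested zip, stops descending after twelve archive layers (the nesting depth the introduction states), and treats a Max Size of 0 as unlimited. That an archive beyond the depth or size limit is reported as skipped rather than opened is an assumption made for the example; the file names and statuses are likewise constructed.

```python
import io
import zipfile
from typing import List, Tuple

MAX_NESTING = 12  # FortiClient AV scans at most twelve levels of nested archives


def build_nested_zip(depth: int, payload: bytes = b"constructed sample file") -> bytes:
    """Constructed test input: wrap `payload` in `depth` zip layers (depth 0 = plain file)."""
    data = payload
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("inner.bin" if level == 0 else f"layer{level}.zip", data)
        data = buf.getvalue()
    return data


def scan_archive(data: bytes, max_size_mb: int = 0, max_depth: int = MAX_NESTING,
                 depth: int = 0) -> List[Tuple[int, str]]:
    """Walk nested zips and return (depth, status) for every leaf reached.

    max_size_mb == 0 means no size limit, mirroring the 'enter 0' option.
    An archive nested deeper than max_depth is reported, not opened (assumption).
    """
    if max_size_mb and len(data) > max_size_mb * 1024 * 1024:
        return [(depth, "skipped: exceeds max size")]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [(depth, "scanned")]  # plain file: this is what the engine would inspect
    if depth >= max_depth:
        return [(depth, "skipped: nesting limit")]
    results: List[Tuple[int, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            results.extend(scan_archive(zf.read(info), max_size_mb, max_depth, depth + 1))
    return results


if __name__ == "__main__":
    print(scan_archive(build_nested_zip(12)))  # innermost file is reached and scanned
    print(scan_archive(build_nested_zip(13)))  # the thirteenth layer is not opened
```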

Scan Files Accessed by User Process

Configure when RTP should scan files that a user-initiated process accesses. Select one of the following:

  • Scan Files When Processes Read or Write Them
  • Scan Files When Processes Read Them
  • Scan Files When Processes Write Them

Scan Network Files

Scan network files for threats when a user-initiated process accesses them.

System Process Scanning

Enable system process scanning. Select one of the following:

  • Scan Files When System Processes Read or Write Them
  • Scan Files When System Processes Read Them
  • Scan Files When System Processes Write Them
  • Do Not Scan Files When System Processes Read or Write Them

Enable Windows Antimalware Scan Interface

Enable the Microsoft Antimalware Scan Interface (AMSI). This feature is available only on Windows 10 endpoints. AMSI scans memory for malicious behavior in the following:

  • User Account Control (elevation of EXE, COM, MSI, or ActiveX installation)
  • PowerShell (scripts, interactive use, and dynamic code evaluation)
  • Windows Script Host (wscript.exe and cscript.exe)
  • JavaScript and VBScript
  • Office VBA macros

Enable Machine Learning Analysis

Enable or disable machine learning (ML). This feature uses the new FortiClient AV engine, which incorporates signature-less, ML-based advanced threat detection. The antimalware solution includes ML models for static and dynamic analysis of threats.

From the Action On Virus Discovery With Machine Learning Analysis dropdown list, select one of the following:

  • Log detection and warn the User: detect the sample, display a warning message, and log the activity.
  • Quarantine Infected Files: quarantine infected files. You can view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.

On Demand Scanning

Action On Virus Discovery

Select one of the following from the dropdown list:

  • Warn the User If a Process Attempts to Access Infected Files
  • Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard.
  • Ignore Infected Files

Integrate FortiClient into Windows Explorer's Context Menu

Adds a Scan with FortiClient AntiVirus option to the Windows Explorer right-click menu.

Hide AV Scan from Windows Explorer's Context Menu

Hide AV scan option from Windows Explorer's context menu.

Hide AV Analyse from Windows Explorer's Context Menu

Hide option to submit file for AV analysis from Windows Explorer's context menu.

Pause Scanning When Running on Battery Power

Pause scanning when the computer is running on battery power.

Allow Admin Users to Terminate Scheduled and On-Demand Scans from FortiClient Console

Control whether the local administrator can stop a scheduled or on-demand AV scan initiated by the EMS administrator. A user who is not a local administrator cannot stop a scheduled or on-demand AV scan regardless of this setting.

Automatically Submit Suspicious Files to FortiGuard for Analysis

Automatically submit suspicious files to FortiGuard for analysis. You do not receive feedback for files submitted for analysis. The FortiGuard team can create signatures for any files that are submitted for analysis and determined to be malicious.

Scan Compressed Files

Scan archive files, including zip, rar, and tar files, for threats.

Max Size

Only scan files under the specified size (in MB). To allow scanning compressed files of any size, enter 0.

Max Scan Speed on Computers With

Select the minimum amount of memory that a computer must have installed before AV maximizes scan speed. On computers that have at least the selected amount of memory, AV maximizes scan speed by loading signatures:

  • 4 GB
  • 6 GB
  • 8 GB
  • 12 GB
  • 16 GB

Enable Machine Learning Analysis

Enable or disable machine learning (ML). This feature uses the new FortiClient AV engine, which incorporates signature-less, ML-based advanced threat detection. The antimalware solution includes ML models for static and dynamic analysis of threats.

From the Action On Virus Discovery With Machine Learning Analysis dropdown list, select one of the following:

  • Log detection and warn the User: detect the sample, display a warning message, and log the activity.
  • Quarantine Infected Files: quarantine infected files. You can view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.

Scheduled Scan

Enable scheduled scans.

Schedule Type

Select Daily, Weekly, or Monthly.

Scan On

If you selected Weekly, select the day of the week to perform the scan. If you selected Monthly, select the day of the month to perform the scan. If you configure monthly scans to occur on the 31st of each month, the scan occurs on the first day of the month for months with fewer than 31 days.

Start At

Configure the start time for the scheduled scan.

Scan Type

Select one of the following:

  • Quick: runs the rootkit detection engine to detect and remove rootkits. The quick scan only scans executable files, DLLs, and drivers that are currently running for threats.
  • Full: runs the rootkit detection engine to detect and remove rootkits, then performs a full system scan of all files, executable files, DLLs, and drivers.
  • Custom: runs the rootkit detection engine to detect and remove rootkits. In the Scan Folder field, enter the full path of the folder on your local hard disk drive to scan.

Scan Priority

Set to Low, Normal, or High. This refers to the amount of processing power that the scan uses and its impact on other processes.

Scan Removable Media

Scan connected removable media, such as USB drives, for threats, if present.

Scan Network Drives

Scan attached or mounted network drives for threats.

Enable Scheduled Scans Even When a Third-Party AV Product Is Present

Enable scheduled scans even when a third-party AV product is present.
