FDS update support for antiransomware behavior rules 7.0.3

FortiClient adds FortiGuard Distribution Server (FDS) support for antiransomware engine and rule updates, as is already the case for antivirus. FortiClient has supported ransomware detection since 6.4.2. Prior to this enhancement, updates to techniques or detection rules were not applied until the next FortiClient patch release, which could take months.

With this enhancement, FDS keeps all users' antiransomware engines/signatures up to date without requiring a new patch release. For example, if all users are connected to the corporate FDS, then when Fortinet creates a new antiransomware engine/signature and uploads it to FDS, all users receive the updated antiransomware engine/signature.

Note

Updated antiransomware engine/signature versions depend on the FortiClient firmware version. FortiClient implements different engine updates for different versions.

To check engine/signature version on the endpoint:
  1. After a fresh install of FortiClient, go to C:\Program Files\Fortinet\FortiClient.
  2. Right-click the RsEngineCore.dll file, then select Properties.

  3. On the Details tab, confirm the Product version. This is the antiransomware engine version, which should be the same as the installed version of FortiClient.

  4. Register FortiClient to EMS.
  5. On the About page, confirm the antiransomware engine version. This should be the same as the version from step 3.

  6. After Fortinet uploads a new engine/signature to FDS, you can verify that FortiClient received the update by repeating the previous steps to check the versions in the RsEngineCore.dll file and on the FortiClient About page.
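
The endpoint check in steps 1 to 6 can be scripted so that the before and after comparison in step 6 is recorded. The following PowerShell is an added example, not Fortinet code; only the install directory and the RsEngineCore.dll file name come from this page, while the baseline file location and the parameter names are assumptions.

```powershell
# Added example (not Fortinet code). Reads the antiransomware engine version from
# RsEngineCore.dll and compares it with the value recorded on the previous run.
param(
    [string]$InstallDir   = 'C:\Program Files\Fortinet\FortiClient',     # path from this page
    [string]$BaselineFile = "$env:ProgramData\ars-engine-baseline.json"  # assumed state file
)

$dll = Join-Path $InstallDir 'RsEngineCore.dll'
if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
    Write-Error "RsEngineCore.dll not found under $InstallDir"
    exit 2
}

$item = Get-Item -LiteralPath $dll
$sig  = Get-AuthenticodeSignature -LiteralPath $dll

# ProductVersion is the value shown under Properties > Details > Product version (step 3).
$current = [pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    ProductVersion = $item.VersionInfo.ProductVersion
    Sha256         = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
    LastWriteUtc   = $item.LastWriteTimeUtc.ToString('o')
    SignatureState = $sig.Status.ToString()
    Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
}

# Flag an engine DLL whose Authenticode signature does not verify so it can be investigated.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Authenticode status of RsEngineCore.dll is $($sig.Status)"
}

# Load the record written by the previous run, if there is one.
$previous = $null
if (Test-Path -LiteralPath $BaselineFile) {
    $previous = Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json
}

# Step 6: after Fortinet publishes to FDS, a rerun should report a changed engine.
$changed = $previous -and (($previous.ProductVersion -ne $current.ProductVersion) -or
                           ($previous.Sha256 -ne $current.Sha256))
$result = [pscustomobject]@{
    ComputerName    = $current.ComputerName
    PreviousVersion = if ($previous) { $previous.ProductVersion } else { '(first run)' }
    CurrentVersion  = $current.ProductVersion
    EngineChanged   = [bool]$changed
    SignatureState  = $current.SignatureState
    Signer          = $current.Signer
}

# Persist the current state as the baseline for the next run, then emit the comparison.
$current | ConvertTo-Json | Set-Content -LiteralPath $BaselineFile -Encoding UTF8
$result
```

The CurrentVersion it reports should match the antiransomware engine version shown on the FortiClient About page (step 5) and in EMS.
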
To check engine/signature version on EMS:
  1. In EMS, go to Endpoints > All Endpoints.
  2. Select the desired endpoint to view its details. Under Features, EMS displays the endpoint's antiransomware engine version.

  3. Go to System Settings > FortiGuard Services > View Signature List to verify the antiransomware engine and signature version.
To view antiransomware events on the EMS:

The antiransomware feature stops and quarantines detected ransomware and restores the encrypted files to the backup folder at C:\Program Files\Fortinet\FortiClient\backup. These events are logged locally on the FortiClient. FortiClient sends the events to EMS.

  1. On EMS, go to Endpoints > All Endpoints.
  2. Select the desired endpoint.
  3. Go to the Anti-Ransomware Events tab. All detected ransomware events display.
  4. Go to the File Recovery and File Quarantine tabs to view recovered and quarantined files, respectively.
