Anti-ransomware

The following lists anti-ransomware attributes:

<forticlient_configuration>
  <rs_protection>
    <enabled>1</enabled>
    <default_action>1</default_action>
    <bypass_valid_signer>1</bypass_valid_signer>
    <default_action_timeout>5</default_action_timeout>
    <use_custom_file_extensions>1</use_custom_file_extensions>
    <custom_extensions>cmd,csv,dll,dmg,docm,docx,dot,dotm,dotx,elf,eml,exe,gz,iqy,iso,jar,jse,msi,pdf,pot,potm,potx,ppam,pps,ppsm,ppsx,ppt,pptm,pptx,ps1,rar,rtf,tar,thmx,xlam,xls,xlsb,xlsm,xlsx,xlt,xltm,xltx,xz,z,zip</custom_extensions>
    <protections>
      <folders>
        <folder>C:\Users\%USERNAME%\Documents\</folder>
        <folder>C:\Users\%USERNAME%\Pictures\</folder>
        <folder>C:\Users\%USERNAME%\Videos\</folder>
        <folder>C:\Users\%USERNAME%\Music\</folder>
        <folder>C:\Users\%USERNAME%\Desktop\</folder>
        <folder>C:\Users\%USERNAME%\Favorites\</folder>
        <folder>C:\ransome</folder>
      </folders>
    </protections>
  </rs_protection>
</forticlient_configuration>

The following table provides the XML tags for anti-ransomware detection, as well as the descriptions and default values where applicable.

| XML tag | Description | Default value |
|---|---|---|
| <enabled> | Enable anti-ransomware detection to protect specific files, folders, or file types on your endpoints from unauthorized changes. Boolean value: [0 \| 1] | |
| <default_action> | When anti-ransomware detects suspicious activity, it displays a popup asking the user if they want to terminate the process: If the user selects Yes, FortiClient terminates the suspicious process. If the user selects No, FortiClient allows the process to continue. If the user does not select an option, FortiClient waits for the configured action timeout, then does one of the following, as configured: 1: terminate ransomware behavior. 2: FortiClient allows the process to continue and monitors it. | |
| <bypass_valid_signer> | Enable FortiClient to exclude a process from the selected anti-ransomware action if it has a valid signer. Boolean value: [0 \| 1] | |
| <default_action_timeout> | Enter the desired timeout value in seconds. | 120 |
| <use_custom_file_extensions> | Enable FortiClient to protect a customized list of file extension types. Boolean value: [0 \| 1] | |
| <custom_extensions> | Enter the desired file types to protect from suspicious activity, separating each file type with a comma. Do not include the leading dot when entering a file type. For example, to include text files, you would enter txt, as opposed to .txt. | |
| <protections><folders><folder> | Enter the desired file directories for FortiClient anti-ransomware to protect. FortiClient anti-ransomware protects all content in the selected folders against unauthorized changes. | |
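The following pre-deployment check is an added example, not Fortinet code: it lints an <rs_protection> block against the value rules in the table above (0/1 Booleans, default_action of 1 or 2, extensions without a leading dot). The function name lint_rs_protection, the constructed sample, and the choice to accept absent optional tags are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample with two deliberate mistakes: default_action outside the
# documented 1/2 values, and a custom extension written with a leading dot.
SAMPLE = r"""<forticlient_configuration>
  <rs_protection>
    <enabled>1</enabled>
    <default_action>3</default_action>
    <bypass_valid_signer>1</bypass_valid_signer>
    <default_action_timeout>5</default_action_timeout>
    <use_custom_file_extensions>1</use_custom_file_extensions>
    <custom_extensions>docx,.txt,xlsx</custom_extensions>
    <protections><folders>
      <folder>C:\Users\%USERNAME%\Documents\</folder>
    </folders></protections>
  </rs_protection>
</forticlient_configuration>"""

BOOLEAN_TAGS = ("enabled", "bypass_valid_signer", "use_custom_file_extensions")

def lint_rs_protection(xml_text):
    """Return a list of findings; an empty list means the block passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. a closing tag typed as <\tag>
        return [f"not well-formed XML: {exc}"]
    rs = root if root.tag == "rs_protection" else root.find(".//rs_protection")
    if rs is None:
        return ["missing <rs_protection> element"]
    def value(tag):  # None when the tag is absent (assumed acceptable here)
        v = rs.findtext(tag)
        return None if v is None else v.strip()
    findings = []
    for tag in BOOLEAN_TAGS:
        if value(tag) not in (None, "0", "1"):
            findings.append(f"<{tag}> must be 0 or 1, got {value(tag)!r}")
    if value("default_action") not in (None, "1", "2"):
        findings.append(f"<default_action> must be 1 or 2, got {value('default_action')!r}")
    timeout = value("default_action_timeout")
    if timeout is not None and not timeout.isdigit():
        findings.append("<default_action_timeout> must be a whole number of seconds")
    if value("use_custom_file_extensions") == "1":
        for ext in (value("custom_extensions") or "").split(","):
            if not ext.strip() or ext.strip().startswith("."):
                findings.append(f"<custom_extensions> entry {ext!r} is empty or has a leading dot")
    if not any((f.text or "").strip() for f in rs.iter("folder")):
        findings.append("no <folder> entries under <protections><folders>")
    return findings

print(lint_rs_protection(SAMPLE))
```
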
