Anti-ransomware

The following lists anti-ransomware attributes:

<forticlient_configuration>
  <rs_protection>
    <enabled>1</enabled>
    <default_action>1</default_action>
    <bypass_valid_signer>1</bypass_valid_signer>
    <default_action_timeout>5</default_action_timeout>
    <enable_backup>1</enable_backup>
    <backup_interval>1</backup_interval>
    <backup_file_size_limit>1</backup_file_size_limit>
    <backup_disk_quota>10</backup_disk_quota>
    <use_custom_file_extensions>1</use_custom_file_extensions>
    <custom_extensions>cmd,csv,dll,dmg,docm,docx,dot,dotm,dotx,elf,eml,exe,gz,iqy,iso,jar,jse,msi,pdf,pot,potm,potx,ppam,pps,ppsm,ppsx,ppt,pptm,pptx,ps1,rar,rtf,tar,thmx,xlam,xls,xlsb,xlsm,xlsx,xlt,xltm,xltx,xz,z,zip</custom_extensions>
    <protections>
      <folders>
        <folder>C:\Users\%USERNAME%\Documents\</folder>
        <folder>C:\Users\%USERNAME%\Pictures\</folder>
        <folder>C:\Users\%USERNAME%\Videos\</folder>
        <folder>C:\Users\%USERNAME%\Music\</folder>
        <folder>C:\Users\%USERNAME%\Desktop\</folder>
        <folder>C:\Users\%USERNAME%\Favorites\</folder>
        <folder>C:\ransome</folder>
      </folders>
    </protections>
  </rs_protection>
</forticlient_configuration>

The following table provides the XML tags for anti-ransomware detection, as well as the descriptions and default values where applicable.

<enabled>
Description: Enable anti-ransomware detection to protect specific files, folders, or file types on your endpoints from unauthorized changes. Boolean value: [0 | 1]

<default_action>
Description: When anti-ransomware detects suspicious activity, it displays a popup asking the user if they want to terminate the process. If the user selects Yes, FortiClient terminates the suspicious process. If the user selects No, FortiClient allows the process to continue. If the user does not select an option, FortiClient waits for the configured action timeout, then does one of the following, as configured:

  • 1: FortiClient terminates the ransomware behavior.
  • 2: FortiClient allows the process to continue and monitors it.

<bypass_valid_signer>
Description: Enable FortiClient to exclude a process from the selected anti-ransomware action if it has a valid signer. Boolean value: [0 | 1]

<default_action_timeout>
Description: Enter the desired timeout value in seconds.
Default value: 120

<enable_backup>
Description: Enable FortiClient to restore files that were encrypted by the detected ransomware after detecting ransomware behavior on the endpoint. Boolean value: [0 | 1]
Default value: 0

<backup_interval>
Description: Enter the desired backup interval value in hours. FortiClient backs up files in protected folders whose last modification is older than the backup interval value. The backup occurs only when the files are about to be modified.

<backup_file_size_limit>
Description: Enter the desired size limit in MB for ransomware-encrypted files for FortiClient to back up. The size limit refers to the original file size, not the file size after encryption.

<backup_disk_quota>
Description: Enter the desired backup disk quota value as a percentage of free disk space.

<use_custom_file_extensions>
Description: Enable FortiClient to protect a customized list of file extension types. Boolean value: [0 | 1]

<custom_extensions>
Description: Enter the desired file types to protect from suspicious activity, separating each file type with a comma. Do not include the leading dot when entering a file type. For example, to include text files, you would enter txt, as opposed to .txt.

<protections><folders><folder>
Description: Enter the desired file directories for FortiClient anti-ransomware to protect. FortiClient anti-ransomware protects all content in the selected folders against unauthorized changes.
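
A pre-deployment lint for an <rs_protection> block, built from the value rules in the table above. It is an added example, not Fortinet code. The function name, the 100 percent cap on <backup_disk_quota>, and the "review" items are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

BOOLEAN_TAGS = ("enabled", "bypass_valid_signer", "enable_backup",
                "use_custom_file_extensions")
NUMERIC_TAGS = ("default_action_timeout", "backup_interval",
                "backup_file_size_limit", "backup_disk_quota")

# Constructed samples: the malformed closing tag and the dotted extension are deliberate.
BROKEN = r"<rs_protection><bypass_valid_signer>1<\bypass_valid_signer></rs_protection>"
SAMPLE = r"""<forticlient_configuration><rs_protection>
  <enabled>1</enabled>
  <default_action>2</default_action>
  <bypass_valid_signer>1</bypass_valid_signer>
  <backup_disk_quota>150</backup_disk_quota>
  <custom_extensions>docx,.txt,pdf</custom_extensions>
  <protections><folders/></protections>
</rs_protection></forticlient_configuration>"""


def lint_rs_protection(xml_text):
    """Return a list of findings for an <rs_protection> block."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]  # e.g. <\tag> instead of </tag>
    rs = root if root.tag == "rs_protection" else root.find("rs_protection")
    if rs is None:
        return ["no <rs_protection> element found"]
    val = lambda tag: (rs.findtext(tag) or "").strip()
    out = [f"<{t}> must be 0 or 1, got {val(t)!r}"
           for t in BOOLEAN_TAGS if val(t) and val(t) not in ("0", "1")]
    out += [f"<{t}> must be a whole number, got {val(t)!r}"
            for t in NUMERIC_TAGS if val(t) and not val(t).isdigit()]
    if val("default_action") not in ("", "1", "2"):
        out.append(f"<default_action> must be 1 or 2, got {val('default_action')!r}")
    if val("backup_disk_quota").isdigit() and int(val("backup_disk_quota")) > 100:
        out.append("<backup_disk_quota> is a percentage, got more than 100")  # assumed cap
    out += [f"extension {e.strip()!r} must not start with a dot"
            for e in val("custom_extensions").split(",") if e.strip().startswith(".")]
    # Review items, not errors (assumed policy): settings that narrow protection.
    if val("enabled") == "1" and not rs.findall("./protections/folders/folder"):
        out.append("review: enabled, but no <folder> is listed")
    if val("bypass_valid_signer") == "1":
        out.append("review: validly signed processes are excluded from the action")
    if val("default_action") == "2":
        out.append("review: on timeout the process continues and is only monitored")
    return out
```

Calling lint_rs_protection(SAMPLE) returns five findings, and lint_rs_protection(BROKEN) returns a single parse error for the backslash closing tag.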
