Antivirus

Antivirus

This chapter includes the following sections:

l FortiClient Antivirus l Antivirus logging l Antivirus options l Endpoint control

FortiClient Antivirus

FortiClient includes an antivirus module to scan system files, executable files, removable media, dynamic-link library (DLL) files, and drivers. FortiClient will also scan for and remove rootkits. In FortiClient, File Based Malware, Malicious Websites, Phishing, and Spam URL protection is part of the antivirus module. Scanning can also be extended using FortiSandbox.

This section describes how to enable and configure antivirus options.

Enable or disable antivirus

To enable real-time protection:

  1. On the AntiVirus tab, select the settings icon next to Realtime Protection Disabled. The real-time protection settings page will open.
  2. Select Scan files as they are downloaded orcopied to my system.
  3. Select OK.

If you have another antivirus program installed on your system, FortiClient will show a warning that your system may lock up due to conflicts between different antivirus products.

To disable real-time protection:

  1. On the AntiVirus tab, select the settings icon next to Realtime Protection Enable. The real-time protection settings page will open.
  2. Deselect Scan files as they are downloaded orcopied to my system.
  3. Select OK.

Conflicting antivirus warning

FortiSandbox

FortiClient integration with FortiSandbox allows users to submit files to FortiSandbox for automatic scanning. When configured, FortiClient will send supported files downloaded over the internet to FortiSandbox if they cannot be detected by the local, real-time scanning. Access to the downloaded file is blocked until the scanning result is returned.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them locally to all real-time and on-demand AV scanning.

This option cannot be configured on a registered endpoint, and must instead be configured on the FortiGate/EMS.

To extend scanning using FortiSandbox:

  1. On the AntiVirus tab, select the settings icon to open the real-time protection settings page.
  2. Select Extend scanning using FortiSandbox.
  3. Enter the FortiSandbox IP address, then select Test to ensure that the connection is correct.
  4. Optionally, select Identify malware & exploits using signatures received from FortiSandbox.
  5. Select OK to apply your changes.

Blocking access and communication channels

To block access to malicious websites and known communication channels used by attackers:

  1. On the AntiVirus tab, select the settings icon to open the real-time protection settings page.
  2. Select Block all access to malicious websites and Block known communication channels used by attackers.
  3. Select OK to apply your changes.

Notifications

Select the notifications icon in the FortiClient console to view notifications. When a virus has been detected, the notifications icon will change from gray to yellow.

Event notifications include:

  • Antivirus events including scheduled scans and detected malware. l Endpoint Control events including configuration updates received from FortiGate.
  • WebFilter events including blocked web site access attempts. l System events including signature and engine updates and software upgrades.

Select the Threat Detected link to view quarantined files, site violations, and real-time protection events.

Scan now

To perform on-demand antivirus scanning, select the Scan Now button in the FortiClient console. Use the dropmenu to select Custom Scan, Full Scan, Quick Scan, or Removable media Scan. The console displays the date of the last scan to the left of the button.

  • Custom Scan runs the rootkit detection engine to detect and remove rootkits. It allows you to select a specific file folder on your local hard disk drive (HDD) to scan for threats.
  • Full Scan runs the rootkit detection engine to detect and remove rootkits, then performs a full system scan including all files, executable files, DLLs, and drivers for threats.
  • Quick System Scan runs the rootkit detection engine to detect and remove rootkits. It only scans executable files, DLLs, and drivers that are currently running for threats.
  • Removable media Scan runs the rootkit detection engine to detect and remove rootkits. It scans all connected removable media, such as USB drives.

Scan a file or folder on your workstation

To perform a virus scan a specific file or folder on your workstation, right-click the file or folder and select Scan with FortiClient AntiVirus from the menu.

Submit a file for analysis

You can select to send up to 5 files a day to FortiGuard for analysis. To submit a file, right-click a file or executable and select Submit foranalysis from the menu. A dialog box will be displayed which allows you to see the number of files you have submitted. Confirm the location of the file you want to submit then select the Submit button.

View FortiClient engine and signature versions

To view the current FortiClient version, engine, and signature information, select Help in the toolbar, and select About in the menu. Hover the mouse over the status field to see the date and time that FortiClient last updated the selected item.

When FortiClient is registered to FortiGate for endpoint control, you can select to use a FortiManager device for client software and signature updates. When configuring the FortiClient profile, select Use FortiManagerforclient software/signature updates to enable the feature and enter the IP address of your FortiManager device. You can select to failover to FDN when FortiManager is not available.

Schedule antivirus scanning

Select the settings icon beside Realtime Protection in the FortiClient console to open the antivirus settings page, then select the Scheduled Scan tab to schedule antivirus scanning.

Scans cannot be scheduled on registered endpoint.

Configure the following settings:

Schedule Type Select Daily, Weekly, or Monthly from the drop-down list.
Scan On For Weekly scheduled scan, select the day of the week in the drop-down list.

For Monthly scheduled scan, select the day of the month in the drop-down list.

Start Select the time of day that the scan starts. The time format uses a 24-hour clock.
Scan Type Select the scan type:

Quick system scan runs the rootkit detection engine to detect and remove rootkits. It only scans executable files, DLLs, drivers that are currently running for threats.

Full system scan runs the rootkit detection engine to detect and remove rootkits. It then performs a full system scan including all files, executable files, DLLs, and drivers for threats.

Custom scan runs the rootkit detection engine to detect and remove rootkits. It allows you to select a specific file folder on your local hard disk drive (HDD) to scan for threats.

You cannot schedule a removable media scan. A full scan will scan removable media.

Disable Scheduled Scan Select to disable scheduled scan.

Select OK to save the setting and return to the main FortiClient console page.

If you configure monthly scans to occur on the 31st of each month, the scan will occur on the first day of the month for those months with less than 31 days.

Add files/folders to an exclusion list

Select the settings icon beside Realtime Protection in the FortiClient console to open the antivirus settings page, then select the Exclusion List tab.

To add files/folders to the antivirus exclusion list, select the add icon and then select Add file or Add folder from the drop-down list. Any files or folders in this exclusion list will not be scanned. Select the minus icon to remove files or folders from the list.

Select OK to save the setting and return to the FortiClient console page.

View quarantined threats

To view quarantined threats, select the X Threats Detected link in the FortiClient console, then select the Quarantined Files tab. In this page you can view, restore, or delete the quarantined file. You can also view the original file location, the virus name, submit the suspicious file to FortiGuard, and view logs.

This page displays the following:

File Name The name of the file.
Date Quarantined The date and time that the file was quarantined by FortiClient.
Refresh Select to refresh the quarantined files list.
Details Select a file from the list to view detailed information including the file name, original location, date and time that the virus was quarantined, the submitted status, status, virus name, and quarantined file name.
Logs Select to view FortiClient log data.
Refresh Select to refresh the list.
Submit Select to submit the quarantined file to FortiGuard. Press and hold the control key to submit multiple entries.
Restore Select to restore the quarantined file. A confirmation dialog box will be displayed. You can select Yes to add this file/folder to the exclusion list, No to restore the file, or

Cancel to exit the operation. Press and hold the control key to restore multiple entries.

Delete Select to delete the quarantined file. A confirmation dialog box will be displayed, select Yes to continue. Press and hold the control key to delete multiple entries.
Close Select to close the page and return to the FortiClient console.

View site violations

To view site violations, select the X Threats Detected link in the FortiClient console, then select the Site Violations tab. On this page you can view site violations and submit sites to be re-categorized.

This page displays the following:

Website Displays the name of the website.
Time Displays the date and time of the site violation.
Refresh Select to refresh the site violation list.
Details Select an entry in the list to view site violation details including the website name, category, date and time, user name, and status.

Select the category link to request to have the site category re-evaluated.

View alerts dialog box

When FortiClient antivirus detects a virus while attempting to download a file via a web-browser, you will receive a warning dialog message.

Select View recently detected virus(es) to collapse the virus list. Select a file in the list and right-click to access the context menu.

Delete Select to delete a quarantined or restored file.
Quarantine Select to quarantine a restored file.
Restore Select to restore a quarantined file.
Submit Suspicious File Select to submit a file to FortiGuard as a suspicious file.
Submit as False Positive Select to submit a quarantined file to FortiGuard as a false positive.
Add to Exclusion List Select to add a restored file to the exclusion list. Any files in the exclusion list will not be scanned.
Open File Location Select to open the file location on your workstation.

When Alert when viruses are detected under AntiVirus Options on the Settings page is not selected, you will not receive the virus alert dialog box when attempting to download a virus in a web browser.

Realtime Protection events

When an antivirus real-time protection event has occurred you can select to view these events in the FortiClient console. From the AntiVirus tab, select X Threats Detected, then select Real-time Protection events (x) in the left pane. The realtime_scan.log will open in the default viewer.

Example log output:

Realtime scan result: time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar.com

 

logging

time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar.com.txt

time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicarcom2.zip

time: 09/29/15 10:46:08, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar_com.zip

time: 09/29/15 10:46:39, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\appdata\local\temp\3g_bl8y9.com.part

time: 03/18/15 10:48:13, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\appdata\local\temp\xntwh8q1.zip.part

Antivirus logging

To configure logging, select File > Settings from the toolbar then expand the Logging section.

Configure the following settings:

Enable logging for these features Select antivirus to enable logging for this feature.
Log Level Select the level of logging:

Emergency: The system becomes unstable. l Alert: Immediate action is required. l Critical: Functionality is affected. l Error: An error condition exists and functionality could be affected. l Warning: Functionality could be affected. l Notice: Information about normal events.

Information: General information about system operations. l Debug: Debug FortiClient.

Log file  
Export logs Select to export logs to your local hard disk drive (HDD) in .log format.
Clear logs Select to clear all logs. You will be presented a confirmation window, select Yes to proceed.

Antivirus options

For information on configuring antivirus options, see Antivirus options on page 109.

Endpoint control

Endpoint control

When FortiClient is registered to FortiGate/EMS for endpoint control, FortiClient receives configuration and settings via the FortiClient Profile configured on the device.

To enable antivirus protection on FortiGate:

  1. Log in to your FortiGate.
  2. In the left tree menu, select Security Profiles > FortiClient Profiles.
  3. In the right pane, in the Edit FortiClient Profile page, in the Security tab, enable AntiVirus.
  4. Select Apply to save the profile.

The FortiGate will send the FortiClient Profile configuration update to registered clients.

To enable antivirus protection on EMS:

  1. Log in to the EMS.
  2. Go to Endpoint Profiles and select a profile to edit.
  3. In the right pane, select AntiVirus Protection to enable antivirus protection and configure as needed.
  4. Select Save to save the profile.

The EMS will send the FortiClient Profile configuration update to registered clients.

Antivirus profile settings

FortiGate and EMS share similar settings for antivirus profiles. EMS also includes advanced options.

Endpoint control

After enabling antivirus protection on FortiGate/EMS, the following settings can be configured:

Scan Downloads Scan files as they are downloaded or copied to my system.
Scan with FortiSandbox Extended scanning using FortiSandbox.

FortiClient will send supported files downloaded over the internet to

FortiSandbox if they cannot be detected by the local, real-time scanning

FortiSandbox IP address The IP address of the FortiSandbox device.
Wait for

FortiSandbox results

Wait for FortiSandbox results before allowing file access.
Use FortiSandbox signatures Identify malware & exploits using signatures or URLs received from FortiSandbox.

Endpoint control

Block malicious websites Block all access to malicious websites.

EMS also has the option of using the exclusion list defined in the web filter profile.

Block attack channels Block known communcation channels used by attackers.
Alert when viruses are detected This option is EMS only.
Schedule Scan Schedule automatic scans daily, weekly, or monthly at a specific time of day. Quick, Full, and Custom scans can be run automatically.
Excluded Paths Files or folders that are not scanned.

Advanced options available on EMS only include:

Scan Downloads Files that are scanned as they are downloaded or copied to the system can be treated in one of the following ways:

l Clean infected files (quarantine if cannot clean) l Repair infected files (quarantine if cannot clean) l Warn the user if a process attempts to access infected files l Quarantine infected files l Deny access to infected files

Scan with FortiSandbox If waiting for FortiSandbox results is enabled, access to downloaded files can be denied if FortiSandbox is offline.
Scan compresses files Scan compressed files that are up to a specified size (default: 10Mb).
Scan email Scan email messages and attachments.
User process scanning l Scan files when processes read or write them l Scan files when processes read them l Scan files when processes write them
Scan network files Scan network files.
System process scanning l Scan files when system processes read or write them l Scan files when system processes read them l Scan files when system processes write them l Do not scan files when system processes read or write them

Endpoint control

On demand scanning Configure on-demand file scan options.

l Clean infected files (quarantine if cannot clean) l Repair infected files (quarantine if cannot clean) l Warn the user if a process attempts to access infected files l Quarantine infected files

Integrate FortiClient into Windows Explorer’s mouse menu Add the options to Scan with FortiClient AntiVirus and Submit foranalysis to the Windows Explorer right-click menu.
Pause scanning when running on battery power Pause a scanning process when the computer is running on battery power.
Automatically submit suspicious files to FortiGuard for analysis Submit all files to FortiGuard for analysis.
Scan compresses

files

Scan compressed files that are up to a specified size (default: 10Mb, 0 means unlimited)
Maximize scan speed Select the amount of memory a computer must have before FortiClient maximizes its scan speed. One of: 4MB, 6MB, 8MB, 12MB, 16MB.
More Options Enable or disable various other options, including:

l Scan for rootkits l Scan for adware l Scan for riskware l Enable advanced heuristics l Scan removable media on insertion l Scan mime files (inbox files) l Enable FortiGuard Analytics l Notify logged in users if their AntiVirus signatures expire

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Name *
Email *
Website