FortiClient 6.0.0 (Windows)

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
First, many thanks for all the getting-started information on this software. It's good.

Question about the web filter. The filter settings are standard category-based operators. Does FortiClient, however, send all connection attempts to Fortinet to check them against a blacklist, or are the categories the protection?

Yeah, I have a few questions and need some tweaks re the web filter too :oops: I was looking for something to do this weekend anyway. :rolleyes:
 

imuade

Level 12
Verified
Top Poster
Well-known
Jul 29, 2018
566
Yeah, I have a few questions and need some tweaks re the web filter too :oops: I was looking for something to do this weekend anyway. :rolleyes:
Fortinet's documentation is pretty good; you can have a look at it:
https://docs.fortinet.com/forticlient/admin-guides
https://docs.fortinet.com/d/forticlient-6.0.0-xml-reference
A very useful under-the-hood setting is <popup_registry_alerts>0</popup_registry_alerts>. If you set it to 1, FortiClient displays alerts if a process tries to change registry startup items.

First results on the Hub are not so promising compared to others.
Everyone here said FortiClient shouldn't be tested alone, but at least with SysHardener (if not with OSArmor). It would be nice if @MoriartyOW could make some tests with FC + SH (as @Evjl's Rain usually does with Avast).
I think SH would have picked up the missed samples of this test https://malwaretips.com/threads/30-08-2018-21.86368/ and the setting I wrote above should have prevented the items set to run on startup (you can see them in Autoruns and Process Explorer).
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Fortinet's documentation is pretty good; you can have a look at it:
https://docs.fortinet.com/forticlient/admin-guides
https://docs.fortinet.com/d/forticlient-6.0.0-xml-reference
A very useful under-the-hood setting is <popup_registry_alerts>0</popup_registry_alerts>. If you set it to 1, FortiClient displays alerts if a process tries to change registry startup items.

Everyone here said FortiClient shouldn't be tested alone, but at least with SysHardener (if not with OSArmor). It would be nice if @MoriartyOW could make some tests with FC + SH (as @Evjl's Rain usually does with Avast).
I think SH would have picked up the missed samples of this test https://malwaretips.com/threads/30-08-2018-21.86368/ and the setting I wrote above should have prevented the items set to run on startup (you can see them in Autoruns and Process Explorer).
I did some tests of FortiClient with default and tweaked settings following ForgottenSeer 58943's guide:
https://malwaretips.com/threads/mixed-threats-16-02-2018-20.79975/#post-711851
https://malwaretips.com/threads/12-2-2018-18.79838/#post-711224
https://malwaretips.com/threads/mixed-threats-09-02-2018-15.79759/#post-710676

If you consider testing FortiClient with SH, you can also read these tests. Let's assume we use SH => all script malware will be ignored. FortiClient only has to deal with .exe malware. Still, due to a lack of a BB, FortiClient won't manage to pass these tests.
For example, this sample:
https://malwaretips.com/threads/mixed-threats-09-02-2018-15.79759/post-710676
绝地求生外挂1.1.exe: opened cmd -> pressed any key to continue -> ran for a while and I closed it -> 10 seconds later, Windows wanted to shut down automatically -> clicked "close" and rebooted -> a new user account was created and both user accounts were protected by a password -> system was no longer usable
 

imuade

Level 12
Verified
Top Poster
Well-known
Jul 29, 2018
566
I did some tests of FortiClient with default and tweaked settings following ForgottenSeer 58943's guide:
https://malwaretips.com/threads/mixed-threats-16-02-2018-20.79975/#post-711851
https://malwaretips.com/threads/12-2-2018-18.79838/#post-711224
https://malwaretips.com/threads/mixed-threats-09-02-2018-15.79759/#post-710676

If you consider testing FortiClient with SH, you can also read these tests. Let's assume we use SH => all script malware will be ignored. FortiClient only has to deal with .exe malware. Still, due to a lack of a BB, FortiClient won't manage to pass these tests.
For example, this sample:
https://malwaretips.com/threads/mixed-threats-09-02-2018-15.79759/post-710676
Yeah, Avast is superior in that regard because of Hardened Mode.
That's why I use FC + SH + OSA ;)

EDIT: you tested FC v5; it would be nice if you could test v6 too :)
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Yeah, Avast is superior in that regard because of Hardened Mode.
That's why I use FC + SH + OSA ;)

EDIT: you tested FC v5; it would be nice if you could test v6 too :)
Hope someone will test it, because I quit testing for a while.
Some people never believe my tests, so a different person will do it better.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
I've been using FortiClient 6 for a while and I really like it :)
Yesterday I checked the conf file and found out that both use_extreme_db and use_sandbox_signatures were ON by default.
I only had to enable heuristic and anti-rootkit scanning (default: <antirootkit>0</antirootkit>)

@imuade, is this a simple 0 to 1 toggle for each of antirootkit and heuristic?

Can someone point to a list of these toggles? I saw @ForgottenSeer 58943's toggles earlier in the thread and imuade's registry toggle.

@Evjl's Rain, I looked in Resources but didn't see anything for FortiClient. Does ForgottenSeer 58943 have a config thread up for it someplace?
 

imuade

Level 12
Verified
Top Poster
Well-known
Jul 29, 2018
566
@imuade, is this a simple 0 to 1 toggle for each of antirootkit and heuristic?

Can someone point to a list of these toggles? I saw @ForgottenSeer 58943's toggles earlier in the thread and imuade's registry toggle.

@Evjl's Rain, I looked in Resources but didn't see anything for FortiClient. Does ForgottenSeer 58943 have a config thread up for it someplace?
<heuristic_scanning>
<level>0</level>
</heuristic_scanning>
Change 0 to 2 or 3

<use_extreme_db>0</use_extreme_db>
Change 0 to 1

<use_sandbox_signatures>0</use_sandbox_signatures>
Change 0 to 1

<antirootkit>0</antirootkit>
Change 0 to 4294947295

<popup_registry_alerts>0</popup_registry_alerts>
Change 0 to 1

Here you can see the details of tuning the .conf (XML) file: https://docs.fortinet.com/d/forticlient-6.0.0-xml-reference
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
@imuade, thank you for taking the time to put it all in one place. @Evjl's Rain, thanks for the link.

:)

EDIT. Looks like I may have made a mistake with the heuristic scanning setting the first time. I think I set the <action>3</action> toggle instead. Is this supposed to be at 0? Thx

NM: I see in the XML reference (great btw :) ). 0 is the setting for <heuristic_scanning> -> <action> to see the alert. I had it set to send the file to the cloud, I believe. Maybe I configured it that way in the GUI... seems I recall a setting someplace about that...

Just for anyone reading: some of the settings appear in the XML more than once. You can safely change all the ones with the same name, for example <heuristic_scanning> for real-time and on-demand. Find will take you quickly through all of the settings.

imuade

Level 12
Verified
Top Poster
Well-known
Jul 29, 2018
566
@imuade, thank you for taking the time to put it all in one place. @Evjl's Rain, thanks for the link.

:)

EDIT. Looks like I may have made a mistake with the heuristic scanning setting the first time. I think I set the <action>3</action> toggle instead. Is this supposed to be at 0? Thx
No problem :)

By default it is:
<heuristic_scanning>
<level>0</level>
<action>0</action>
</heuristic_scanning>

Changing "level" from 0 to 1, 2, 3 or 4 will turn heuristics ON (1 means low heuristics, 4 means high heuristics).
Changing "action" from 0 to 1 or 3 will change what FC does if the heuristics find a malware (0: warning; 1: deny access; 3: submit only).

If you can't fall asleep at night, try to read this: https://docs.fortinet.com/d/forticlient-6.0.0-xml-reference :ROFLMAO::ROFLMAO::ROFLMAO:
 

imuade

Level 12
Verified
Top Poster
Well-known
Jul 29, 2018
566
Yes, the PDF and @ForgottenSeer 58943's options via @Evjl's Rain's link could keep me occupied for some time. Maybe someone will come up with the magic pill config down the line somewhere LOL and RLOL. It makes me nervous when I get into XML. Can't wait for the system to autoformat on boot or something :alien:...
:ROFLMAO::ROFLMAO::ROFLMAO:
Don't worry, if you make a mistake in the XML file you won't be able to restore it; FC will give you an error ;)
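Pulling the settings from this thread together (imuade's toggle list and the heuristic level/action meanings above, AtlBo's note that the same element appears in both the real-time and on-demand sections, and the point that a malformed file cannot be restored), here is an added example, not code from any poster or from Fortinet, that applies the tweaks to an exported .conf (XML) file. The element names are the ones quoted in the thread; the nesting under <antivirus>/<real_time> and <on_demand> in the sample is an assumption for illustration, not the real FortiClient schema, and the anti-rootkit value is the one posted above, taken as-is. It changes every element of a given name wherever it occurs and re-parses the result before returning it, so a broken file is never handed back for import.

```python
"""Apply the FortiClient .conf (XML) hardening tweaks discussed in the thread.

Every element with a matching tag is updated wherever it appears in the
tree (real-time and on-demand sections each carry their own copy), and the
output is parsed again before it is returned, so a malformed file is
rejected rather than written.  Added example; not FortiClient's own tooling.
"""
import xml.etree.ElementTree as ET

# Thread tweaks: tag name -> value to set (same value for every occurrence).
HARDENING = {
    "use_extreme_db": "1",
    "use_sandbox_signatures": "1",
    "antirootkit": "4294947295",     # value as posted in the thread, taken as-is
    "popup_registry_alerts": "1",    # alert when a process changes registry startup items
}
HEURISTIC_LEVEL = "3"    # 1 = low ... 4 = high (per the thread)
HEURISTIC_ACTION = "1"   # 0 = warning, 1 = deny access, 3 = submit only

# Constructed sample config (assumed nesting, not the real schema): the same
# elements appear twice, once per scan type, plus one global alert toggle.
SAMPLE_CONF = """<?xml version="1.0" encoding="UTF-8"?>
<forticlient_configuration>
  <antivirus>
    <real_time>
      <heuristic_scanning><level>0</level><action>0</action></heuristic_scanning>
      <use_extreme_db>0</use_extreme_db>
      <use_sandbox_signatures>0</use_sandbox_signatures>
      <antirootkit>0</antirootkit>
    </real_time>
    <on_demand>
      <heuristic_scanning><level>0</level><action>0</action></heuristic_scanning>
      <use_extreme_db>0</use_extreme_db>
      <use_sandbox_signatures>0</use_sandbox_signatures>
      <antirootkit>0</antirootkit>
    </on_demand>
    <popup_registry_alerts>0</popup_registry_alerts>
  </antivirus>
</forticlient_configuration>
"""


def is_well_formed(conf_xml: str) -> bool:
    """True if the text parses as XML; a file that fails this will not import."""
    try:
        ET.fromstring(conf_xml)
        return True
    except ET.ParseError:
        return False


def harden(conf_xml: str, level: str = HEURISTIC_LEVEL,
           action: str = HEURISTIC_ACTION) -> tuple[str, dict]:
    """Return (hardened XML text, number of elements changed per tag).

    Raises ET.ParseError on malformed input so a damaged export is refused
    before anything is touched.
    """
    root = ET.fromstring(conf_xml)
    changed: dict[str, int] = {}

    def set_all(tag: str, value: str) -> None:
        # iter() walks the whole tree, so every same-named element is covered.
        for el in root.iter(tag):
            if el.text != value:
                el.text = value
                changed[tag] = changed.get(tag, 0) + 1

    for tag, value in HARDENING.items():
        set_all(tag, value)

    # <level> and <action> only mean something inside <heuristic_scanning>,
    # so address them through that parent rather than globally by name.
    for hs in root.iter("heuristic_scanning"):
        for child_tag, value in (("level", level), ("action", action)):
            child = hs.find(child_tag)
            if child is None:
                child = ET.SubElement(hs, child_tag)
            if child.text != value:
                child.text = value
                changed[child_tag] = changed.get(child_tag, 0) + 1

    out = ET.tostring(root, encoding="unicode")
    ET.fromstring(out)  # re-parse: never return something FortiClient would reject
    return out, changed


def values(conf_xml: str, tag: str) -> list[str]:
    """All text values of <tag> in document order, for checking the result."""
    return [el.text for el in ET.fromstring(conf_xml).iter(tag)]


if __name__ == "__main__":
    hardened, changed = harden(SAMPLE_CONF)
    print(changed)                      # two copies of each per-scan setting, one global alert
    print(values(hardened, "level"))    # both sections now at the chosen level
```

Run it against a real export by reading the file into `harden()` and writing the returned text to a new file; keep the original export untouched so there is always a known-good copy to restore. The per-tag counts tell you immediately whether a setting was found in more places than you expected (or nowhere at all), which is the failure mode of editing only the first hit in Find.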
 

stefanos

Level 28
Verified
Top Poster
Well-known
Oct 31, 2014
1,712
I did some tests of FortiClient with default and tweaked settings following ForgottenSeer 58943's guide:
https://malwaretips.com/threads/mixed-threats-16-02-2018-20.79975/#post-711851
https://malwaretips.com/threads/12-2-2018-18.79838/#post-711224
https://malwaretips.com/threads/mixed-threats-09-02-2018-15.79759/#post-710676

If you consider testing FortiClient with SH, you can also read these tests. Let's assume we use SH => all script malware will be ignored. FortiClient only has to deal with .exe malware. Still, due to a lack of a BB, FortiClient won't manage to pass these tests.
For example, this sample:
https://malwaretips.com/threads/mixed-threats-09-02-2018-15.79759/post-710676
I think the protection is only good with VoodooShield or Comodo FW.
 

oldschool

Level 82
Verified
Top Poster
Well-known
Mar 29, 2018
7,129
About a year ago I used FortiClient for nearly 3 months. The most secure combo for FortiClient after my tests is Comodo FW. I am not a great tester, but without any protection like HIPS or a BB I trust only the Comodo sandbox. It's just my opinion. And the other thing is I don't like combos with many products, because they surely create compatibility problems and system delays. For me the best combos for now are Kaspersky Free + OSArmor and Avast Free + SysHardener. My combo is not good for many persons, but I have never had an infection on my system; it is 360TS + OSArmor + VoodooShield. I activate VoodooShield only if I play unsafe with viruses and cracks. Sorry about my English, it's Google Translator.

Please do not apologize for your English. It is good enough that I think most people understand your posts just fine! :) Yes, VS is very good. Especially now with new security postures, it provides many options. I think VS is a keeper. Oh, yes, I now have a lifetime license that I intend to keep using. Cannot imagine life without it. (y)
 

stefanos

Level 28
Verified
Top Poster
Well-known
Oct 31, 2014
1,712
Please do not apologize for your English. It is good enough that I think most people understand your posts just fine! :) Yes, VS is very good. Especially now with new security postures, it provides many options. I think VS is a keeper. Oh, yes, I now have a lifetime license that I intend to keep using. Cannot imagine life without it. (y)
Really, it is a very good program. I tested my love (360TS) with free VoodooShield (malware coming from Greece); results perfect. And my friend AtlBo tries and tries with FC. :):)
 

oldschool

Level 82
Verified
Top Poster
Well-known
Mar 29, 2018
7,129
Hope someone will test it, because I quit testing for a while.
Some people never believe my tests, so a different person will do it better.

Who cares what people say? Useful critique, yes - if it's truly helpful. Otherwise, forget it. Your tests are your tests and people can take them or leave them! May EVjl always Reign! (y)
 

ForgottenSeer 58943

ER tested an older version of FortiClient. I think CS tested a much newer FortiClient (but not 6.0.1) and it performed quite well, except with on-boot infections. CS declared FortiClient in the top tier along with products like ESET. However, there was a major flaw in CS's test: CS forgot to enable exploit protection, a major protection component that launches before FortiClient proper, so with it functioning FortiClient might actually have passed the test.

Even so, without the adjunct technologies/hardware backing it up such as the FortiSandbox, you'd be wise to pair it with a solution like VoodooShield, OSArmor, SysHardener, etc. FortiClient and VoodooShield Free make a wonderful hardened combination for free that is actually very popular in some circles. FortiClient 6.5 is due out in a few weeks and should offer some interesting improvements.

FortiClient has 3 operational methods.

1) Vanilla, freestanding - free version, no adjunct technologies.
2) FortiGate controlled - a notch above freestanding, allowing integration with FortiGuard + FortiSandbox and some endpoint control.
3) EMS - management portal for FortiClient that integrates ALL OF IT into an enterprise-grade management, control and mitigation console.

As such, the free version should be considered the minimum and paired with appropriate adjunct solutions, and if you can handle some XML, make appropriate tweaks to harden it up and improve detection.
 
