FortiClient 6.0.0 (Windows)

[simmerskool]

v1.00169 means signatures of vulnerability scanner

I firstly though that meant web filter signatures, but there is no web filter signatures to be updated at all

It means Web filter runs on cloud level, and is updated itself

ok. I understand now. Last time FC did a vuln scan I think it said it had about 5600 sigs and on this win7 took about 17 min and did not find any.
Thanks!! :emoji_ok_hand:

 

[Windows_Security]

One must keep in mind, FortiClient is largely configured out of the box to cause the least problems in enterprise environments with the FGT and FSB doing the heavy lifting. If you want to test it stand alone I would advise some basic changes.

<heuristic_scanning>
<level>0</level>

I'd put that at 2 or 3. Since it defaults to off.

<use_extreme_db>0</use_extreme_db>

Defaults to 0, by default it uses the normal database for the most relevant threats. Extended for slightly aged threats, and extreme for all of the databases combined and Zoo threats. One should toggle this to 1 rather than 0.

<use_sandbox_signatures>0</use_sandbox_signatures>

Defaults to 0 which is off. When toggled to 1 it will pull down the newest, most relevant emerging threats from the global FSB databases which are the combined horsepower of all deployed FortiSandboxes and the signatures those are generating.

The reason these are all essentially off out of the box is because they could theoretically offer false positives and other issues in an complex enterprise environment so it's up to the administrator to decide, then test, and adjust if necessary. I'd strongly encourage these to be enabled for a better picture of overall detection levels. Once the settings to the CONF are made, one should reboot the system afterward.

two questions:
1.Do these tweaked settings also work for free version? (when fortinet launched the free version their website stated that it did not use extended signatures).
2. What file/registry to change?

 

[imuade]

two questions:

1.Do these tweaked settings also work for free version? (when fortinet launched the free version their website stated that it did not use extended signatures).

2. What file/registry to change?

Yes, it works for the free version too.
You first have to backup your setting from the "Settings" tab, this will save a .conf file.
Then, open the .conf file (for example with WordPad), search for the entry you wanna modify and change the value.
Once done, save the .conf file and restore it from the "Settings" tab.

Here the suggested changes:

<heuristic_scanning>

<level>0</level>

Change 0 with 2 or 3



<use_extreme_db>0</use_extreme_db>

Change 0 with 1



<use_sandbox_signatures>0</use_sandbox_signatures>

Change 0 with 1



<antirootkit>0</antirootkit>

Change 0 with 4294947295



<popup_registry_alerts>0</popup_registry_alerts>

Change 0 with 1



Here you can see the details of tuning the .conf (XML) file https://docs.fortinet.com/d/forticlient-6.0.0-xml-reference

 

[Sunshine-boy]

Good av but bad privacy policy:
Fortinet Privacy Policy

 

[imuade]

Good av but bad privacy policy:
Fortinet Privacy Policy

I don't think so, you can completely turn off telemetry and other privacy-concerned stuffs

 

[Windows_Security]

Yes, it works for the free version too.
You first have to backup your setting from the "Settings" tab, this will save a .conf file.
Then, open the .conf file (for example with WordPad), search for the entry you wanna modify and change the value.
Once done, save the .conf file and restore it from the "Settings" tab.

Here the suggested changes:

Thanks, changed them with visual studio code (with indents and search is easier to edit )

Last question: which processes to allow in Windows Firewall?

 

[imuade]

Thanks, changed them with visual studio code (with indents and search is easier to edit )

Last question: which processes to allow in Windows Firewall?

Well, FortiClient uses a lot of processes, so you have to set several outgoing rules. You can check here:
FortiClient (Windows) processes
Required services and ports

Plus, it automatically makes some inbound rules as well.

 

[Windows_Security]

FortiClient runs light, using the XML reference guide it is easy to make configuration changes.
- enable rootkit protection
- enable exploit protection
- enable expired signatures warning
- enable scan on (USB) insertion
- on demand scan:
a) enabled extreme db signatures
b) enabled adware & riskware
c) set heuristics to 4 (plus warn)
- realtime protection:
a) scan executables on write only
b) removed zip from exclusions
c) enabled registry startup protection
d) enabled extreme db signatures
e) enabled sandbox signatures
f) enabled adware & riskware
g) set heuristics to 3 (plus warn)
- email protection
a) enabled outlook
b) enabled worm detection
c) set heuristics to 3
d) enabled mime scanning

I am pleasantly surprised on its tweakability. Because FortiClient is designed to be a companion AV for FortiGuard/Fortigate, it also runs well with my default deny/policy based setup. I did a quick test with latest VX-vault and Malc0de sample and both samples were quarantined, while downloading from Firefox. So tweaks seem to work.

Thanks for the tips and suggestions @imuade

 

[Sunshine-boy]

you can

I know about that option but that's only one part of data collection.

 

[tsunami]

does this filter https/ssl/tls (web filter)? any worthy xml config for the web filter module?

 

[imuade]

does this filter https/ssl/tls (web filter)? any worthy xml config for the web filter module?

yes, it filters any website, not only inside the browser, but system-wide.
The only xml option is <https_block_method>0</https_block_method>.
1 means FortiClient will show a bubble notification when Web Filtering blocks an HTTPS site
0 means HTTPS website will be silently blocked

 

[LDogg]

Still looks like a very solid product. Even bundled with Anti Exploit.

~LDogg

 

[ForgottenSeer 58943]

I know about that option but that's only one part of data collection.

What other parts are you referring to? None, because there are none. Logs are done locally, but you can also disable ALL logging. Analytics are the telemetry, which can be fully disabled with the checkbox. Feel free to wireshark it's activity after you disable both of these and let me know. Or I will save you the time and tell you that absolutely no logs, data or analytics are outbound from it after those are checked off.

Also, 6.0.2 Build 0128 is out as of 8PM PST Sept 10.

Optimizations for resource use and speed in it as well as bug fixes.

 

[tsunami]

does the app autoupdate or do we need to dl new version from the website and install?

 

[ForgottenSeer 69673]

When I go to their website version 1.0.1037 is installed for Windows 10.

 

[ForgottenSeer 58943]

When I go to their website version 1.0.1037 is installed for Windows 10.

It might take a couple days to populate the main web page. I put the direct 64-Bit installer for 6.0.2 Build 0128 on a file share site. This isn't the online installer, so it's even better.

FortiClientSetup_6.0.2.0128_x64.exe | openload

 

[AtlBo]

Anyone else have trouble seeing the notification window information? Can't see everything in the window when it opens, but the window won't fullscreen. There is a slider bar at the bottom, but moving it all the way to the right makes it possible to see only part of the sources column:

This is for a URL block. No idea why outlook.live is not rated btw. Mail page isn't being blocked...

 

[ForgottenSeer 69673]

It might take a couple days to populate the main web page. I put the direct 64-Bit installer for 6.0.2 Build 0128 on a file share site. This isn't the online installer, so it's even better.

FortiClientSetup_6.0.2.0128_x64.exe | openload

Malwarebytes says no.

 

[ForgottenSeer 58943]

Malwarebyte's says a lot of things, and most of what it says are wrong. Especially since it uses TLD blocking and MiTM techniques which probably shouldn't used.

Since I am sitting behind a million dollars worth of IT security right now and I can hit it fine. I think what MBAM says is pretty pointless in the modern age. Maybe if version 1.75 said things I would pay attention.

 

[Windows_Security]

Malwarebyte's says a lot of things, and most of what it says are wrong. Especially since it uses TLD blocking and MiTM techniques which probably shouldn't used.

Since I am sitting behind a million dollars worth of IT security right now and I can hit it fine. I think what MBAM says is pretty pointless in the modern age. Maybe if version 1.75 said things I would pay attention.

probably sounds a bit unsure when sitting behind a million dollars worth of IT-security. Rest assure, it is not you nor the Forticlient executable it is most likely openload.co triggering the warning.

Openload is online earning website where you can upload any file and make a it shareable link and earn money from adds and traffic.