simmerskool

Level 7
v1.00169 means signatures of vulnerability scanner

I first thought that meant web filter signatures, but there are no web filter signatures to be updated at all

It means the Web filter runs at cloud level and updates itself
ok. I understand now. Last time FC did a vuln scan I think it said it had about 5600 sigs and on this Windows 7 took about 17 min and did not find any.
Thanks!! :)
 

Windows_Security

Level 22
Content Creator
Trusted
Verified
One must keep in mind, FortiClient is largely configured out of the box to cause the least problems in enterprise environments, with the FGT and FSB doing the heavy lifting. If you want to test it stand-alone I would advise some basic changes.

<heuristic_scanning>
<level>0</level>

I'd put that at 2 or 3, since it defaults to off.

<use_extreme_db>0</use_extreme_db>

Defaults to 0, by default it uses the normal database for the most relevant threats. Extended for slightly aged threats, and extreme for all of the databases combined and Zoo threats. One should toggle this to 1 rather than 0.

<use_sandbox_signatures>0</use_sandbox_signatures>

Defaults to 0 which is off. When toggled to 1 it will pull down the newest, most relevant emerging threats from the global FSB databases which are the combined horsepower of all deployed FortiSandboxes and the signatures those are generating.

The reason these are all essentially off out of the box is because they could theoretically offer false positives and other issues in a complex enterprise environment, so it's up to the administrator to decide, then test, and adjust if necessary. I'd strongly encourage these to be enabled for a better picture of overall detection levels. Once the settings to the CONF are made, one should reboot the system afterward.
Two questions:
1. Do these tweaked settings also work for the free version? (When Fortinet launched the free version their website stated that it did not use extended signatures.)
2. What file/registry to change?
 

imuade

Level 8
Verified
Two questions:

1. Do these tweaked settings also work for the free version? (When Fortinet launched the free version their website stated that it did not use extended signatures.)

2. What file/registry to change?
Yes, it works for the free version too.
You first have to back up your settings from the "Settings" tab; this will save a .conf file.
Then, open the .conf file (for example with WordPad), search for the entry you wanna modify and change the value.
Once done, save the .conf file and restore it from the "Settings" tab.

Here are the suggested changes:
<heuristic_scanning>
<level>0</level>
Change 0 to 2 or 3

<use_extreme_db>0</use_extreme_db>
Change 0 to 1

<use_sandbox_signatures>0</use_sandbox_signatures>
Change 0 to 1

<antirootkit>0</antirootkit>
Change 0 to 4294947295

<popup_registry_alerts>0</popup_registry_alerts>
Change 0 to 1

Here you can see the details of tuning the .conf (XML) file: https://docs.fortinet.com/d/forticlient-6.0.0-xml-reference
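A way to apply the edits above from a script instead of by hand in WordPad, as an added example that is not from this thread or from Fortinet: it locates the five elements named in the post by tag name wherever they sit in the tree, refuses to run on a malformed file, and raises if a tag is absent (a mistyped tag in a text editor would simply do nothing, and the restored profile would look tweaked without being so). The sample .conf and its enclosing element names are constructed assumptions; the values are the ones given in the post.

```python
import xml.etree.ElementTree as ET

# Settings named in the thread and the values suggested there. A slash in a
# path means "child of": the <level> element sits inside <heuristic_scanning>.
TWEAKS = {
    "heuristic_scanning/level": "3",
    "use_extreme_db": "1",
    "use_sandbox_signatures": "1",
    "antirootkit": "4294947295",
    "popup_registry_alerts": "1",
}

# Constructed stand-in for a backup; the enclosing element names are an
# assumption (a real export is far larger and nested differently).
SAMPLE_CONF = """<forticlient_configuration>
  <antivirus>
    <heuristic_scanning><level>0</level></heuristic_scanning>
    <use_extreme_db>0</use_extreme_db>
    <use_sandbox_signatures>0</use_sandbox_signatures>
    <antirootkit>0</antirootkit>
    <popup_registry_alerts>0</popup_registry_alerts>
  </antivirus>
</forticlient_configuration>"""


def find_setting(root, path):
    """Locate a setting by tag wherever it sits, so the exact nesting need not be known."""
    parent_tag, _, child_tag = path.rpartition("/")
    if parent_tag:
        return [c for p in root.iter(parent_tag) for c in p.findall(child_tag)]
    return list(root.iter(child_tag))


def apply_tweaks(xml_text, tweaks=TWEAKS):
    """Return (modified XML text, {path: (old value, new value)})."""
    root = ET.fromstring(xml_text)  # a malformed file fails here, before any edit
    changes = {}
    for path, new in tweaks.items():
        elems = find_setting(root, path)
        if not elems:  # a mistyped tag would silently do nothing in a text editor
            raise KeyError(f"{path} not present in this .conf")
        for elem in elems:
            changes[path] = ((elem.text or "").strip(), new)
            elem.text = new
    return ET.tostring(root, encoding="unicode"), changes


def read_settings(xml_text, tweaks=TWEAKS):
    """Current value of each tweaked setting; run it on the output to verify."""
    root = ET.fromstring(xml_text)
    return {p: [(e.text or "").strip() for e in find_setting(root, p)] for p in tweaks}
```

Read the backup into a string, pass it to apply_tweaks, write the returned text to a new .conf and check it with read_settings before restoring it from the "Settings" tab.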
 

Windows_Security

Level 22
Content Creator
Trusted
Verified
Yes, it works for the free version too.
You first have to back up your settings from the "Settings" tab; this will save a .conf file.
Then, open the .conf file (for example with WordPad), search for the entry you wanna modify and change the value.
Once done, save the .conf file and restore it from the "Settings" tab.

Here are the suggested changes:
Thanks, changed them with Visual Studio Code (with indents and search it is easier to edit :) )

Last question: which processes to allow in Windows Firewall?
 

imuade

Level 8
Verified

Windows_Security

Level 22
Content Creator
Trusted
Verified
FortiClient runs light; using the XML reference guide it is easy to make configuration changes.
- enable rootkit protection
- enable exploit protection
- enable expired signatures warning
- enable scan on (USB) insertion
- on demand scan:
a) enabled extreme db signatures
b) enabled adware & riskware
c) set heuristics to 4 (plus warn)
- realtime protection:
a) scan executables on write only
b) removed zip from exclusions
c) enabled registry startup protection
d) enabled extreme db signatures
e) enabled sandbox signatures
f) enabled adware & riskware
g) set heuristics to 3 (plus warn)
- email protection
a) enabled outlook
b) enabled worm detection
c) set heuristics to 3
d) enabled mime scanning

I am pleasantly surprised by its tweakability. Because FortiClient is designed to be a companion AV for FortiGuard/FortiGate, it also runs well with my default deny/policy based setup. I did a quick test with the latest VX-vault and Malc0de samples and both were quarantined while downloading from Firefox. So the tweaks seem to work.

Thanks for the tips and suggestions @imuade

 

imuade

Level 8
Verified
Does this filter https/ssl/tls (web filter)? Any worthy xml config for the web filter module?
Yes, it filters any website, not only inside the browser but system-wide.
The only xml option is <https_block_method>0</https_block_method>.
1 means FortiClient will show a bubble notification when Web Filtering blocks an HTTPS site
0 means the HTTPS website will be silently blocked
 

Slyguy

Level 40
I know about that option but that's only one part of data collection.
What other parts are you referring to? None, because there are none. Logs are done locally, but you can also disable ALL logging. Analytics are the telemetry, which can be fully disabled with the checkbox. Feel free to wireshark its activity after you disable both of these and let me know. Or I will save you the time and tell you that absolutely no logs, data or analytics are outbound from it after those are checked off.

Also, 6.0.2 Build 0128 is out as of 8PM PST Sept 10.

Optimizations for resource use and speed in it as well as bug fixes.
 

AtlBo

Level 26
Content Creator
Verified
Anyone else have trouble seeing the notification window information? Can't see everything in the window when it opens, but the window won't fullscreen. There is a slider bar at the bottom, but moving it all the way to the right makes it possible to see only part of the sources column:



This is for a URL block. No idea why outlook.live is not rated btw. Mail page isn't being blocked...
 

Slyguy

Level 40
Malwarebytes says a lot of things, and most of what it says is wrong. Especially since it uses TLD blocking and MiTM techniques which probably shouldn't be used.

Since I am sitting behind a million dollars' worth of IT security right now and I can hit it fine, I think what MBAM says is pretty pointless in the modern age. Maybe if version 1.75 said things I would pay attention.
 

Windows_Security

Level 22
Content Creator
Trusted
Verified
Malwarebytes says a lot of things, and most of what it says is wrong. Especially since it uses TLD blocking and MiTM techniques which probably shouldn't be used.

Since I am sitting behind a million dollars' worth of IT security right now and I can hit it fine, I think what MBAM says is pretty pointless in the modern age. Maybe if version 1.75 said things I would pay attention.
:) Probably sounds a bit unsure when sitting behind a million dollars' worth of IT security. Rest assured, it is not you nor the FortiClient executable; it is most likely openload.co triggering the warning.

openload.co said:
Openload is an online earning website where you can upload any file, make it a shareable link and earn money from ads and traffic.
 