App Review FortiClient- An issue to be resolved


ForgottenSeer 58943

Sly- The advanced features are part of the Endpoint product, with the Advanced Threat protection working through FortiSandbox.

So the free FortiClient product is indeed just a traditional AV product.

This is incorrect. As of 5.6.1 the free version now includes Anti-Botnet, Dynamic Threat Detection and Anti-Exploit modules. Observe this screenshot, showing a non-FortiGate-linked free FortiClient with those modules available as checkboxes. For some reason your test had all of these disabled; I will check the default installer script, as this is an oversight if they default to disabled. But you can easily enable them (and everyone should).

[Screenshot: fortc.png]


Also, I would like to provide you with a customized INI file to run your tests on. There are quite a number of advanced features I can enable in the INI. You'd just have to click a button to load my INI into your test client. With all of the modules properly enabled, and a test INI I have, I think the results might be surprising.
 

ForgottenSeer 58943

Some INI changes I recommend - very safe, well-tested changes. FortiClient by default 'assumes' it's being installed on the lowest common denominator PC, a dual core with 2 GB of RAM, and sets itself up with such an assumption. With that in mind, you can test the following below and compare it with your own conf.

<use_extreme_db>1</use_extreme_db>
--this setting enables zoo signatures. The entire Fortinet virus/trojan/rootkit/ransomware database. Old, Not so old and brand new.

<heuristic_scanning>
<level>1</level>
</heuristic_scanning>
--this setting enables heuristics for the realtime engine. It defaults to OFF (0). The levels are: 0-Off, 1-Low, 2-Medium, 3-High. Depending on PC horsepower you can increase it as you desire; false positives become more possible as you increase the number, but detection is 'significantly' improved in the process.

Here are the relevant snippets from the INI. Once again, these settings are completely safe to tweak. I would avoid tweaking the threading, GPU use and other settings, as you could potentially cause issues without knowing their full purpose and parameters.

<real_time_protection>
<enabled>1</enabled>
<use_extreme_db>1</use_extreme_db>
<when>0</when>
<ignore_system_when>2</ignore_system_when>
<on_virus_found>5</on_virus_found>
<popup_alerts>1</popup_alerts>
<popup_registry_alerts>0</popup_registry_alerts>
<bypass_java>0</bypass_java>
<cloud_based_detection>
<on_virus_found>4</on_virus_found>
</cloud_based_detection>
<sandboxing>
<use_sandbox_signatures>1</use_sandbox_signatures>
</sandboxing>
<compressed_files>
<scan>1</scan>
<maxsize>10</maxsize>
</compressed_files>
<riskware>
<enabled>1</enabled>
</riskware>
<adware>
<enabled>1</enabled>
</adware>
<heuristic_scanning>
<level>1</level>
<action>3</action>
</heuristic_scanning>
<scan_file_types>
<all_files>0</all_files>
<file_types>
<extensions>.386,.ACE,.ACM,.ACV,.ACX,.ADT,.APP,.ASD,.ASP,.ASX,.AVB,.AX,.AX2,.BAT,.BIN,.BTM,.CDR,.CFM,.CHM,.CLA,.CLASS,.CMD,.CNN,.COM,.CPL,.CPT,.CPY,.CSC,.CSH,.CSS,.DEV,.DLL,.DOC,.DOT,.DRV,.DVB,.DWG,.EML,.EXE,.FON,.GMS,.GVB,.HLP,.HTA,.HTM,.HTML,.HTT,.HTW,.HTX,.HXS,.INF,.INI,.JPG,.JS,.JTD,.KSE,.LGP,.LIB,.LNK,.MDB,.MHT,.MHTM,.MHTML,.MOD,.MPD,.MPP,.MPT,.MRC,.OCX,.PIF,.PL,.PLG,.PM,.PNF,.PNP,.POT,.PPA,.PPS,.PPT,.PRC,.PWZ,.QLB,.QPW,.REG,.RTF,.SBF,.SCR,.SCT,.SH,.SHB,.SHS,.SHT,.SHTML,.SHW,.SIS,.SMM,.SWF,.SYS,.TD0,.TLB,.TSK,.TSP,.TT6,.VBA,.VBE,.VBS,.VBX,.VOM,.VSD,.VSS,.VST,.VWP,.VXD,.VXE,.WBK,.WBT,.WIZ,.WK,.WML,.WPC,.WPD,.WSC,.WSF,.WSH,.XLS,.XML,.XTP</extensions>
<include_files_with_no_extension>0</include_files_with_no_extension>
</file_types>
</scan_file_types>
<exclusions>
<file />
<folder />
<file_types>
<extensions>.zip,.gzip,.msc,.rar,.tar,.tgz,.lzh,.CAB,.BZIP2,.7Z,.BZIP,.ARJ</extensions>
</file_types>
</exclusions>
</real_time_protection>
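A practical way to use the INI snippet above is to audit an exported configuration rather than eyeball it, since the thread's point is that the installer can leave the stronger settings at 0. The script below is an added example and is not FortiClient or Fortinet code; it assumes only the element names and value meanings visible in the thread (enabled, use_extreme_db, heuristic_scanning/level with 0-3 = Off/Low/Medium/High, and exclusions/file_types/extensions as the on-access exclusion list), and it interprets no other elements because the thread does not document them. The "default" snippet is constructed to model the heuristics-off, extreme-DB-off state the thread describes, not copied from a real installation.

```python
"""Audit a FortiClient <real_time_protection> XML snippet for weak settings.

Added example, not FortiClient code. Only the element names and meanings
shown in the forum thread are assumed; everything else in the INI is ignored.
"""
import xml.etree.ElementTree as ET

# Meaning of heuristic_scanning/level as described in the thread.
HEURISTIC_LEVELS = {0: "off", 1: "low", 2: "medium", 3: "high"}

# Trimmed copy of the tuned settings posted in the thread.
TUNED_SNIPPET = """<real_time_protection>
<enabled>1</enabled>
<use_extreme_db>1</use_extreme_db>
<heuristic_scanning>
<level>1</level>
<action>3</action>
</heuristic_scanning>
<exclusions>
<file />
<folder />
<file_types>
<extensions>.zip,.gzip,.msc,.rar,.tar,.tgz,.lzh,.CAB,.BZIP2,.7Z,.BZIP,.ARJ</extensions>
</file_types>
</exclusions>
</real_time_protection>"""

# Constructed snippet modelling the installer default the thread describes
# (heuristics off, extreme DB off). Not taken from a real installation.
DEFAULT_SNIPPET = """<real_time_protection>
<enabled>1</enabled>
<use_extreme_db>0</use_extreme_db>
<heuristic_scanning>
<level>0</level>
</heuristic_scanning>
</real_time_protection>"""


def _int_value(root, path, default=0):
    """Integer text of the element at `path`, or `default` when absent or blank."""
    text = root.findtext(path)
    if text is None or not text.strip():
        return default
    try:
        return int(text.strip())
    except ValueError:
        raise ValueError(f"{path}: non-integer value {text!r}")


def audit_realtime_config(xml_text):
    """Parse a <real_time_protection> block and report weak or invalid settings.

    Returns the decoded settings plus a list of findings; an empty findings
    list means every checked setting is at the tuned value from the thread.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "real_time_protection":
        raise ValueError(f"expected <real_time_protection>, got <{root.tag}>")

    findings = []

    enabled = _int_value(root, "enabled") == 1
    if not enabled:
        findings.append("enabled=0: real-time protection is switched off")

    extreme_db = _int_value(root, "use_extreme_db") == 1
    if not extreme_db:
        findings.append("use_extreme_db=0: full ('zoo') signature database not in use")

    level = _int_value(root, "heuristic_scanning/level")
    if level not in HEURISTIC_LEVELS:
        findings.append(f"heuristic_scanning/level={level}: outside the documented range 0-3")
    elif level == 0:
        findings.append("heuristic_scanning/level=0: real-time heuristics are off")

    # Extensions excluded from on-access scanning (assumed meaning of the
    # exclusions/file_types element; normalised to lower case, deduplicated).
    raw = root.findtext("exclusions/file_types/extensions") or ""
    excluded = sorted({e.strip().lower() for e in raw.split(",") if e.strip()})

    return {
        "enabled": enabled,
        "extreme_db": extreme_db,
        "heuristic_level": HEURISTIC_LEVELS.get(level, f"invalid({level})"),
        "excluded_extensions": excluded,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, snippet in (("tuned", TUNED_SNIPPET), ("default", DEFAULT_SNIPPET)):
        report = audit_realtime_config(snippet)
        print(f"[{name}] heuristics={report['heuristic_level']} extreme_db={report['extreme_db']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run it against the snippet exported from your own install; any finding it prints is a setting the thread recommends changing, and an out-of-range heuristic level is flagged rather than silently mapped, so a typo in the INI does not pass as "high".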
 

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
Sorry for hijacking the thread.

@ForgottenSeer 58943
As a Fortinet engineer, maybe you can help me:

With the option to "Block all known communication channels used by attackers", my F-Secure FreeDome VPN cannot connect.
Is there a workaround?
I already tried to whitelist the complete F-Secure folder, but that did not help.
Also whitelisted Freedome.exe and openvpn.exe.
[Screenshots: Unbenannt.PNG, Unbenannt2.PNG]
 

ForgottenSeer 58943

Sorry for hijacking the thread.

@ForgottenSeer 58943
As a Fortinet engineer, maybe you can help me:

With the option to "Block all known communication channels used by attackers", my F-Secure FreeDome VPN cannot connect.
Is there a workaround?
I already tried to whitelist the complete F-Secure folder, but that did not help.
Also whitelisted Freedome.exe and openvpn.exe.

Have you configured any custom ports on Freedome?

Generally, IPSEC uses 500 for ISAKMP (IKE Auth) and 4500 for ESP UDP Encap, so those shouldn't be blocked on FortiClient because FortiClient itself uses those for its own VPN back to a FortiGate. Unless there is a non-standard or trojan-esque port Freedome is using? The anti-bot is pretty aggressive in its blocking of common botnet ports/protocols, so anything off the standard would be vehemently blocked.

I will take a look when I get some time today. In the meantime try this workaround - re-install FortiClient, but this time install the VPN aspect of it. That will, by default, unblock common IPSEC/SSL VPN ports in the anti-botnet during the installation process, because it auto-adds exclusions for those ports so the FortiClient VPN will work; in the process it should also unblock those ports for other VPNs. Then you can go into your network adapter section and disable the FortiClient virtual adapter. If that works, let me know and I will report the bug. If it doesn't work, allow me a day to look into it.

There is an assumption that in a corporate/smb/enterprise environment you won't want your users installing VPN's and bypassing the local network security and validations. A logical assumption in a business deployment which is what this is actually designed for.

Also, there is a known bug (sort of bug for home users) with the web filtration on FortiClient where it can 'sometimes' block printers on your network using WSD to connect as opposed to static IP address assignments to printers. This wouldn't impact enterprise/corporation/smb users because they use print servers, shared printers and static assigned printers. So the workaround for that known issue (in home use) is to static your printers.
 

Der.Reisende

Have you configured any custom ports on Freedome?
Not possible, the VPN client is made as easy as possible. It's just install and forget.
[Screenshot: VPN_settings.PNG]

I will take a look when I get some time today. In the meantime try this workaround - re-install FortiClient, but this time install the VPN aspect of it. That will, by default, unblock common IPSEC/SSL VPN ports in the anti-botnet during the installation process, because it auto-adds exclusions for those ports so the FortiClient VPN will work; in the process it should also unblock those ports for other VPNs. Then you can go into your network adapter section and disable the FortiClient virtual adapter. If that works, let me know and I will report the bug. If it doesn't work, allow me a day to look into it.
Thank you, don't hurry :)
Reinstall done, did install everything offered.
Virtual network adapters for FortiClient have been deactivated.
[Screenshot: VPN.PNG]
F-Secure VPN does connect once FortiClient is closed (via right-click on its tray icon and "Shut down FortiClient").
Before, it is stuck trying to connect.
You can see the 2 ports F-Secure is using in above screenshot.

Another question:
The sandbox feature cannot be used as "home user" having downloaded the client only, right?
As soon as I tick "Enable FortiSandbox Detection & Analysis", the "OK" button gets greyed out.
[Screenshot: Sandbox.PNG]
I've ticked the option to install the sandbox component in the installer.
 

ForgottenSeer 58943

Not possible, the VPN client is made as easy as possible. It's just install and forget.


Thank you, don't hurry :)
Reinstall done, did install everything offered.
Virtual network adapters for FortiClient have been deactivated.
F-Secure VPN does connect once FortiClient is closed (via right-click on its tray icon and "Shut down FortiClient").
Before, it is stuck trying to connect.
You can see the 2 ports F-Secure is using in above screenshot.

Another question:
The sandbox feature cannot be used as "home user" having downloaded the client only, right?
As soon as I tick "Enable FortiSandbox Detection & Analysis", the "OK" button gets greyed out.
I've ticked the option to install the sandbox component in the installer.

FortiSandbox enabled will do nothing unless you have a FortiSandbox Appliance (virtualized or otherwise) on your local network. The box below the checkbox is where you input the local IP address of the FortiSandbox Appliance (e.g. 192.168.1.2 or whatever). So checking the box won't do anything for you. Unfortunately the Sandbox is reserved for those that have licensed the sandbox or purchased the sandbox hardware. This is unfortunate as it is incredibly powerful, but it's a limitation of the client requiring an on-prem (or virtual) appliance to function.
 

ForgottenSeer 58943

Not possible, the VPN client is made as easy as possible. It's just install and forget.


Thank you, don't hurry :)
Reinstall done, did install everything offered.
Virtual network adapters for FortiClient have been deactivated.
F-Secure VPN does connect once FortiClient is closed (via right-click on its tray icon and "Shut down FortiClient").
Before, it is stuck trying to connect.
You can see the 2 ports F-Secure is using in above screenshot.

Another question:
The sandbox feature cannot be used as "home user" having downloaded the client only, right?
As soon as I tick "Enable FortiSandbox Detection & Analysis", the "OK" button gets greyed out.
I've ticked the option to install the sandbox component in the installer.

It is unfortunate you can't change Freedome to not use the scratch ports it is using. Is there an INI or CFG file you can change to do this? This is why I like VPNs that allow you to alter these things; it also makes them more flexible and you can use them in constrained environments (such as by using port 53 on the VPN, or TCP over 443 to mask it).

I've sent a report in to TAC about this, but it's possible it won't be considered a bug because in a commercial/corporate environment nobody would be expected to be using Freedome (which uses scratch ports). I'll do what I can.
 

Der.Reisende

FortiSandbox enabled will do nothing unless you have a FortiSandbox Appliance (virtualized or otherwise) on your local network. The box below the checkbox is where you input the local IP address of the FortiSandbox Appliance (e.g. 192.168.1.2 or whatever). So checking the box won't do anything for you. Unfortunately the Sandbox is reserved for those that have licensed the sandbox or purchased the sandbox hardware. This is unfortunate as it is incredibly powerful, but it's a limitation of the client requiring an on-prem (or virtual) appliance to function.
Thank you for the detailed info!
It would indeed be great to use the sandbox, just read a bit on it!
I can understand they do not give it away for free ;)

It is unfortunate you can't change Freedome to not use the scratch ports it is using. Is there an INI or CFG file you can change to do this? This is why I like VPNs that allow you to alter these things; it also makes them more flexible and you can use them in constrained environments (such as by using port 53 on the VPN, or TCP over 443 to mask it).

I've sent a report in to TAC about this, but it's possible it won't be considered a bug because in a commercial/corporate environment nobody would be expected to be using Freedome (which uses scratch ports). I'll do what I can.
I will dig into that!
If not, I found a workaround:
The option to monitor and block malicious traffic can be turned on once the VPN is active, without hindering the VPN to work.

Thank you very much for bringing up the "issue" to the developers or whoever is in charge!
I don’t mind if they don’t see it as a bug!
Just a curious user getting in touch with an endpoint solution these days ;)
 
