Video FortiClient- An issue to be resolved

Slyguy

Level 37
Verified
Joined
Jan 27, 2017
Messages
2,640
OS
Other OS
#21
Sly- The advanced features are part of the Endpoint product, with the Advanced Threat protection working through FortiSandbox.

So the free FortiClient product is indeed just a traditional AV product.
This is incorrect. As of 5.6.1 the free version now includes Anti-Botnet, Dynamic Threat Detection and an Anti-Exploit module. Observe this screenshot, showing a non-FortiGate-linked free FortiClient with those modules available as checkboxes. For some reason your test had all of these disabled. I will check the default installer script; it is an oversight if they default to disabled. But you can easily enable them (and everyone should).



Also, I would like to provide you with a customized INI file to run your tests on. There are quite a number of advanced features I can enable in the INI. You'd just have to click a button to load my INI into your test client. With all of the modules properly enabled, and a test INI I have, I think the results might be surprising.
 

Slyguy

#22
Some INI changes I recommend - very safe, well-tested changes. FortiClient by default 'assumes' it's being installed on the lowest-common-denominator PC, a dual core with 2 GB of RAM, and configures itself on that assumption. With that in mind, you can test the following below and compare it with your own conf.

<use_extreme_db>1</use_extreme_db>
--this setting enables zoo signatures. The entire Fortinet virus/trojan/rootkit/ransomware database. Old, Not so old and brand new.

<heuristic_scanning>
<level>1</level>
</heuristic_scanning>
--this setting enables heuristics for the realtime engine. It defaults to OFF (0). The levels are: 0-Off, 1-Low, 2-Medium, 3-High. Depending on PC horsepower you can increase it as you desire; false positives become more likely as you increase the number, but detection is 'significantly' improved in the process.

Here are the relevant snippets from the INI. Once again, these settings are completely safe to tweak. I would avoid tweaking the threading, GPU use and other settings, as you could potentially cause issues without knowing their full purpose and parameters.

<real_time_protection>
  <enabled>1</enabled>
  <!-- 1 = load the full ("zoo") signature database, as recommended above -->
  <use_extreme_db>1</use_extreme_db>
  <when>0</when>
  <ignore_system_when>2</ignore_system_when>
  <on_virus_found>5</on_virus_found>
  <popup_alerts>1</popup_alerts>
  <popup_registry_alerts>0</popup_registry_alerts>
  <bypass_java>0</bypass_java>
  <cloud_based_detection>
    <on_virus_found>4</on_virus_found>
  </cloud_based_detection>
  <sandboxing>
    <use_sandbox_signatures>1</use_sandbox_signatures>
  </sandboxing>
  <compressed_files>
    <scan>1</scan>
    <maxsize>10</maxsize>
  </compressed_files>
  <riskware>
    <enabled>1</enabled>
  </riskware>
  <adware>
    <enabled>1</enabled>
  </adware>
  <heuristic_scanning>
    <!-- 0 = off (default), 1 = low, 2 = medium, 3 = high -->
    <level>1</level>
    <action>3</action>
  </heuristic_scanning>
  <scan_file_types>
    <all_files>0</all_files>
    <file_types>
      <extensions>.386,.ACE,.ACM,.ACV,.ACX,.ADT,.APP,.ASD,.ASP,.ASX,.AVB,.AX,.AX2,.BAT,.BIN,.BTM,.CDR,.CFM,.CHM,.CLA,.CLASS,.CMD,.CNN,.COM,.CPL,.CPT,.CPY,.CSC,.CSH,.CSS,.DEV,.DLL,.DOC,.DOT,.DRV,.DVB,.DWG,.EML,.EXE,.FON,.GMS,.GVB,.HLP,.HTA,.HTM,.HTML,.HTT,.HTW,.HTX,.HXS,.INF,.INI,.JPG,.JS,.JTD,.KSE,.LGP,.LIB,.LNK,.MDB,.MHT,.MHTM,.MHTML,.MOD,.MPD,.MPP,.MPT,.MRC,.OCX,.PIF,.PL,.PLG,.PM,.PNF,.PNP,.POT,.PPA,.PPS,.PPT,.PRC,.PWZ,.QLB,.QPW,.REG,.RTF,.SBF,.SCR,.SCT,.SH,.SHB,.SHS,.SHT,.SHTML,.SHW,.SIS,.SMM,.SWF,.SYS,.TD0,.TLB,.TSK,.TSP,.TT6,.VBA,.VBE,.VBS,.VBX,.VOM,.VSD,.VSS,.VST,.VWP,.VXD,.VXE,.WBK,.WBT,.WIZ,.WK,.WML,.WPC,.WPD,.WSC,.WSF,.WSH,.XLS,.XML,.XTP</extensions>
      <include_files_with_no_extension>0</include_files_with_no_extension>
    </file_types>
  </scan_file_types>
  <exclusions>
    <file />
    <folder />
    <file_types>
      <extensions>.zip,.gzip,.msc,.rar,.tar,.tgz,.lzh,.CAB,.BZIP2,.7Z,.BZIP,.ARJ</extensions>
    </file_types>
  </exclusions>
</real_time_protection>
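The post above recommends two INI values (use_extreme_db and heuristic_scanning/level) and describes the defaults they override. As an added example that is not part of the post and not Fortinet tooling, the script below audits a <real_time_protection> fragment for those two settings and writes a tuned copy. Element names and values are taken from the posted fragment; the "default" sample is constructed to mimic the off-by-default state the post describes, not a captured FortiClient file, and the check set is limited to what the post actually explains.

```python
"""Audit and tune a FortiClient <real_time_protection> INI fragment.

Added example, not part of the forum post and not Fortinet tooling.
Element names and values come from the fragment posted above; the
"weak" sample below is constructed to mimic the defaults the post
describes (extreme DB off, heuristics off) and is not a captured file.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the posted block trimmed to the settings audited
# here, with the two values the post says default to "off".
DEFAULT_FRAGMENT = """\
<real_time_protection>
  <enabled>1</enabled>
  <use_extreme_db>0</use_extreme_db>
  <cloud_based_detection>
    <on_virus_found>4</on_virus_found>
  </cloud_based_detection>
  <heuristic_scanning>
    <level>0</level>
    <action>3</action>
  </heuristic_scanning>
  <compressed_files>
    <scan>1</scan>
    <maxsize>10</maxsize>
  </compressed_files>
</real_time_protection>
"""


def _text(root, path):
    """Return the stripped text of the element at `path`, or None if absent."""
    node = root.find(path)
    if node is None or node.text is None:
        return None
    return node.text.strip()


def audit(xml_text):
    """Map each weak setting found to a short explanation.

    Only the settings the post explains are checked; an empty dict means
    the fragment already matches the recommended tuning.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "real_time_protection":
        raise ValueError("expected a <real_time_protection> fragment")
    findings = {}
    if _text(root, "enabled") != "1":
        findings["enabled"] = "real-time protection is switched off"
    if _text(root, "use_extreme_db") != "1":
        findings["use_extreme_db"] = "full ('zoo') signature database not loaded"
    level = _text(root, "heuristic_scanning/level")
    if level is None or not level.isdigit() or int(level) < 1:
        findings["heuristic_level"] = "heuristics off for the realtime engine"
    if root.find("cloud_based_detection") is None:
        findings["cloud_based_detection"] = "cloud lookup block missing"
    return findings


def apply_tuning(xml_text, heuristic_level=1):
    """Return the fragment with the recommended values set.

    heuristic_level follows the scale in the post: 1 low, 2 medium, 3 high.
    Level 0 is refused because it turns heuristics back off.
    """
    if heuristic_level not in (1, 2, 3):
        raise ValueError("heuristic level must be 1, 2 or 3")
    root = ET.fromstring(xml_text)

    def set_leaf(path, value):
        # Walk (and create if needed) the path, then set the leaf text.
        parent = root
        *branches, leaf_name = path.split("/")
        for name in branches:
            child = parent.find(name)
            if child is None:
                child = ET.SubElement(parent, name)
            parent = child
        leaf = parent.find(leaf_name)
        if leaf is None:
            leaf = ET.SubElement(parent, leaf_name)
        leaf.text = value

    set_leaf("enabled", "1")
    set_leaf("use_extreme_db", "1")
    set_leaf("heuristic_scanning/level", str(heuristic_level))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for key, why in audit(DEFAULT_FRAGMENT).items():
        print(f"weak: {key}: {why}")
    print(apply_tuning(DEFAULT_FRAGMENT, heuristic_level=2))
```

Run it against the <real_time_protection> block of your own exported INI to see which of the two recommended values you are missing before loading a tuned file; higher heuristic levels trade more false positives for detection, exactly as the post describes, so the function refuses 0 rather than silently turning heuristics off.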
 

Der.Reisende

Level 36
Content Creator
AV-Tester
Verified
Joined
Dec 27, 2014
Messages
2,512
OS
Windows 10
Antivirus
Tencent
#23
Sorry for hijacking the thread.

@Slyguy
As Fortinet Engineer, you maybe can help me:

With the option to "Block all known communication channels used by attackers", my F-Secure FreeDome VPN cannot connect.
Is there a workaround?
I already tried to whitelist the complete F-Secure folder, but that did not help.
Also whitelisted Freedome.exe and openvpn.exe.
[screenshots: Unbenannt.PNG, Unbenannt2.PNG]
 

Slyguy

#24
Have you configured any custom ports on Freedome?

Generally, IPsec uses 500 for ISAKMP (IKE auth) and 4500 for ESP UDP encapsulation, so those shouldn't be blocked on FortiClient, because FortiClient itself uses those for its own VPN back to a FortiGate. Unless there is a non-standard or trojan-esque port Freedome is using? The anti-bot is pretty aggressive in its blocking of common botnet ports/protocols, so anything off the standard would be vehemently blocked.

I will take a look when I get some time today. In the meantime try this workaround - re-install FortiClient, but this time install the VPN aspect of it. That will by default unblock common IPsec/SSL VPN ports in the anti-botnet during the installation process, because it auto-adds exclusions for those ports so the FortiClient VPN will work; in the process it should also unblock those ports for other VPNs. Then you can go into your network adapter section and disable the FortiClient virtual adapter. If that works let me know and I will report the bug. If it doesn't work, allow me a day to look into it.

There is an assumption that in a corporate/smb/enterprise environment you won't want your users installing VPN's and bypassing the local network security and validations. A logical assumption in a business deployment which is what this is actually designed for.

Also, there is a known bug (sort of bug for home users) with the web filtration on FortiClient where it can 'sometimes' block printers on your network using WSD to connect as opposed to static IP address assignments to printers. This wouldn't impact enterprise/corporation/smb users because they use print servers, shared printers and static assigned printers. So the workaround for that known issue (in home use) is to static your printers.
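The reply above explains why the anti-botnet module passes IPsec traffic (UDP 500 and 4500 are the ports FortiClient's own VPN needs) while a client on non-standard ports gets blocked. As an added example that is not part of the thread and not FortiClient's own logic, the script below takes Windows `netstat -ano`-style output and lists the remote ports a given process uses outside that standard set, which is what you would want to know before adding an exclusion. The netstat text is constructed, the standard set is the one named in the reply plus TCP 443 for SSL VPN, and the sample ports are placeholders: Freedome's real ports appear only in the screenshot and are not stated in the thread.

```python
"""List the remote ports a given process uses that are not standard VPN ports.

Added example, not part of the thread and not FortiClient's own logic. The
standard set is the one the reply above names for IPsec (UDP 500 ISAKMP,
UDP 4500 NAT-T) plus TCP 443 for SSL VPN; the netstat text is constructed
in the shape of Windows `netstat -ano` output and is not a capture of
Freedome, whose actual ports the thread never states.
"""

STANDARD_VPN_PORTS = {("UDP", 500), ("UDP", 4500), ("TCP", 443)}

# Constructed sample: PID 4120 stands in for a VPN client; 2200 is a browser.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     4120
  UDP    192.168.1.20:55000     *:*                                    4120
  UDP    192.168.1.20:61020     203.0.113.10:4500                      4120
  TCP    192.168.1.20:49800     203.0.113.20:5231      SYN_SENT        4120
  UDP    192.168.1.20:49801     203.0.113.20:5232                      4120
  TCP    [fe80::1%12]:49950     [2001:db8::9]:443      ESTABLISHED     4120
  TCP    192.168.1.20:49900     198.51.100.5:443       ESTABLISHED     2200
"""


def parse_netstat(text):
    """Yield (proto, remote_port, pid) for every TCP/UDP line with a remote peer.

    Unbound UDP sockets show '*:*' and are skipped, as are the header line
    and anything whose port or PID field is not numeric.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, foreign, pid = parts[0], parts[2], parts[-1]
        _host, _, port = foreign.rpartition(":")  # works for [v6]:port too
        if not port.isdigit() or not pid.isdigit():
            continue
        yield proto, int(port), int(pid)


def nonstandard_ports(text, pid):
    """Return sorted (proto, port) pairs for `pid` outside STANDARD_VPN_PORTS.

    These are the "scratch ports" a port-based anti-botnet filter is most
    likely to block, and therefore the candidates for an exclusion.
    """
    found = {
        (proto, port)
        for proto, port, p in parse_netstat(text)
        if p == pid and (proto, port) not in STANDARD_VPN_PORTS
    }
    return sorted(found)


if __name__ == "__main__":
    for proto, port in nonstandard_ports(SAMPLE_NETSTAT, 4120):
        print(f"{proto} {port}")
```

On a real machine, capture `netstat -ano` while the VPN client is stuck connecting, find its PID in Task Manager, and feed both to nonstandard_ports; the pairs it returns are the ones to compare against the anti-botnet log before deciding whether an exclusion is justified.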
 

Der.Reisende

#25
Have you configured any custom ports on Freedome?
Not possible, the VPN client is made as easy as possible. It's just install and forget.
[screenshot: VPN_settings.PNG]

I will take a look when I get some time today. In the meantime try this workaround - re-install Forticlient but this time install the VPN aspect of it. That will by default, unblock common IPSEC/SSL VPN ports in the anti-botnet during the installation process because it auto-adds exclusions for those ports so the FortiClient VPN will work, in the process of that it should also unblock those ports for other VPN's. Then you can go into your network adapter section and disable the FortiClient virtual adapter. If that works let me know and I will report the bug. If it doesn't work, allow me a day to look into it.
Thank you, don't hurry :)
Reinstall done, did install everything offered.
Virtual network adapters for FortiClient have been deactivated.
[screenshot: VPN.PNG]
F-Secure VPN does connect once FortiClient is closed (via right-click on its tray icon and "Shut down FortiClient").
Before, it is stuck trying to connect.
You can see the 2 ports F-Secure is using in above screenshot.

Another question:
The sandbox feature cannot be used as "home user" having downloaded the client only, right?
As soon as I tick "Enable FortiSandbox Detection & Analysis", the "OK" button gets greyed out.
[screenshot: Sandbox.PNG]
I've ticked the option to install the sandbox component in the installer.
 

Slyguy

#26
FortiSandbox enabled will do nothing unless you have a FortiSandbox appliance (virtualized or otherwise) on your local network. The box below the checkbox is where you input the local IP address of the FortiSandbox appliance (e.g. 192.168.1.2 or whatever). So checking the box won't do anything for you. Unfortunately the sandbox is reserved for those that have licensed the sandbox or purchased the sandbox hardware. This is unfortunate, as it is incredibly powerful, but it's a limitation of the client requiring an on-prem (or virtual) appliance to function.
 

Slyguy

#27
It is unfortunate you can't change Freedome to not use the scratch ports it is using. Is there an INI or CFG file you can change to do this? This is why I like VPNs that allow you to alter these things; it also makes them more flexible and you can use them in constrained environments (such as by using port 53 on the VPN, or TCP over 443 to mask it).

I've sent a report in to TAC about this, but it's possible it won't be considered a bug, because in a commercial/corporate environment nobody would be expected to be using Freedome (which uses scratch ports). I'll do what I can.
 

Der.Reisende

#28
FortiSandbox enabled will do nothing unless you have a FortiSandbox Appliance (virtualized or otherwise) on your local network. The box below the checkbox is where you input the local IP address of the FortiSandbox Appliance (eg. 192.168.1.2 or whatever). So checking the box won't do anything for you. Unfortunately the Sandbox is reserved for those that have licensed the sandbox or purchased the sandbox hardware. This is unfortunate as it is incredibly powerful, but its a limitation of the client requiring an on-prem device(or virtual) appliance to function.
Thank you for the detailed info!
It would indeed be great to use the sandbox, just read a bit on it!
I can understand they do not give it away for free ;)

It is unfortunate you can't change Freedome to not use the scratch ports it is using. Is there an INI or CFG file you can change to do this? This is why I like VPN's that allow you to alter these things, it also makes them more flexible and you can use them in constrained environments (such as by using Port 53 on the VPN, or TCP over 443 to mask it).

I've sent a report in to TAC about this, but it's possible it won't be considered a bug because in an commercial/corporate environment nobody would be expected to be using Freedome. (which uses scratch ports) I'll do what I can.
I will dig into that!
If not, I found a workaround:
The option to monitor and block malicious traffic can be turned on once the VPN is active, without hindering the VPN to work.

Thank you very much for bringing up the "issue" to the developers or whoever is in charge!
I don’t mind if they don’t see it as a bug!
Just a curious user getting in touch with an endpoint solution these days ;)