Video Review FortiClient- An issue to be resolved

Discussion in 'Video Reviews' started by cruelsister, Dec 16, 2017.

  1. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,094
    4,388
    Fortinet Engineer
    USA
    Other OS
    #21 Slyguy, Dec 18, 2017
    Last edited: Dec 18, 2017
    This is incorrect. As of 5.6.1 the free version now includes the Anti-Botnet, Dynamic Threat Detection and Anti-Exploit modules. Observe this screenshot, showing a non-FortiGate-linked free FortiClient with those modules available as checkboxes. For some reason your test had all of these disabled; I will check the default installer script, as this is an oversight if they default to disabled. But you can easily enable them (and everyone should).

    [IMG]

    Also, I would like to provide you with a customized INI file to run your tests on. There are quite a number of advanced features I can enable in the INI. You'd just have to click a button to load my INI into your test client. With all of the modules properly enabled, and a test INI I have, I think the results might be surprising.
     
  2. Slyguy

    Some INI changes I recommend: very safe, well-tested changes. FortiClient by default 'assumes' it's being installed on the lowest-common-denominator PC, a dual core with 2 GB of RAM, and configures itself with that assumption. With that in mind, you can test the following below and compare it with your own conf.

    <use_extreme_db>1</use_extreme_db>
    --this setting enables zoo signatures: the entire Fortinet virus/trojan/rootkit/ransomware database. Old, not so old and brand new.

    <heuristic_scanning>
    <level>1</level>
    </heuristic_scanning>
    --this setting enables heuristics for the realtime engine. It defaults to OFF (0). The levels are: 0 = Off, 1 = Low, 2 = Medium, 3 = High. Depending on PC horsepower you can increase it as you desire; false positives become more likely as you increase the number, but detection is 'significantly' improved in the process.

    Here are the relevant snippets from the INI. Once again, these settings are completely safe to tweak. I would avoid tweaking the threading, GPU use and other settings, as you could potentially cause issues without knowing their full purpose and parameters.

    <real_time_protection>
      <enabled>1</enabled>
      <use_extreme_db>1</use_extreme_db>
      <when>0</when>
      <ignore_system_when>2</ignore_system_when>
      <on_virus_found>5</on_virus_found>
      <popup_alerts>1</popup_alerts>
      <popup_registry_alerts>0</popup_registry_alerts>
      <bypass_java>0</bypass_java>
      <cloud_based_detection>
        <on_virus_found>4</on_virus_found>
      </cloud_based_detection>
      <sandboxing>
        <use_sandbox_signatures>1</use_sandbox_signatures>
      </sandboxing>
      <compressed_files>
        <scan>1</scan>
        <maxsize>10</maxsize>
      </compressed_files>
      <riskware>
        <enabled>1</enabled>
      </riskware>
      <adware>
        <enabled>1</enabled>
      </adware>
      <heuristic_scanning>
        <level>1</level>
        <action>3</action>
      </heuristic_scanning>
      <scan_file_types>
        <all_files>0</all_files>
        <file_types>
          <extensions>.386,.ACE,.ACM,.ACV,.ACX,.ADT,.APP,.ASD,.ASP,.ASX,.AVB,.AX,.AX2,.BAT,.BIN,.BTM,.CDR,.CFM,.CHM,.CLA,.CLASS,.CMD,.CNN,.COM,.CPL,.CPT,.CPY,.CSC,.CSH,.CSS,.DEV,.DLL,.DOC,.DOT,.DRV,.DVB,.DWG,.EML,.EXE,.FON,.GMS,.GVB,.HLP,.HTA,.HTM,.HTML,.HTT,.HTW,.HTX,.HXS,.INF,.INI,.JPG,.JS,.JTD,.KSE,.LGP,.LIB,.LNK,.MDB,.MHT,.MHTM,.MHTML,.MOD,.MPD,.MPP,.MPT,.MRC,.OCX,.PIF,.PL,.PLG,.PM,.PNF,.PNP,.POT,.PPA,.PPS,.PPT,.PRC,.PWZ,.QLB,.QPW,.REG,.RTF,.SBF,.SCR,.SCT,.SH,.SHB,.SHS,.SHT,.SHTML,.SHW,.SIS,.SMM,.SWF,.SYS,.TD0,.TLB,.TSK,.TSP,.TT6,.VBA,.VBE,.VBS,.VBX,.VOM,.VSD,.VSS,.VST,.VWP,.VXD,.VXE,.WBK,.WBT,.WIZ,.WK,.WML,.WPC,.WPD,.WSC,.WSF,.WSH,.XLS,.XML,.XTP</extensions>
          <include_files_with_no_extension>0</include_files_with_no_extension>
        </file_types>
      </scan_file_types>
      <exclusions>
        <file />
        <folder />
        <file_types>
          <extensions>.zip,.gzip,.msc,.rar,.tar,.tgz,.lzh,.CAB,.BZIP2,.7Z,.BZIP,.ARJ</extensions>
        </file_types>
      </exclusions>
    </real_time_protection>
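A small checker for fragments like the one above, added here as an example (it is not Fortinet's code or the poster's own tooling): it parses a real_time_protection block and reports settings that fall below the values Slyguy recommends. The element names are taken from the snippet in the post; the sample fragment and the "recommended minimum" values are assumptions based on this post, not official defaults.

```python
"""Audit a FortiClient real_time_protection XML fragment against the post's recommendations."""
import xml.etree.ElementTree as ET

# Constructed sample mimicking what the post says a default install looks
# like (extreme DB off, heuristics off). Element names come from the
# poster's INI snippet; the values here are assumed, not official defaults.
DEFAULT_LIKE_CONFIG = """<real_time_protection>
  <enabled>1</enabled>
  <use_extreme_db>0</use_extreme_db>
  <cloud_based_detection><on_virus_found>4</on_virus_found></cloud_based_detection>
  <sandboxing><use_sandbox_signatures>1</use_sandbox_signatures></sandboxing>
  <riskware><enabled>1</enabled></riskware>
  <heuristic_scanning><level>0</level><action>3</action></heuristic_scanning>
</real_time_protection>"""

# Heuristic levels as described in the post: 0-Off, 1-Low, 2-Medium, 3-High.
HEURISTIC_LEVELS = {0: "Off", 1: "Low", 2: "Medium", 3: "High"}

# (path relative to the root element, minimum acceptable value, label);
# the minimums are the poster's recommendations, not Fortinet guidance.
CHECKS = [
    ("enabled", 1, "real-time protection"),
    ("use_extreme_db", 1, "extended ('zoo') signature database"),
    ("heuristic_scanning/level", 1, "real-time heuristics"),
    ("sandboxing/use_sandbox_signatures", 1, "sandbox-derived signatures"),
    ("riskware/enabled", 1, "riskware detection"),
]

def audit(xml_text):
    """Return (path, found, minimum, label) for each setting that is below
    the recommended minimum or missing from the fragment (found is None)."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, minimum, label in CHECKS:
        node = root.find(path)
        found = int(node.text) if node is not None and node.text else None
        if found is None or found < minimum:
            findings.append((path, found, minimum, label))
    return findings

def heuristic_level_name(xml_text):
    """Map heuristic_scanning/level to the Off/Low/Medium/High names from the post."""
    node = ET.fromstring(xml_text).find("heuristic_scanning/level")
    level = int(node.text) if node is not None and node.text else 0
    return HEURISTIC_LEVELS.get(level, "unknown")

if __name__ == "__main__":
    for path, found, minimum, label in audit(DEFAULT_LIKE_CONFIG):
        print(f"{path}: {label} is {found!r}, recommended >= {minimum}")
    print("heuristic level:", heuristic_level_name(DEFAULT_LIKE_CONFIG))
```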
     
  3. Der.Reisende

    Der.Reisende Level 32
    Trusted AV Tester

    Dec 27, 2014
    2,195
    23,460
    Tax Officer
    Germany
    Windows 10
    Norton
    Sorry for hijacking the thread.

    @Slyguy
    As a Fortinet engineer, maybe you can help me:

    With the option "Block all known communication channels used by attackers" enabled, my F-Secure Freedome VPN cannot connect.
    Is there a workaround?
    I already tried to whitelist the complete F-Secure folder, but that did not help.
    I also whitelisted Freedome.exe and openvpn.exe.
    Unbenannt.PNG Unbenannt2.PNG
     
  4. Slyguy

    Have you configured any custom ports on Freedome?

    Generally, IPsec uses 500 for ISAKMP (IKE auth) and 4500 for ESP UDP encapsulation, so those shouldn't be blocked on FortiClient, because FortiClient itself uses those for its own VPN back to a FortiGate. Unless there is a non-standard or trojan-esque port Freedome is using? The anti-bot is pretty aggressive in its blocking of common botnet ports/protocols, so anything off the standard would be vehemently blocked.

    I will take a look when I get some time today. In the meantime try this workaround: re-install FortiClient, but this time install the VPN component as well. That will, by default, unblock the common IPsec/SSL VPN ports in the anti-botnet module during the installation process, because it auto-adds exclusions for those ports so the FortiClient VPN will work; in the process it should also unblock those ports for other VPNs. Then you can go into your network adapter section and disable the FortiClient virtual adapter. If that works, let me know and I will report the bug. If it doesn't work, allow me a day to look into it.

    There is an assumption that in a corporate/SMB/enterprise environment you won't want your users installing VPNs and bypassing the local network security and validations. That is a logical assumption in a business deployment, which is what this is actually designed for.

    Also, there is a known bug (sort of a bug, for home users) with the web filtering on FortiClient, where it can 'sometimes' block printers on your network that use WSD to connect, as opposed to static IP address assignments. This wouldn't impact enterprise/corporation/SMB users, because they use print servers, shared printers and statically assigned printers. So the workaround for that known issue (in home use) is to give your printers static addresses.
     
  5. Der.Reisende

    #25 Der.Reisende, Dec 21, 2017
    Last edited: Dec 21, 2017
    Not possible; the VPN client is made as easy as possible. It's just install and forget.
    VPN_settings.PNG

    Thank you, don't hurry :)
    Reinstall done, did install everything offered.
    Virtual network adapters for FortiClient have been deactivated.
    VPN.PNG
    F-Secure VPN does connect once FortiClient is closed (via right-click on its tray icon and "Shut down FortiClient").
    Before that, it is stuck trying to connect.
    You can see the 2 ports F-Secure is using in the above screenshot.

    Another question:
    The sandbox feature cannot be used as "home user" having downloaded the client only, right?
    As soon as I tick "Enable FortiSandbox Detection & Analysis", the "OK" button gets greyed out.
    Sandbox.PNG
    I've ticked the option to install the sandbox component in the installer.
     
  6. Slyguy

    #26 Slyguy, Dec 21, 2017
    Last edited: Dec 21, 2017
    FortiSandbox enabled will do nothing unless you have a FortiSandbox appliance (virtualized or otherwise) on your local network. The box below the checkbox is where you input the local IP address of the FortiSandbox appliance (e.g. 192.168.1.2 or whatever). So checking the box won't do anything for you. Unfortunately the sandbox is reserved for those that have licensed the sandbox or purchased the sandbox hardware. This is unfortunate, as it is incredibly powerful, but it's a limitation of the client requiring an on-prem (or virtual) appliance to function.
     
  7. Slyguy

    It is unfortunate you can't change Freedome to not use the scratch ports it is using. Is there an INI or CFG file you can change to do this? This is why I like VPNs that allow you to alter these things; it also makes them more flexible, and you can use them in constrained environments (such as by using port 53 on the VPN, or TCP over 443 to mask it).

    I've sent a report in to TAC about this, but it's possible it won't be considered a bug, because in a commercial/corporate environment nobody would be expected to be using Freedome (which uses scratch ports). I'll do what I can.
     
  8. Der.Reisende

    Thank you for the detailed info!
    It would indeed be great to use the sandbox; I just read a bit on it!
    I can understand they do not give it away for free ;)

    I will dig into that!
    If not, I found a workaround:
    The option to monitor and block malicious traffic can be turned on once the VPN is active, without hindering the VPN from working.

    Thank you very much for bringing up the "issue" to the developers or whoever is in charge!
    I don’t mind if they don’t see it as a bug!
    Just a curious user getting in touch with an endpoint solution these days ;)
     