Slyguy

Level 41
Verified
I've verified, the current version of VS doesn't work properly with FortiClient UNLESS you (Exclude) various things in the FortiClient exploit protection.

For example, if FortiClient exploit protection for Chrome is on along with VoodooShield (default), then Chrome won't launch.
 

abdou17

Level 2
I've verified, the current version of VS doesn't work properly with FortiClient UNLESS you (Exclude) various things in the FortiClient exploit protection.

For example, if FortiClient exploit protection for Chrome is on along with VoodooShield (default), then Chrome won't launch.
Same problem here, what did you exclude?
 

Slyguy

Level 41
Verified
Exclude Chrome from FortiClient or VS?
Exclude Chrome from FortiClient Exploit Protection and VS stops complaining and Chrome goes back to working. I suspect there is some overlap in protection between FortiClient anti-exploit and VS. Since it 'crashes' Chrome without any error logs, doing anything else would require more digging. I switched to OSArmor because VS became problematic recently, but I may switch back to VS once things stabilize.
 

ZeroDay

Level 28
Verified
Malware Tester
I'd rather use Voodooshield alone than Forti unless I had a Forti appliance.
 

Slyguy

Level 41
Verified
I'd rather use Voodooshield alone than Forti unless I had a Forti appliance.
Why? FortiClient is a full protection suite with or without a FortiGate appliance. The appliance only adds a few specific features that likely won't be missed. You still get exploit protection, full antivirus, web filtering, advanced threat scanning, Anti-Botnet, Anti-CoinMiner, and now FortiSandbox APT threat signatures are loaded as of the 5.6.5x series with or without a sandbox appliance. Also they've implemented a VT cloud validation system as an adjunct opinion (in the CONF file under Cloud Scanner). What that means is the threat databases from the worldwide FortiSandbox indicators are added to a second-level signature database to spot new and emerging threats.

Unfortunately I had to remove VS from my systems due to stability and false positive issues. Replaced with OSArmor in the short term which seems to work fine with FortiClient now.
 

Slyguy

Level 41
Verified
@Slyguy

I reported your issue over to Dan. But it looks like he wasn't able to reproduce it.
VoodooShield v4 STABLE Thread
FortiClient Chrome extension? There is no such beast.

Let him know he didn't properly try to reproduce it because he failed to turn on exploit protection in FortiClient.

1) Install FortiClient.
2) Go to the AV tab, click the 'Gear' next to the virus scanner menu to the right.
3) Once in settings for the AV after client elevation, enable FortiClient Exploit Protection.
4) Hit OK twice. Let the exploit engine start up (5 seconds).
5) Now try to load Chrome, it crashes immediately.

I assume he just installed FortiClient, left it default, didn't find any issue and moved on. But by default, Exploit Protection WILL NOT be enabled in FortiClient. I've reproduced this bug 20 times in the last two weeks on 20 different systems.
 

Azure

Level 23
Verified
Content Creator
Okay, I reported your post over there.

Btw, would it be possible for you to register here so you can report any issue you find with VoodooShield?
VoodooShield
 

128BPM

Level 2
Why? FortiClient is a full protection suite with or without a FortiGate appliance. The appliance only adds a few specific features that likely won't be missed. You still get exploit protection, full antivirus, web filtering, advanced threat scanning, Anti-Botnet, Anti-CoinMiner, and now FortiSandbox APT threat signatures are loaded as of the 5.6.5x series with or without a sandbox appliance. Also they've implemented a VT cloud validation system as an adjunct opinion (in the CONF file under Cloud Scanner). What that means is the threat databases from the worldwide FortiSandbox indicators are added to a second-level signature database to spot new and emerging threats.

Unfortunately I had to remove VS from my systems due to stability and false positive issues. Replaced with OSArmor in the short term which seems to work fine with FortiClient now.
@Slyguy, does FortiClient upload suspicious files to the cloud without asking?
 

Slyguy

Level 41
Verified
@Slyguy, does FortiClient upload suspicious files to the cloud without asking?
Never. Also, all logging and analytics can be fully disabled with a checkbox, rendering the AV 100% private and silent other than the updates it pulls. It's one of the most private AVs out there by default, but IS the most private when you uncheck a couple of things. It's designed this way purposely, as it is used in facilities where egress of data simply must be kept to a minimum.

For example, FortiClient is the only AV I will use on my internal servers at home because I'm guaranteed a totally silent, 100% private security product to avoid exfiltration of data from servers with private information on them. I wouldn't trust any other AV on my servers for this reason.
 

Slyguy

Level 41
Verified
Does disabling these options affect the detection level in some way?

On the other hand, does FortiClient have some kind of heuristic engine?

Thanks.
It won't impact anything significantly, as the signatures are pulled down, including the FortiSandbox enhanced signatures for the APT if you have it checked. With everything off, it just downloads signatures every 2 hours or however you have it set in the CONF. Cloud-based tech is coming soon; it's already in the CONF but defaults to OFF. When it arrives officially, it will be a checkbox. Once again, Fortinet works with some critical facilities where telemetry/analytics aren't permitted, so it has to maintain this functionality.