Troubleshooting Tip: Vulnerability scan runs randomly despite the configured scheduled scan
| Description | This article describes a situation where the FortiClient/EMS vulnerability scan runs daily and randomly, even though the scheduled scan is set to run once a month. The article explains the possible causes of this issue and provides a step-by-step guide to resolving it. |
| Scope | FortiClient, FortiClient EMS, Vulnerability Scan. |
| Solution | After upgrading FortiClient EMS to version 7.4.5 GA, Vulnerability Scans may run daily and at random times. These scans are not related to the pre-configured options described in the article 'Troubleshooting Tip: Vulnerability scan runs daily despite the FortiClient EMS Schedule' on the Fortinet Community website.
Up until FortiClient EMS version 7.4.4 GA, Vulnerability scanning could be triggered under four different cases:
In the FortiClient XML configuration file, the aforementioned options are the following:
Starting from FortiClient EMS version 7.4.5 GA, there is a new feature called 'Trigger Vulnerability Scan', which can be configured under EMS GUI -> Endpoint Profiles -> System Settings -> Send Software Inventory. This feature is enabled by default.
With this feature, FortiClient EMS tries to detect new software installations based on the software inventory sent by FortiClient. If an endpoint's Software Inventory changes, FortiClient EMS forces a new Vulnerability Scan to run on that client. There is no FortiClient endpoint XML tag for this feature, since it is an EMS-controlled and EMS-triggered capability.
As a result, the Vulnerability Scan schedule is not respected.
The feature is a toggle option and can be disabled if it is not mandatory to run a Vulnerability Scan each time the FortiClient's Software Inventory changes.
Related document: |


