Skip to main content
wallaceee
wallaceee
New Member
July 28, 2023
Question

AntiVirus protection exclusions not effective

  • July 28, 2023
  • 7 replies
  • 3307 views

Hello, we are implementing DLP agents to Windows workstations in our company and as per initial configuration we need to exclude some processes, DLP directories and registry paths. We did this as per instructions from DLP provider. It's done per EMS and when we are checking for processes available per DLP directories we can still see fmon.exe and fcappdb.exe scanning the files. The DLP is reporting health issues on regular basis and definitely something is wrong. I believe it's also impacting the performance of the endpoint as users are reporting that machines became laggy. DLP support is also pointing out that we need to get rid of AV scanning effectively. So my question is why exclusions we did are not effective? It's really straightforward, we just put C:\Program Files\DLP_Software_Name, C:\ProgramData\DLP_Software_Name and this should solve the case, however you can see that AV process is still scanning files inside the directories 

 

procmon.jpg

7 replies

Jean-Philippe_P
Staff & Editor
Jean-Philippe_P
Staff & Editor
July 31, 2023

Hello wallaceee, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
Jean-Philippe_P
Staff & Editor
August 2, 2023

Hello,

 

We are still looking for an answer to your question.

 

We will come back to you ASAP.

 

 

Thanks,

Jean-Philippe - Fortinet Community Team
wallaceee
wallaceeeAuthor
New Member
August 2, 2023

Any luck?

dfernandes
Staff
dfernandes
Staff
August 3, 2023

Hello,

 

Verifying in lab, possible to confirm EMS, FortiClient versions, if any case was opened and logs available to be analyzed?

 

Regards,

wallaceee
wallaceeeAuthor
New Member
August 3, 2023

FortiClient ver 7.0.9.0493, ESM v.7.0.8 build 0484. Case opened here but not much inside: 8589988

We are observing for last two days how endpoints behave without the Forti AV protection on and so far there are no errors from DLP agents. This may indicates that AV from Forti is influencing the DLP processes. What log can we provide? 

narutokaya
narutokaya
New Member
August 3, 2023

Is there maybe a dependent/child process that is resulting in the throttling from real time protection?

I would use process monitor to capture and walk exclusions back from everything working under the process you’re monitoring the network activity out of.

dfernandes
Staff
dfernandes
Staff
August 3, 2023

FortiClient Debug logs configured before running scan and collected afterwards maybe useful, this reference can be followed FCT side:

https://community.fortinet.com/t5/FortiClient/Technical-Tip-How-to-generate-and-export-Debug-logs-from-various/ta-p/265965

 

Also to note that fcappdb.exe process can also be associated with App Firewall activity, reference:
https://docs.fortinet.com/document/forticlient/7.0.9/administration-guide/209271

fcappdb.exe

FortiClient Application Database Service

Network Access Control (NAC) and Antivirus

 

Terms & ConditionsAccessibility statement