joack007
New Member
September 26, 2024
Solved

Forticlient Installer seen as 'Trojan:Win32/SuspServiceBin.A!cl' by Windows Defender

  • September 26, 2024
  • 5 replies
  • 4818 views

Hello all,

Last night the FortiClient 7.0.1 update was pushed via EMS, and now inside Defender we are seeing multiple endpoints reporting:

Defender detected and terminated active 'Trojan:Win32/SuspServiceBin.A!cl' in process 'FortiClientSetup_7.0.1_x64.exe'

 

It is also saying that:

FortiClientSetup_7.0.1_x64.exe - 'SuspServiceBin' malware was detected and was active

 

I know I can whitelist what I need to in Defender, but I want to know if anyone else has come across this/seen this, to get a better understanding as to why this would be.

 

5 replies

Anthony_E
Staff
September 30, 2024

Hello joack,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
Anthony_E
Staff
October 3, 2024

Hello joack,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Best Regards
Anthony_E
Staff
October 7, 2024

Hi @Umer221, @Marcos_Hernandez,

 

As FortiClient experts, do you maybe have an idea?

 

Thanks a lot in advance.

 

Regards,

Best Regards
Umer221
Staff
Best answer
October 7, 2024

Hello @joack007 

One of the most common causes is a false positive, where antivirus software like Windows Defender mistakenly flags legitimate programs as malware. As long as FortiClient is downloaded from trusted sources, this could likely be the reason, as antivirus software sometimes overreacts to normal behavior in an executable file.

 

Another possibility is that FortiClient might not yet be recognized by Microsoft's database of safe software, or it depends on your custom settings for Windows Defender to strictly detect executable files based on their behavior, since FortiClient has features that could flag it as a Trojan or malware. As a result, Windows Defender may flag FortiClient to err on the side of caution.

 

You can consider whitelisting the installer in Windows Defender, but only if you downloaded the file from a legitimate source, as mentioned in the following article:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-download-different-or-old-versions-of/ta-p/285874


Additionally, you can submit the file to Microsoft for review if you believe it is a false positive, allowing them to reclassify the software appropriately. You can submit the file at the following link:
https://www.microsoft.com/en-us/wdsi/filesubmission

 

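As an added example for this thread (not code from the original posts, from Fortinet or from Microsoft), the PowerShell below does the checks a practitioner would want before taking the "whitelist it" route that the question and the answer above discuss: confirm that the file Defender flagged is the genuine, signed installer with the published hash, pull the actual detection records for it, and only then add a narrow path-scoped exclusion. The installer path, the expected SHA-256 value and the signer substring 'Fortinet' are assumptions to be filled in from your own deployment and from the vendor's download page.

```powershell
# Added example (not code from the thread, Fortinet or Microsoft).
# Run in an elevated PowerShell on an affected endpoint.
# Assumptions, to be replaced with real values: $installer is where the
# EMS-pushed installer landed; $expectedSha256 is the SHA-256 published for
# the build on the vendor's download page; 'Fortinet' is the expected signer.

function Test-InstallerProvenance {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [string] $ExpectedSignerPattern = 'Fortinet'   # assumption: substring expected in the signer subject
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Installer not found: $Path" }

    # Authenticode: only exclude a file whose signature is valid AND whose
    # signer is the vendor you expect (a valid signature by anyone is not enough).
    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $signerOk = ($sig.Status -eq 'Valid') -and ($signer -like "*$ExpectedSignerPattern*")

    # Defender exclusions are by path or process name, not by hash, so pin the
    # content you are about to exclude against the published hash first.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = ($actual -eq $ExpectedSha256.ToUpperInvariant())

    [pscustomobject]@{
        Path      = $Path
        SigStatus = $sig.Status
        Signer    = $signer
        SignerOk  = $signerOk
        Sha256    = $actual
        HashOk    = $hashOk
        Trusted   = ($signerOk -and $hashOk)
    }
}

function Get-DefenderDetectionsForFile {
    param([Parameter(Mandatory)] [string] $Path)
    $name = [regex]::Escape([IO.Path]::GetFileName($Path))
    # Resources holds strings such as "file:_C:\...\FortiClientSetup_7.0.1_x64.exe".
    Get-MpThreatDetection |
        Where-Object { ($_.Resources -join ';') -match $name } |
        ForEach-Object {
            $t = Get-MpThreat -ThreatID $_.ThreatID
            [pscustomobject]@{
                Detected   = $_.InitialDetectionTime
                ThreatName = $t.ThreatName      # e.g. Trojan:Win32/SuspServiceBin.A!cl
                Process    = $_.ProcessName
                Resources  = ($_.Resources -join '; ')
            }
        }
}

# The same detections from the Defender event log (1116 = malware detected,
# 1117 = action taken); handy when correlating many endpoints in a SIEM.
function Get-DefenderDetectionEvents {
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# --- Usage (values below are placeholders, not real data) ---
$installer      = 'C:\Temp\FortiClientSetup_7.0.1_x64.exe'   # assumption: where EMS staged the installer
$expectedSha256 = 'PUT-THE-VENDOR-PUBLISHED-SHA256-HERE'      # assumption: from the vendor's download page

Get-DefenderDetectionsForFile -Path $installer | Format-Table -AutoSize
Get-DefenderDetectionEvents -Hours 48 | Format-Table -AutoSize

$check = Test-InstallerProvenance -Path $installer -ExpectedSha256 $expectedSha256
$check | Format-List

if ($check.Trusted) {
    # Narrow, path-scoped exclusion; remove it again once the rollout is done.
    Add-MpPreference -ExclusionPath $installer
    # Remove-MpPreference -ExclusionPath $installer
} else {
    Write-Warning "Not excluding ${installer}: signer/hash check failed. Quarantine it and investigate instead."
}
```

Two caveats worth keeping in mind when using this. A path exclusion covers whatever later lands at that path, not just this build, so keep it as specific as possible and remove it after the rollout rather than leaving a permanent hole in the endpoint where the installer lives. And if the signature or hash check fails on an endpoint, that file is not the false-positive case the answer describes; treat the detection as real, keep the quarantine, and use the Microsoft submission link above only for the copy you have verified.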
Anthony_E
Staff
October 8, 2024

Thanks a lot Umer!!

Best Regards