aardav
New Member
June 18, 2015
Question

How to Disable FortiClient Real Time Protection with Registry Key?


We are trying to roll out some updates with ZenWorks but we are not able to with FortiClient enabled. Is there a way to disable real time protection with a registry key or through a command line?

Thanks,

aardav

    5 replies

    Chris_Lin_FTNT
    Staff
    July 3, 2015

    registry key shall be FA_FMON\enabled=0

    Zeihold_von_SSL
    New Member
    September 10, 2015

    We have the exact same situation. We want to disable the realtime protection for a short period of time (a software rollout).

    Our FortiClients are centrally managed via our FortiGate. Sadly we are unable (even with the following command) to change the reg key value.

    psexec -s reg add "HKLM\SOFTWARE\Wow6432Node\Fortinet\FortiClient\FA_FMON" /v enabled /d 0 /f

    Is there a command line prompt to tell the FortiClient to disable the realtime protection?

    GusTech
    New Member
    September 10, 2015

    Is there a command line prompt to tell the FortiClient to disable the realtime protection?

    I have no FortiClient with me now that I can check.

    However, if AV is running as a service, you can stop the service.

    Net stop servicename
    Net start servicename

    You can do this through psexec

    Zeihold_von_SSL
    New Member
    September 10, 2015

    Sorry, but that is also not possible.

    The "FortiClient Service Scheduler" (Service Name = FA_Scheduler) is as well "protected" as the reg keys are.

    I also can't kill the fmon process because a new fmon process spawns instantly.

    Fortinet does a hell of a job to guard a running FortiClient to prevent disabling the whole client or at least some of its features.

    Normally I would say: Hey, that's good, because it shouldn't be disabled. But as we can see, there are reasons to temporarily disable some/all features.

    Chris_Lin_FTNT
    Staff
    September 10, 2015

    How about a regular FortiClient config restore?

    You create a partial config that disables real-time protection, then restore it in an administrative command line. Try fcconfig --help for the detailed format.