FortiClient
nshetty
Staff
Article Id 341082
Description

This article describes configuring FortiClient to detect, mitigate, and recover from Akira Ransomware.

Scope
  • Configuration of FortiClient Endpoint Management Server (EMS)
  • How endpoints will observe the detection
  • Recovery of files
  • Logs to check
Solution

On FortiClient Endpoint Management Server (EMS), enable Anti-Ransomware under Endpoint Profiles > Malware Protection, and also enable the “Enable File Backup” option.

1.png

More information on the FortiClient Endpoint Management Server (EMS) > Malware Protection feature can be found in the EMS Administration Guide.


Anti-Ransomware on Endpoints


FortiClient on the endpoints then receives this configuration. Once suspicious ransomware activity is detected, FortiClient shows a pop-up notification like the one below.

2.png

FortiClient allows the user to terminate the suspicious ransomware process. After the process is terminated, the user sees the notification below in the FortiClient tray.

3.png

The FortiClient GUI shows the total number of quarantined files and their details under the Malware Protection section, as shown below.

4.png

FortiClient quarantines all the files affected by the Akira ransomware attack and terminates the ransomware process. Clicking the number link shows the quarantined files.

5.png

FortiClient then recovers the affected files to their original state. The list of 'Recovered files' can be seen in the FortiClient GUI, as shown below.

6.png

Below, the recovered files can be seen in the file browser.

7.png

FortiClient log for Ransomware Event:


To get logs from FortiClient, go to FortiClient GUI -> Settings -> Export logs.

8.png

5/6/2024 5:44:06 PM     warning                antiransomware               date=2024-05-06 time=17:44:05 logver=1 id=98000 type=securityevent subtype=antiransomware eventtype=status level=warning uid=9638815F17974A38A1A9165059C658BF devid=FCT8001244636066 hostname=AV-TEST-WIN10X6 pcdomain=N/A deviceip=192.168.1.25 devicemac=02-00-45-99-04-45 site=default fctver=7.2.5.0993 fgtserial=N/A emsserial=FCTEMS8824090428 os="Microsoft Windows 10 Professional Edition, 64-bit (build 19045)" user=Admin msg="AntiRansomware has found a suspicious process" file=C:\Users\Admin\Desktop\1650201791.exe action=kill default_used=1 checksum=131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07 PID=1736
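The exported record above is a space-separated key=value log in which some values (for example os and msg) are quoted and contain spaces, and the file path contains backslashes. The following added example, which is not FortiClient or Fortinet code, parses such records and filters for antiransomware events where FortiClient killed a process, so the host, file path, SHA-256 checksum and PID can be pulled out of an exported log for incident tracking. The field names are taken from the record above; the first sample line is that record and the second is a constructed non-ransomware event used to show that it is ignored.

```python
import re
from typing import Dict, List

# Matches key=value tokens; a value is either a double-quoted string
# (which may contain spaces) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hex SHA-256 digest as written in the checksum= field.
SHA256_RE = re.compile(r'^[0-9a-fA-F]{64}$')

# Constructed sample input. The first line is the antiransomware record shown
# in this article (including the GUI's timestamp/level/category prefix); the
# second is a constructed antivirus status line that must not be flagged.
SAMPLE_LOGS: List[str] = [
    '5/6/2024 5:44:06 PM     warning                antiransomware               '
    'date=2024-05-06 time=17:44:05 logver=1 id=98000 type=securityevent '
    'subtype=antiransomware eventtype=status level=warning '
    'uid=9638815F17974A38A1A9165059C658BF devid=FCT8001244636066 '
    'hostname=AV-TEST-WIN10X6 pcdomain=N/A deviceip=192.168.1.25 '
    'devicemac=02-00-45-99-04-45 site=default fctver=7.2.5.0993 fgtserial=N/A '
    'emsserial=FCTEMS8824090428 '
    'os="Microsoft Windows 10 Professional Edition, 64-bit (build 19045)" user=Admin '
    'msg="AntiRansomware has found a suspicious process" '
    'file=C:\\Users\\Admin\\Desktop\\1650201791.exe action=kill default_used=1 '
    'checksum=131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07 PID=1736',
    # Constructed benign event (not from the article).
    '5/6/2024 5:40:00 PM     info                   antivirus                    '
    'date=2024-05-06 time=17:40:00 logver=1 id=11111 type=securityevent '
    'subtype=antivirus eventtype=status level=info hostname=AV-TEST-WIN10X6 '
    'msg="Signature update completed" action=none',
]


def parse_forticlient_log(line: str) -> Dict[str, str]:
    """Parse one FortiClient key=value record into a dict.

    Tokens before the first key=value pair (the GUI prefix) contain no '='
    and are skipped by the regex; surrounding double quotes are stripped.
    """
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def is_ransomware_kill_event(fields: Dict[str, str]) -> bool:
    """True for a securityevent/antiransomware record where the process was killed."""
    return (
        fields.get("type") == "securityevent"
        and fields.get("subtype") == "antiransomware"
        and fields.get("action") == "kill"
    )


def summarize_ransomware_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return one summary dict per antiransomware kill event found in `lines`."""
    events = []
    for line in lines:
        fields = parse_forticlient_log(line)
        if not is_ransomware_kill_event(fields):
            continue
        checksum = fields.get("checksum", "")
        events.append({
            "host": fields.get("hostname", ""),
            "ems": fields.get("emsserial", ""),
            "when": f"{fields.get('date', '')} {fields.get('time', '')}",
            "file": fields.get("file", ""),
            # Only keep the digest if it is a well-formed SHA-256 hex string.
            "sha256": checksum.lower() if SHA256_RE.match(checksum) else "",
            "pid": fields.get("PID", ""),
            "msg": fields.get("msg", ""),
        })
    return events


if __name__ == "__main__":
    for event in summarize_ransomware_events(SAMPLE_LOGS):
        print(f"{event['when']} {event['host']}: killed PID {event['pid']} "
              f"{event['file']} sha256={event['sha256']}")
```

The summaries can be fed to a SIEM or ticketing system; matching on type, subtype and action rather than on the free-text msg keeps the filter stable if the message wording changes between FortiClient versions.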


How FortiClient Endpoint Management Server (EMS) Can See Detection:


When FortiClient detects the ransomware file and quarantines it, the event will be sent to EMS to which the FortiClient is registered. The event can be seen on the EMS endpoints summary page as shown below.

10.png