wallaceee
New Contributor II

AntiVirus protection exclusions not effective

Hello, we are implementing DLP agents on Windows workstations in our company, and as per the initial configuration we need to exclude some processes, DLP directories and registry paths. We did this as per the instructions from the DLP provider. It's done per EMS, and when we check for processes active in the DLP directories we can still see fmon.exe and fcappdb.exe scanning the files. The DLP is reporting health issues on a regular basis and definitely something is wrong. I believe it's also impacting the performance of the endpoint, as users are reporting that machines have become laggy. DLP support is also pointing out that we need to get rid of AV scanning effectively. So my question is: why are the exclusions we made not effective? It's really straightforward, we just put C:\Program Files\DLP_Software_Name and C:\ProgramData\DLP_Software_Name, and this should solve the case; however, you can see that the AV process is still scanning files inside the directories.

 

procmon.jpg

Jean-Philippe_P
Moderator

Hello wallaceee, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Moderator

Hello,

 

We are still looking for an answer to your question.

 

We will come back to you ASAP.

 

 

Thanks,

Jean-Philippe - Fortinet Community Team
wallaceee
New Contributor II

Any luck?

dfernandes
Staff

Hello,

 

Verifying in lab. Is it possible to confirm the EMS and FortiClient versions, whether any case was opened, and whether logs are available to be analyzed?

 

Regards,

wallaceee
New Contributor II

FortiClient ver 7.0.9.0493, EMS v.7.0.8 build 0484. Case opened here but not much inside: 8589988

We have been observing for the last two days how endpoints behave without the Forti AV protection on, and so far there are no errors from the DLP agents. This may indicate that AV from Forti is influencing the DLP processes. What log can we provide?

narutokaya
New Contributor

Is there maybe a dependent/child process that is resulting in the throttling from real time protection?

I would use process monitor to capture and walk exclusions back from everything working under the process you’re monitoring the network activity out of.
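One way to carry out the Process Monitor walk-back suggested above, as an added example that is not part of the original post: it reads a Process Monitor CSV export and counts, per process, the file operations that land inside the excluded directories. The sample rows and the `dlp_agent.exe` process name are constructed, and the column names assume Process Monitor's default CSV export.

```python
import csv
import io
import ntpath
from collections import Counter, defaultdict

# Directories from the post (DLP_Software_Name is the poster's placeholder).
EXCLUDED_DIRS = [r"C:\Program Files\DLP_Software_Name",
                 r"C:\ProgramData\DLP_Software_Name"]

# Constructed sample rows; columns assume Process Monitor's default CSV export.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","fmon.exe","2300","CreateFile","C:\Program Files\DLP_Software_Name\agent.dll","SUCCESS",""
"10:01:02.2","fmon.exe","2300","ReadFile","c:\program files\dlp_software_name\agent.dll","SUCCESS",""
"10:01:02.3","fcappdb.exe","2412","CreateFile","C:\ProgramData\DLP_Software_Name\cache\state.db","SUCCESS",""
"10:01:02.4","dlp_agent.exe","3100","WriteFile","C:\ProgramData\DLP_Software_Name\cache\state.db","SUCCESS",""
"10:01:02.5","fmon.exe","2300","CreateFile","C:\Program Files\DLP_Software_Name_Old\x.dll","SUCCESS",""
"10:01:02.6","explorer.exe","4020","ReadFile","C:\Users\Public\doc.txt","SUCCESS",""
'''

def _norm(path):
    # Windows paths are case-insensitive; normalise case and separators.
    return ntpath.normcase(ntpath.normpath(path))

def is_under(path, directory):
    # Match on a path-component boundary so that a sibling folder such as
    # DLP_Software_Name_Old is not treated as part of the excluded folder.
    p, d = _norm(path), _norm(directory)
    return p == d or p.startswith(d + "\\")

def accesses_by_process(csv_text, excluded_dirs, ignore=()):
    """Return {process name: {operation: count}} for events inside excluded dirs."""
    ignored = {name.lower() for name in ignore}
    hits = defaultdict(Counter)
    # Exported files may start with a UTF-8 byte-order mark; drop it if present.
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        name = row["Process Name"]
        if name.lower() in ignored:
            continue  # the excluded product's own processes are expected here
        if any(is_under(row["Path"], d) for d in excluded_dirs):
            hits[name][row["Operation"]] += 1
    return {name: dict(ops) for name, ops in hits.items()}

if __name__ == "__main__":
    report = accesses_by_process(SAMPLE_CSV, EXCLUDED_DIRS, ignore=["dlp_agent.exe"])
    for name, ops in sorted(report.items()):
        print(f"{name}: {ops}")
```

Any process left in the report is still touching files under an excluded directory, which gives a concrete list to take back to the exclusion configuration or the support case.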
dfernandes
Staff

FortiClient debug logs configured before running the scan and collected afterwards may be useful; this reference can be followed on the FCT side:

https://community.fortinet.com/t5/FortiClient/Technical-Tip-How-to-generate-and-export-Debug-logs-fr...

 

Also note that the fcappdb.exe process can also be associated with App Firewall activity; reference:
https://docs.fortinet.com/document/forticlient/7.0.9/administration-guide/209271

fcappdb.exe | FortiClient Application Database Service | Network Access Control (NAC) and Antivirus

 
