Hello, we are implementing DLP agents to Windows workstations in our company and as per initial configuration we need to exclude some processes, DLP directories and registry paths. We did this as per instructions from DLP provider. It's done per EMS and when we are checking for processes available per DLP directories we can still see fmon.exe and fcappdb.exe scanning the files. The DLP is reporting health issues on regular basis and definitely something is wrong. I believe it's also impacting the performance of the endpoint as users are reporting that machines became laggy. DLP support is also pointing out that we need to get rid of AV scanning effectively. So my question is why exclusions we did are not effective? It's really straightforward, we just put C:\Program Files\DLP_Software_Name, C:\ProgramData\DLP_Software_Name and this should solve the case, however you can see that AV process is still scanning files inside the directories
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello wallaceee,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
Any luck?
Hello,
Verifying in lab, possible to confirm EMS, FortiClient versions, if any case was opened and logs available to be analyzed?
Regards,
FortiClient ver 7.0.9.0493, ESM v.7.0.8 build 0484. Case opened here but not much inside: 8589988
We are observing for last two days how endpoints behave without the Forti AV protection on and so far there are no errors from DLP agents. This may indicates that AV from Forti is influencing the DLP processes. What log can we provide?
Is there maybe a dependent/child process that is resulting in the throttling from real time protection?
I would use process monitor to capture and walk exclusions back from everything working under the process you’re monitoring the network activity out of.
FortiClient Debug logs configured before running scan and collected afterwards maybe useful, this reference can be followed FCT side:
https://community.fortinet.com/t5/FortiClient/Technical-Tip-How-to-generate-and-export-Debug-logs-fr...
Also to note that fcappdb.exe process can also be associated with App Firewall activity, reference:
https://docs.fortinet.com/document/forticlient/7.0.9/administration-guide/209271
fcappdb.exe |
FortiClient Application Database Service |
Network Access Control (NAC) and Antivirus |
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.