One of the main issues we are currently having is that the FortiClient has been running full system scans outside of the scan schedule. We set the scan schedules in a profile in EMS and verified that the workstations have the profile for the scan to run every Wednesday at 12:00PM. Our users are seeing the scan run at random times during the day on different days.
Might not be related, but we have enabled the Real-time Protection to “Scan files as they are downloaded or copied to my system.” Since this was a real-time protection option, I didn’t think it was related to the Schedule scan, but I am open to any feedback on using this option.
During some further digging around, I found in the EMS admin logs that a lot of our devices are being unregistered. I am not really sure why they would be unregistering and it seems that it has been happening for a month now. When I look at the endpoint in EMS they are all showing as registered. This could be related or not to the random daily full scans but I'm at a loss here.
EMS admin log Example:
2016-12-06 19:22:39,Notice,SourceEmsServer,'Workstation1' unregistered
2016-12-06 19:25:01,Notice,SourceEmsServer,'Workstation1' unregistered
,2016-12-06 19:37:51,Notice,SourceEmsServer,'Server1' unregistered
,2016-12-06 20:58:33,Notice,SourceEmsServer,' Server1' unregistered
,2016-12-06 20:59:39,Notice,SourceEmsServer,'Workstation2' unregistered
….
,2017-01-05 16:36:36,Notice,SourceEmsServer,'Workstation3' unregistered
,2017-01-05 16:38:35,Notice,SourceEmsServer,'Workstation4' unregistered
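Added example, not part of the original post and not Fortinet tooling: a Python script that tallies `unregistered` events per endpoint from an admin log exported in the layout shown above and flags endpoints that unregister repeatedly within a short window. The sample lines are constructed from that layout; the function names and the five-minute window are assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the excerpt above, including the
# stray leading comma and the space inside the quoted endpoint name.
SAMPLE_LOG = """\
2016-12-06 19:22:39,Notice,SourceEmsServer,'Workstation1' unregistered
2016-12-06 19:25:01,Notice,SourceEmsServer,'Workstation1' unregistered
,2016-12-06 19:37:51,Notice,SourceEmsServer,'Server1' unregistered
,2016-12-06 20:58:33,Notice,SourceEmsServer,' Server1' unregistered
,2016-12-06 20:59:39,Notice,SourceEmsServer,'Workstation2' unregistered
,2017-01-05 16:36:36,Notice,SourceEmsServer,'Workstation3' unregistered
"""

def parse_unregistered(text):
    """Return {endpoint: [datetime, ...]} for every 'unregistered' line."""
    events = defaultdict(list)
    for row in csv.reader(text.splitlines()):
        row = [field for field in row if field.strip()]  # drop empty leading field
        if len(row) != 4 or not row[3].strip().endswith("unregistered"):
            continue  # not an unregister event, or an elided/garbled line
        try:
            when = datetime.strptime(row[0].strip(), "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        # Normalise "' Server1' unregistered" and "'Server1' unregistered" alike.
        name = row[3].rsplit(" unregistered", 1)[0].strip().strip("'").strip()
        events[name].append(when)
    return events

def flapping(events, window=timedelta(minutes=5)):
    """Return {endpoint: event count} for endpoints with two events within `window`."""
    flagged = {}
    for name, times in events.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if any(gap <= window for gap in gaps):
            flagged[name] = len(times)
    return flagged

if __name__ == "__main__":
    parsed = parse_unregistered(SAMPLE_LOG)
    for endpoint, times in sorted(parsed.items()):
        print(f"{endpoint}: {len(times)} unregister event(s), last at {max(times)}")
    print("Repeated within 5 minutes:", flapping(parsed))
```
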
Do your users see the client and its notifications? The client gives them the option to disconnect, which could be part of the issue. End users are usually... paranoid that every little piece of security software is watching what they are doing... especially when it has web filtering etc.
Mike Pruett
Thanks for your interest, Mike! Not sure if it matters but we are on 5.4.2. I checked and the option to disconnect is turned off and it states that "Settings are Locked by EMS" (which is a good thing).
We are still seeing scans kick off for certain users throughout the week. Just reached out to a Fortinet System Engineer. Open to any more suggestions in the interim.
I worked with Fortinet support and thought it would be a good idea to follow up on this in case others see the same issue. Apparently this issue is known to Fortinet and they provided me with a "fixed" av_task.exe which seemed to have worked.
Great that they gave you a workaround. Hopefully, the fix gets pushed out in the next release.
Mike Pruett