WorkWork
New Contributor

FortiClient EMS and Scheduled AV Scans

One of the main issues we are currently having is that the FortiClient has been running full system scans outside of the scan schedule. We set the scan schedules in a profile in EMS and verified that the workstations have the profile for the scan to run every Wednesday at 12:00PM. Our users are seeing the scan run at random times during the day on different days.

 

Might not be related, but we have enabled the Real-time Protection to “Scan files as they are downloaded or copied to my system.” Since this was a real-time protection option, I didn’t think it was related to the Schedule scan, but I am open to any feedback on using this option.

 

During some further digging around, I found in the EMS admin logs that a lot of our devices are being unregistered. I am not really sure why they would be unregistering and it seems that it has been happening for a month now. When I look at the endpoint in EMS they are all showing as registered. This could be related or not to the random daily full scans but I'm at a loss here.

 

EMS admin log Example:

2016-12-06 19:22:39,Notice,SourceEmsServer,'Workstation1' unregistered

2016-12-06 19:25:01,Notice,SourceEmsServer,'Workstation1' unregistered

,2016-12-06 19:37:51,Notice,SourceEmsServer,'Server1' unregistered

,2016-12-06 20:58:33,Notice,SourceEmsServer,' Server1' unregistered

,2016-12-06 20:59:39,Notice,SourceEmsServer,'Workstation2' unregistered

….

,2017-01-05 16:36:36,Notice,SourceEmsServer,'Workstation3' unregistered

,2017-01-05 16:38:35,Notice,SourceEmsServer,'Workstation4' unregistered
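For triaging the unregister events quoted in the post above, here is an added example (not part of the original post, and not Fortinet tooling) that parses lines in the layout shown and lists hosts that unregister more than once within a time window. The two-hour window and the function names are assumptions; the sample lines are constructed from the excerpt.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the excerpt above; the leading commas
# and the stray space inside the quotes are reproduced on purpose.
SAMPLE_LOG = """\
2016-12-06 19:22:39,Notice,SourceEmsServer,'Workstation1' unregistered
2016-12-06 19:25:01,Notice,SourceEmsServer,'Workstation1' unregistered
,2016-12-06 19:37:51,Notice,SourceEmsServer,'Server1' unregistered
,2016-12-06 20:58:33,Notice,SourceEmsServer,' Server1' unregistered
,2016-12-06 20:59:39,Notice,SourceEmsServer,'Workstation2' unregistered
,2017-01-05 16:36:36,Notice,SourceEmsServer,'Workstation3' unregistered
"""

def parse_unregistered(text):
    """Yield (timestamp, host) for every 'unregistered' row."""
    for row in csv.reader(text.splitlines()):
        # Drop empty fields so an exported leading comma does not shift columns.
        row = [field.strip() for field in row if field.strip()]
        if len(row) != 4 or not row[3].endswith("unregistered"):
            continue
        try:
            ts = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # not a timestamped event row
        # Strip the suffix, the quotes, and any padding inside the quotes.
        host = row[3][: -len("unregistered")].strip().strip("'").strip()
        yield ts, host

def repeat_unregisters(text, window=timedelta(hours=2)):
    """Return {host: [timestamps]} for hosts with two events within `window`."""
    events = defaultdict(list)
    for ts, host in parse_unregistered(text):
        events[host.lower()].append(ts)  # hostnames compared case-insensitively
    flagged = {}
    for host, stamps in events.items():
        stamps.sort()
        if any(b - a <= window for a, b in zip(stamps, stamps[1:])):
            flagged[host] = stamps
    return flagged

if __name__ == "__main__":
    for host, stamps in repeat_unregisters(SAMPLE_LOG).items():
        print(host, [s.isoformat(sep=" ") for s in stamps])
```

Comparing the flagged hosts and timestamps against the times users report unscheduled scans shows whether the two symptoms line up.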

MikePruett
Valued Contributor

Do your users see the client and its notifications? The client gives them the option to disconnect which could be part of the issue. End users are usually....paranoid that every little piece of security software is watching what they are doing....especially when it has web filtering etc.

Mike Pruett Fortinet GURU | Fortinet Training Videos
WorkWork

Thanks for your interest, Mike! Not sure if it matters but we are on 5.4.2. I checked and the option to disconnect is turned off and it states that "Settings are Locked by EMS" (which is a good thing). 

 

We are still seeing scans kick off for certain users throughout the week. Just reached out to a Fortinet System Engineer. Open to any more suggestions in the interim.

WorkWork

I worked with Fortinet support and thought it would be a good idea to follow up on this in case others see the same issue. Apparently this issue is known to Fortinet and they provided me with a "fixed" av_task.exe which seemed to have worked.

MikePruett
Valued Contributor

Great that they gave you a workaround. Hopefully, the fix gets pushed out in the next release.

Mike Pruett Fortinet GURU | Fortinet Training Videos