Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
wallaceee
New Contributor II

Created on ‎07-28-2023 03:39 AM

AntiVirus protection exclusions not effective

Hello, we are implementing DLP agents to Windows workstations in our company and as per initial configuration we need to exclude some processes, DLP directories and registry paths. We did this as per instructions from DLP provider. It's done per EMS and when we are checking for processes available per DLP directories we can still see fmon.exe and fcappdb.exe scanning the files. The DLP is reporting health issues on regular basis and definitely something is wrong. I believe it's also impacting the performance of the endpoint as users are reporting that machines became laggy. DLP support is also pointing out that we need to get rid of AV scanning effectively. So my question is why exclusions we did are not effective? It's really straightforward, we just put C:\Program Files\DLP_Software_Name, C:\ProgramData\DLP_Software_Name and this should solve the case, however you can see that AV process is still scanning files inside the directories 

 

procmon.jpg

Labels:
865
0 Kudos
7 REPLIES 7
Jean-Philippe_P
Moderator
Moderator

Created on ‎07-31-2023 01:25 AM

Hello wallaceee, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

Jean-Philippe - Fortinet Community Team
818
0 Kudos
Jean-Philippe_P
Moderator
Moderator

Created on ‎08-01-2023 11:52 PM

Hello,

 

We are still looking for an answer to your question.

 

We will come back to you ASAP.

 

 

Thanks,

Jean-Philippe - Fortinet Community Team
800
0 Kudos
wallaceee
New Contributor II

Created on ‎08-02-2023 02:38 AM

Any luck?

793
0 Kudos
dfernandes
Staff
Staff

Created on ‎08-03-2023 02:48 AM Edited on ‎08-03-2023 02:51 AM

Hello,

 

Verifying in lab, possible to confirm EMS, FortiClient versions, if any case was opened and logs available to be analyzed?

 

Regards,

762
0 Kudos
wallaceee
New Contributor II

Created on ‎08-03-2023 03:24 AM

FortiClient ver 7.0.9.0493, ESM v.7.0.8 build 0484. Case opened here but not much inside: 8589988

We are observing for last two days how endpoints behave without the Forti AV protection on and so far there are no errors from DLP agents. This may indicates that AV from Forti is influencing the DLP processes. What log can we provide? 

748
0 Kudos
narutokaya
New Contributor

Created on ‎08-03-2023 04:30 AM

Is there maybe a dependent/child process that is resulting in the throttling from real time protection?

I would use process monitor to capture and walk exclusions back from everything working under the process you’re monitoring the network activity out of.

https://showbox.bio https://tutuapp.uno/
https://showbox.bio https://tutuapp.uno/
743
0 Kudos
dfernandes
Staff
Staff

Created on ‎08-03-2023 05:47 AM

FortiClient Debug logs configured before running scan and collected afterwards maybe useful, this reference can be followed FCT side:

https://community.fortinet.com/t5/FortiClient/Technical-Tip-How-to-generate-and-export-Debug-logs-fr...

 

Also to note that fcappdb.exe process can also be associated with App Firewall activity, reference:
https://docs.fortinet.com/document/forticlient/7.0.9/administration-guide/209271

fcappdb.exe

FortiClient Application Database Service

Network Access Control (NAC) and Antivirus

 

735
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.