View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0004356 | Windows and other desktop OS | Desktop | public | 2021-06-09 09:59 | 2021-10-19 12:59 |
Reporter | DigitalMy | ||||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | assigned | Resolution | open | ||
Summary | 0004356: Disable FortiClient spyware | ||||
Description | Zero Trust - name of this telemetry. FA_Scheduler (FortiClient Service Scheduler, scheduler.exe) works as a "protected" service. FCT_SecSvr (FortiClient Endpoint Protected Process Service, FctSecSvr.exe). | ||||
Tags | No tags attached. | ||||
FinishDate | |||||
StartDate | |||||
WasteTime | 0 | ||||
PriorityIndex | 1 | ||||
LaboriousnessIndex | 1 | ||||
First of all, block network connections from FortiClient spy components like FCDBLog.exe (FortiClient Logging daemon) using the firewall; this app makes a lot of logs (*.evt) and sends them to the server.

Termination is protected: Access is denied.

```
taskkill /F /im scheduler.exe
ERROR: The process "scheduler.exe" with PID 2372 could not be terminated.
Reason: Access is denied.

wmic process where name='scheduler.exe' delete
Deleting instance \\PC\ROOT\CIMV2:Win32_Process.Handle="12136"
ERROR:
Description = Access denied
```

Tried to stop it in "Process Explorer": on the process properties view, select the Security tab, press the Permissions button, press the Advanced button, if necessary add yourself or a group you belong to, and edit your permissions to include "Terminate". This did not help.

Tried to stop it in "Process Hacker": success, but it restarts itself.

https://docs.fortinet.com/document/forticlient/6.0.2/administration-guide/209271/forticlient-windows-processes
https://docs.fortinet.com/document/forticlient/7.0.0/administration-guide/209271/forticlient-windows-processes

FortiClient\FortiTcs.exe (FortiClient ZTNA Service) is listening on local port 56784. Zero Trust Network Access Telemetry must be disabled: https://docs.fortinet.com/document/forticlient/7.0.0/administration-guide/577341/telemetry-data

They also have a free VPN-only standalone FortiClient, which should be good for use.

FortiClient\FortiTray.exe is restarted by the scheduler.

The service cannot change settings until the following is done: changed rights for the files in the FortiClient folder, including changing the owner of the folder. Renamed the protected .exe files (list below) and killed the unwanted processes; now they fail to start, and that is fine:

```
0FCDBLog.exe
0fcappdb.exe
0update_task.exe
0FCVbltScan.exe
0FortiScand.exe
```

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FA_Scheduler: first got an error saving the value in the registry, but after killing the processes and renaming the files it can be done: Start=4 (disabled).

Some apps are to be renamed after the VPN servers are set up and the license is obtained:

```
0scheduler.exe
0FortiESNAC.exe
0FortiTcs.exe
0FortiSettings.exe
```

FortiSettings.exe - enable it for saving the server configuration.

For startup of FortiClient VPN, manually run a batch file as administrator with the following commands:

```bat
start C:\FortiClient\FortiSSLVPNdaemon.exe -s 0
start C:\FortiClient\FortiTray.exe -s 0
start C:\FortiClient\FortiClient.exe -s 0
```

To stop FortiClient VPN, manually run a batch file as administrator with the following commands:

```bat
taskkill /f /im "FortiSSLVPNdaemon.exe" /t
taskkill /f /im "FortiTray.exe" /t
taskkill /f /im "FortiClient.exe" /t
```

Delete the registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FA_Scheduler:

```
sc stop FA_Scheduler
sc delete FA_Scheduler
sc stop FCT_SecSvr
sc delete FCT_SecSvr
```

For deletion, run the .exe installer from the command line with the -uninstall key.

Expert installer with updater, run as:

```
"C:\WINDOWS\System32\msiexec.exe" /i "C:\AV\FortiClient.msi"
```

In version 7, FortiClient.exe will not start without FortiElevate.exe. FortiClient.exe is used to change settings...

There are several drivers running; use Process Hacker to stop them. They protect files and folders from changes:

```
system32\drivers\FortiTransCtrl.sys
system32\drivers\FortiShield.sys
system32\drivers\fortips.sys
\SystemRoot\system32\DRIVERS\FortiFilter.sys
```

FortiESNAC.exe is used to sync telemetry; it connects to 62.109.49.241.
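An added check, not part of this issue or of Fortinet's own tooling, that an administrator can run to detect the tampering these notes describe (FA_Scheduler/FCT_SecSvr disabled or deleted, protected binaries renamed with a leading "0", drivers stopped). It assumes the install directory the notes use (C:\FortiClient), that the listed executables live there, and that each driver's service name equals its .sys base name; run it elevated.

```powershell
# Added tamper check (not from the issue or Fortinet). Assumptions: FortiClient lives in
# $InstallDir (the path the notes use); driver service names equal the .sys base names.
param([string]$InstallDir = 'C:\FortiClient')

$findings = @()

# Services the notes disable (Start=4) or delete with sc.
foreach ($svc in 'FA_Scheduler', 'FCT_SecSvr') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $key)) { $findings += "service key missing (deleted?): $svc"; continue }
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) { $findings += "service disabled in registry (Start=4): $svc" }
    $status = (Get-Service -Name $svc -ErrorAction SilentlyContinue).Status
    if ($status -ne 'Running') { $findings += "service not running: $svc ($status)" }
}

# Binaries the notes rename with a leading '0' so the scheduler cannot restart them.
$binaries = 'scheduler.exe', 'FctSecSvr.exe', 'FCDBLog.exe', 'fcappdb.exe', 'update_task.exe',
            'FCVbltScan.exe', 'FortiScand.exe', 'FortiESNAC.exe', 'FortiTcs.exe', 'FortiSettings.exe'
foreach ($exe in $binaries) {
    if (-not (Test-Path (Join-Path $InstallDir $exe))) { $findings += "binary missing: $exe" }
    if (Test-Path (Join-Path $InstallDir "0$exe"))     { $findings += "renamed copy present: 0$exe" }
}

# Kernel drivers the notes stop; each should be loaded and running.
foreach ($drv in 'FortiTransCtrl', 'FortiShield', 'fortips', 'FortiFilter') {
    $d = Get-CimInstance Win32_SystemDriver -Filter "Name='$drv'" -ErrorAction SilentlyContinue
    if (-not $d -or $d.State -ne 'Running') { $findings += "driver not running: $drv" }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: FortiClient services, binaries and drivers look intact'
} else {
    $findings | ForEach-Object { Write-Output "TAMPER: $_" }
}
```

Any "TAMPER:" line corresponds to one of the steps in the notes above, so the output can be fed to a scheduled task or an EDR custom rule as an integrity signal.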