Anyone using Forticlient as an AV solution for user desktops?

oikjn

Ars Scholae Palatinae
969
Subscriptor++
As the subject states, is anyone using this solution? We have a bunch of other Fortinet products and it seems elegant enough as a single pane of glass solution within our corporate firewall, but I can't say I'm totally comfortable going 100% with one provider. We have been using Eset for probably two decades and haven't had an issue. Their prices are reasonable and so I'd likely stick with that, but figured I would double-check in case there are people that really like the Forticlient product too.
 

molo

Ars Legatus Legionis
14,786
For corporate AV, the only product you should even bother looking at is Crowdstrike. It's *so* much better than everything else, that it makes you wonder what the other AV vendors are doing. I mean, it's a revelation. And pretty cheap, too, honestly.

Forticlient is a pretty crappy AV product. Forticlient is a pretty crappy *VPN* client. I mean, it works, but we're in the process of moving to Azure Always On VPN for our Windows clients. The "always on" part is huge, and we're already paying for Microsoft licenses for everybody. I like Fortigates. I like the FortiAnalyzer. I don't really care for much of anything else that Fortinet offers.
 

Incarnate

Ars Tribunus Angusticlavius
8,806
> For corporate AV, the only product you should even bother looking at is Crowdstrike. It's *so* much better than everything else, that it makes you wonder what the other AV vendors are doing. I mean, it's a revelation. And pretty cheap, too, honestly.
One other option would be Microsoft Defender for Endpoint. Not just the "free" Windows Defender included in Windows, but the full blown product. That and CrowdStrike are both way above anything else.
 

oikjn

Ars Scholae Palatinae
969
Subscriptor++
We are small potatoes. Maybe enterprise pricing at massive endpoints is more aggressive, but I see Falcon Pro listed as $9/endpoint/month. Given Eset is <$1/endpoint/month and we have had great results with it, I'll probably stick to that.

I really wasn't sure about the forticlient option but figured I'd ask in case some people liked it. The unified nature of it with the firewall and switches we have is nice in theory, but I'm a bit nervous about using just Fortinet for all layers of defense. The vast majority of our endpoints are on-site and not remote users.
 

DrWebster

Ars Praefectus
3,770
Subscriptor++
> For corporate AV, the only product you should even bother looking at is Crowdstrike. It's *so* much better than everything else, that it makes you wonder what the other AV vendors are doing. I mean, it's a revelation. And pretty cheap, too, honestly.

Curious, what does Crowdstrike do that Cortex XDR doesn't?
 

oikjn

Ars Scholae Palatinae
969
Subscriptor++
> For corporate AV, the only product you should even bother looking at is Crowdstrike. It's *so* much better than everything else, that it makes you wonder what the other AV vendors are doing. I mean, it's a revelation. And pretty cheap, too, honestly.
> One other option would be Microsoft Defender for Endpoint. Not just the "free" Windows Defender included in Windows, but the full blown product. That and CrowdStrike are both way above anything else.


I can't seem to find pricing on that other than "Microsoft Defender for Endpoint P1 Trial" which is free... I found "Defender for Business" which is $3/license/month. I assume that is the comparable one. I'll look at that a bit more closely. That is 1/3 the cost of CrowdStrike, but still 3x more than Eset, so I'll look to see if it maybe has 3x the value.
 

Superduck

Ars Tribunus Militum
2,158
Value is tougher to quantify in security products, when the cost of any significant compromise is often higher than many organizations' annual security spend. I look at the type of events that could occur, the likelihood of them happening, their impact to the organization and then what we can do to mitigate them. Using this as a bit of a matrix, I use it to create a risk register and use that to drive our targets for security improvement. The other key feature of a risk register is it ensures the business knows about the risks and accepts them, as they should not be an IT risk, but a business risk. If you come forward with 3 or 4 high or critical risks in the environment, and they choose not to do anything about it, then that becomes a risk that the business is assuming, and it then doesn't get dumped on IT for failing to secure the environment. Every organization has to strike the balance in what they will accept for risk versus what they want to spend on security and risk mitigations.


I have been a Crowdstrike user in the past, and am currently using Defender, but Crowdstrike is on my next budget request. In my experience, its behavior based detection is second to none, and the Spotlight vulnerability management works really well for letting you know about vulnerabilities and their impact across your enterprise. Also very lightweight agent.
 

Incarnate

Ars Tribunus Angusticlavius
8,806
> The vast majority of our endpoints are on-site and not remote users.
I don't think that matters necessarily. Do your users use email and the Internet? :)

The cost/benefit comes down to your business and the impact of malware or ransomware on the business. We used ESET for many years on our servers and it worked fine. Signature-only based AV no longer fit our current security landscape. I'm not familiar with the current ESET products and features. Does ESET kill processes if Word tries to launch PowerShell, for example? If you're looking to protect against ransomware and advanced persistent threats (APT), CrowdStrike and Defender for Endpoint appear to be rated much more highly than any other products today. They do require more administrative overhead as well, as you will need to review anomalies and strange things in the environment, and not just an alert on a known AV signature.
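The "Word launches PowerShell" check asked about above is a parent/child process rule rather than a signature match. The following is an added example (not from this thread or from any vendor's product) that runs such a rule over constructed process-creation records; the tab-separated layout, the paths and the sample events are all made up for illustration.

```python
from dataclasses import dataclass

# Process names are compared case-insensitively by basename.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Command-line flags that raise the severity of an already suspicious launch.
OBFUSCATION_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-nop")

# Constructed sample events (not real telemetry), one per line:
# timestamp <TAB> parent image <TAB> child image <TAB> child command line
SAMPLE_EVENTS = """\
2024-05-01T09:12:03\tC:\\Windows\\explorer.exe\tC:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\tWINWORD.EXE /n invoice.docm
2024-05-01T09:12:09\tC:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -nop -w hidden -enc BASE64_PLACEHOLDER
2024-05-01T09:15:41\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -File C:\\scripts\\backup.ps1
2024-05-01T09:20:12\tC:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c dir
"""


@dataclass
class Alert:
    ts: str
    parent: str
    child: str
    severity: str


def _basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events_text: str) -> list[Alert]:
    """Flag script hosts whose parent is an Office application.

    The same powershell.exe launched from explorer.exe is not flagged: the
    rule keys on the parent/child relationship, not on the child's hash."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ts, parent_img, child_img, cmdline = line.split("\t", 3)
        parent, child = _basename(parent_img), _basename(child_img)
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            lowered = cmdline.lower()
            hit = any(flag in lowered for flag in OBFUSCATION_FLAGS)
            alerts.append(Alert(ts, parent, child, "high" if hit else "medium"))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields two alerts: the Word-to-PowerShell launch at high severity and the Excel-to-cmd launch at medium, while the identical PowerShell binary started from Explorer produces none.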
 

komatsu

Ars Scholae Palatinae
1,068
> > The vast majority of our endpoints are on-site and not remote users.
> I don't think that matters necessarily. Do your users use email and the Internet? :)
>
> The cost/benefit comes down to your business and the impact of malware or ransomware on the business. We used ESET for many years on our servers and it worked fine. Signature only based AV no longer fit our current security landscape. I'm not familiar with the current ESET products and features. Does ESET kill processes if Word tries to launch PowerShell for example? If you're looking to protect against ransomware and advanced persistent threats (ATP), CrowdStrike and Defender for Endpoint appear to be rated much more highly than any other products today. They do require more administrative overhead as well, as you will need to review anomalies and strange things in the environment, and not just an alert on a known AV signature.


Very interesting paper here:

https://www.mdpi.com/2624-800X/1/3/21
 

oikjn

Ars Scholae Palatinae
969
Subscriptor++
> > > The vast majority of our endpoints are on-site and not remote users.
> > I don't think that matters necessarily. Do your users use email and the Internet? :)
> >
> > The cost/benefit comes down to your business and the impact of malware or ransomware on the business. We used ESET for many years on our servers and it worked fine. Signature only based AV no longer fit our current security landscape. I'm not familiar with the current ESET products and features. Does ESET kill processes if Word tries to launch PowerShell for example? If you're looking to protect against ransomware and advanced persistent threats (ATP), CrowdStrike and Defender for Endpoint appear to be rated much more highly than any other products today. They do require more administrative overhead as well, as you will need to review anomalies and strange things in the environment, and not just an alert on a known AV signature.
>
> Very interesting paper here:
>
> https://www.mdpi.com/2624-800X/1/3/21


so basically, they all suck? :eng101:

Summary from the table on page 27:

Table 1. Aggregated results of the attacks for each EDR. Notation: ✓: successful attack; •: successful attack, minor alert raised; ?: successful attack, alert was raised; ◦: unsuccessful attack, no alert raised; ✗: failed attack, alerts were raised.

| EDR | CPL | HTA | EXE | DLL |
|---|---|---|---|---|
| Carbon Black | • | ✗ | ✓ | ✓ |
| CrowdStrike Falcon | ✓ | ✓ | • | ✓ |
| ESET PROTECT Enterprise | ✗ | ✗ | ✓ | ✓ |
| F-Secure Elements Endpoint Detection and Response | ✓ | ✓ | ✓ | ✓ |
| Kaspersky Endpoint Detection and Response | ✗ | ✗ | ✗ | ✓ |
| McAfee Endpoint Protection | ✗ | ✗ | ✓ | ✓ |
| Sentinel One | ✓ | ✓ | ✓ | ✗ |
| Sophos Intercept X with EDR | ✗ | ✗ | ✓ | - |
| Symantec Endpoint Protection | ✓ | ✗ | ✓ | ✓ |
| Trend Micro Apex One | ✓ | ◦ | ✓ | ✓ |
| Windows Defender for Endpoints | ? | ✗ | ✗ | ✓ |
 

komatsu

Ars Scholae Palatinae
1,068
> so basically, they all suck?

Yes.

When we pull away all the fancy talk. All the friendly salespeople who want to reach out to you. All the fancy offices. All the evangelists. All the white papers.

Page 27 in this report is where it's all at and should be a stark reminder that there are solutions out there that are not solutions at all. All they do is offer a false sense of security.

The Emperor really has no clothes...
 

oikjn

Ars Scholae Palatinae
969
Subscriptor++
Neither are particularly great. Was using a local VM to run the "EMS" server and that install and setup was generally fine, but quickly ran into a major management issue... You can set and tweak policies through the EMS server which are supposed to get pushed down to the client... I started with v7.0.6 and found that apparently that function was broken, so clients had to disconnect and reconnect manually in order to sync any policy changes. The EMS would report if a computer was out of sync, but wouldn't correct it without manual intervention. In an established environment I would imagine these policies don't change often, but for my initial setup and testing I was doing lots of changes as I tried things out and found other issues with the setups.

On the client side, there was a significant performance impact on file access and network speeds with the client on vs. off, with or without the use of the sandbox function. When AV did trigger on a false positive (which has been my only real experience with AV events since the install), it quarantines the file and there is no apparent way for the user or local admin to take a manual action to override the flag, and I'm forced to add global manual exemptions for those files to be pushed out via a policy update.

On the plus side, I like the global software inventory it provides, including vulnerability checks for everything (like finding old PuTTY installs or non-removed DLL files from past software updates that included known vulnerabilities), and the integration with the firewall for user identification is nice, but redundant since we have FSSO running on the domain anyway. I'll say it's doing its job since we haven't had a virus infection that I'm aware of :unsure:
 

Paladin

Ars Legatus Legionis
32,552
Subscriptor
Hehe, it's the ones you're not aware of that are the real problem...

But yeah, it sounds like 'pick your poison'. If you have to use an EDR security platform/app solution, they all have issues and weaknesses. I don't think I have yet found anyone saying there is one that is really great all around unless it is a sales person who will sign you up for the one they seem to like so much. ;)
 

oikjn

Ars Scholae Palatinae
969
Subscriptor++
Yea... not seeing problems is definitely not the same as not having problems. Being the direct target of an APT actor is definitely the stuff of nightmares.

We were only really using Eset's Nod32 AV before we moved to FortiClient and, excluding the whole "what I'm not aware of"... at least from the client perspective, it did just work seamlessly in the background where the client wouldn't notice if it was there or not.... Not so much with the FortiClient.

I might end up full circle back with Eset as I didn't really have a problem with them other than their product offerings got convoluted and more expensive if you wanted to go past just Nod32 AV. I have until October on our license and I'm currently thinking I'll try the MS Defender for Endpoint route first since we are an MS shop and we do have other M365 products, but MS makes it convoluted as well... I think I need "Defender for Business" as a license which I think would give me the same functionality since I don't have any plans that include Defender for Endpoint in them as-is 😱