How to enable and configure Malware Inspection in TMG
Web traffic may contain malware (such as worms, viruses, and spyware). Microsoft Forefront Threat Management Gateway (TMG) includes malware inspection for scanning, cleaning, and blocking harmful HTTP content and files. When malware inspection is enabled, downloaded Web pages and files allowed by access rules may be inspected for malware.
Malware inspection is performed by the Malware Inspection Filter (Web filter). Malware inspection applies to traffic that uses the HTTP protocol and does not involve the Firewall Client software.
The body of all HTTP requests and responses is inspected, regardless of the HTTP verb in the header. If the body is compressed and the encoding scheme is not recognized, Forefront TMG cannot inspect the content. HTTP content compressed with gzip encoding can be decoded, inspected, and encoded in both directions.
In this post, I will explain how to enable malware inspection and also explain the user experience when this feature is enabled.
1. Enable Malware Inspection on the server
Malware Inspection requires a special “subscription license” (per user, per year). The first time you install TMG, you can enable Malware Inspection time-based trial for free. You can check if Malware Inspection is enabled and check the status by navigating to the “Update Center” option in TMG console. You can also check if the signature updates are getting installed.
2. Configure Malware Inspection
Merely having Malware Inspection filters will not protect your users unless it is turned on and configured. To configure Malware Inspection, open your Web Access Policy and click on Configure Malware Inspection on the Tasks pane.
Ensure that the Enable malware inspection checkbox has been enabled.
In the above dialog box, you can also configure exceptions, definition updates and licenses.
An important option that you can configure here is to choose between “standard trickling” and “fast trickling”. “Trickling” refers to the process in which the file is transferred to the user after/while being scanned for threats.
- Standard Trickling: TMG keeps most of the file, but sends small parts of it to the client to keep the connection alive.
- Fast tricking: TMG sends the file as fast as possible to the user, holding back the last part till the whole file is scanned. The user “perceives” better performance, although the TMG server needs more resources in this method.
You can also choose “Progress Notification” method for some file types so that TMG presents a scanning progress notification message in the browser before letting the user download the file. This is done by clicking “Content Types for Progress Notification”.
Notice in my example, the PDF file type is configured for Progress Notification.
3. Enable Malware Inspection on your rules
You also need to enable malware inspection in the applicable Web Access policy rules and Firewall policy rules. To enable Malware Inspection on an “allow” rule, right click on the rule and choose properties
Ensure “Inspect content downloaded from Web servers to clients” and “Force full content requests” is checked.
You can have more control on the malware inspection by enabling to “use rule specific settings for malware inspection”. Then click on the Rule Settings button.
Click OK all the way out and save your configuration. It might take a while till your configuration is synchronized. (This can be verified at Monitoring > Configuration)
Once the rule is applied, try downloading a file on a Web proxy client. TMG presents a scanning status message on the browser.
Once the scanning is complete, the user is allowed to download the file.
If the file contained a virus, the user is shown a warning message and access to the file is blocked.
Malware Inspection is a brand new feature in TMG and I’m sure you will find this feature very exciting. Feel free to post your comments below.