Malware Inspection in Threat Management Gateway 2010

by Shijaz Abdulla on 31.05.2010 at 22:58

How to enable and configure Malware Inspection in TMG

Web traffic may contain malware (such as worms, viruses, and spyware). Microsoft Forefront Threat Management Gateway (TMG) includes malware inspection for scanning, cleaning, and blocking harmful HTTP content and files. When malware inspection is enabled, downloaded Web pages and files allowed by access rules may be inspected for malware.

Malware inspection is performed by the Malware Inspection Filter (Web filter). Malware inspection applies to traffic that uses the HTTP protocol and does not involve the Firewall Client software.

The body of all HTTP requests and responses is inspected, regardless of the HTTP verb in the header. If the body is compressed and the encoding scheme is not recognized, Forefront TMG cannot inspect the content. HTTP content compressed with gzip encoding can be decoded, inspected, and encoded in both directions.
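The decision described above, sketched as an added example (this is not TMG code, and TMG's filter is not implemented this way as far as the page says): a body is scanned directly, decoded from gzip and then scanned, or reported as uninspectable when the encoding is not recognized. The signature marker, function names and sample messages are constructed for illustration.

```python
import gzip
import zlib

# Constructed marker standing in for a malware signature (not a real one).
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"

# Encodings this sketch recognizes; gzip is the one the text names as decodable.
DECODERS = {"identity": lambda data: data, "gzip": gzip.decompress}


def parse_encodings(header_value):
    """Split a Content-Encoding value into lowercase tokens, in applied order."""
    if not header_value:
        return []
    return [tok.strip().lower() for tok in header_value.split(",") if tok.strip()]


def inspect_body(headers, body):
    """Return 'blocked', 'clean' or 'uninspectable' for one HTTP message body."""
    lowered = {name.lower(): value for name, value in headers.items()}
    # Encodings are listed in the order applied, so undo them in reverse.
    for encoding in reversed(parse_encodings(lowered.get("content-encoding"))):
        decoder = DECODERS.get(encoding)
        if decoder is None:
            return "uninspectable"  # unrecognized scheme: body stays opaque
        try:
            body = decoder(body)
        except (OSError, EOFError, zlib.error):
            return "uninspectable"  # header claims gzip but body is not valid gzip
    return "blocked" if SIGNATURE in body else "clean"


# Constructed sample messages: (label, headers, body).
SAMPLES = [
    ("plain clean", {"Content-Type": "text/html"}, b"<html>hello</html>"),
    ("plain infected", {}, b"xx" + SIGNATURE),
    ("gzip infected", {"Content-Encoding": "GZIP"}, gzip.compress(b"xx" + SIGNATURE)),
    ("unknown encoding", {"content-encoding": "x-custom"}, b"\x00\x01opaque"),
    ("mislabelled gzip", {"Content-Encoding": "gzip"}, b"not gzip data"),
]


def run_samples():
    return {label: inspect_body(headers, body) for label, headers, body in SAMPLES}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:18} {verdict}")
```

Keeping "uninspectable" as its own verdict, rather than folding it into "clean", is what lets an administrator log and decide on traffic the scanner could not read.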

In this post, I will explain how to enable malware inspection and also explain the user experience when this feature is enabled.


1. Enable Malware Inspection on the server

Malware Inspection requires a special “subscription license” (per user, per year). The first time you install TMG, you can enable a time-based Malware Inspection trial for free. To check whether Malware Inspection is enabled and to see its status, navigate to the “Update Center” option in the TMG console. You can also check whether the signature updates are being installed.



2. Configure Malware Inspection

Merely having the Malware Inspection filter will not protect your users unless it is turned on and configured. To configure Malware Inspection, open your Web Access Policy and click Configure Malware Inspection in the Tasks pane.


Ensure that the Enable malware inspection checkbox is selected.


In the above dialog box, you can also configure exceptions, definition updates and licenses.

An important option that you can configure here is to choose between “standard trickling” and “fast trickling”. “Trickling” refers to the process in which the file is transferred to the user after/while being scanned for threats.


  • Standard Trickling: TMG keeps most of the file, but sends small parts of it to the client to keep the connection alive.
  • Fast Trickling: TMG sends the file as fast as possible to the user, holding back the last part till the whole file is scanned. The user “perceives” better performance, although the TMG server needs more resources in this method.

You can also choose the “Progress Notification” method for some file types so that TMG presents a scanning progress notification message in the browser before letting the user download the file. This is done by clicking “Content Types for Progress Notification”.


Notice in my example, the PDF file type is configured for Progress Notification.


3. Enable Malware Inspection on your rules

You also need to enable malware inspection in the applicable Web Access policy rules and Firewall policy rules. To enable Malware Inspection on an “allow” rule, right-click the rule and choose Properties.

Ensure that “Inspect content downloaded from Web servers to clients” and “Force full content requests” are checked.


You can have more control over malware inspection by enabling “use rule specific settings for malware inspection”. Then click the Rule Settings button.


Click OK all the way out and save your configuration. It might take a while until your configuration is synchronized. (This can be verified at Monitoring > Configuration.)


Once the rule is applied, try downloading a file on a Web proxy client. TMG presents a scanning status message in the browser.


Once the scanning is complete, the user is allowed to download the file.


If the file contained a virus, the user is shown a warning message and access to the file is blocked.


Malware Inspection is a brand new feature in TMG and I’m sure you will find this feature very exciting. Feel free to post your comments below.

82.6% of PC threats in the UAE are Malware: Microsoft report

by Shijaz Abdulla on 10.05.2010 at 17:25

This is according to the latest report published by Microsoft, which is based on feedback from the Malicious Software Removal Tool (MSRT). The MSRT is usually executed as part of Windows Update and currently has a user base of 500+ million computers worldwide running Windows.

The UAE was one of the countries included in the report.

However, the number of computers infected with malware in the UAE is lower than the worldwide average, with only 5.8 infected computers for every 1000 computers in the country.

According to the analysis, the UAE is ‘dominated’ by malware, which accounts for 82.6% of all threats detected on infected computers. The most common category of malware in the country was found to be worms (23%), which have the ability to spread via mapped drives with missing or weak passwords or by using USB flash drives.