Configuring malware inspection options
Published: November 15, 2009
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
When you create a Web access rule and enable malware inspection on that rule, a default set of malware inspection options and thresholds is applied to that rule.
You can adjust these options and thresholds in two ways:
By modifying the global malware inspection settings—Settings are applied by default to each access rule on which malware inspection is enabled.
By modifying the settings for individual Web access rules—Per-rule settings override the global malware inspection settings. For details, see Creating an access rule.
For a description of malware inspection file types, see Planning to protect against malicious web content.
The following procedure describes how to configure the global malware inspection options.
In the Forefront TMG Management console, in the tree, click the Web Access Policy node.
On the Tasks tab, click Configure Malware Inspection.
Click the Inspection Settings tab, and specify whether the malware inspection engine should attempt to clean files and what type of content should be blocked. It is recommended that you keep the default settings. Note the following:
When Attempt to clean infected files is enabled, files that cannot be cleaned are purged. When using trickling, Forefront TMG closes the TCP connection and records the reason in the log. When using progress notification, Forefront TMG issues an HTML page to notify the user that the file has been blocked.
Note: For more information about trickling and progress notification, see Configuring malware inspection content delivery.
The setting Block suspicious files is designed to block files that appear to be infected with unknown malware.
The setting Block corrupted files is turned off by default. Turning on this setting may cause a false positive and block files that are not actually harmful.
The setting Block files if archive depth level exceeds is designed to block malware that arrives in archives with deep nesting to avoid detection.
The setting Block archive files if unpacked content is larger than (MB) is designed to avoid decompressing small archive files to a large size when unpacked.
Note: To scan HTTPS traffic for malware, you must enable HTTPS inspection. For more information, see Configuring HTTPS inspection.
- When Attempt to clean infected files is enabled, files that cannot be cleaned are purged. When using trickling, Forefront TMG closes the TCP connection and records the reason in the log. When using progress notification, Forefront TMG issues an HTML page to notify the user that the file has been blocked.