Planning to protect against malicious web content

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

Web traffic may contain malware such as worms, viruses, and spyware. Forefront TMG uses definitions of known viruses, worms, and other malware, which it downloads from Microsoft Update or Windows Server Update Services (WSUS), for malware inspection. The Forefront TMG Malware Inspection Filter scans outbound Web traffic, and either cleans harmful HTTP content, or blocks it from entering the internal network.

Note

  • Outbound inspection refers to HTTP requests that originate from clients on networks protected by Forefront TMG.

  • When scanning archived content, if the scan determines the archive to be corrupted, the content bypasses scanning, and can be opened by archiving programs such as WinZip.

The following sections provide information to help you plan malware inspection in your organization:

  • Deployment considerations

  • Threat levels

  • Content delivery methods

Deployment considerations

When you plan to deploy malware inspection in your organization, consider the following:

  • Malware inspection is subscription based, and is part of the Forefront TMG Web Security Service license. For licensing information, see How to Buy (https://go.microsoft.com/fwlink/?LinkId=179848).

  • To keep your systems protected from the latest threats, verify that Forefront TMG has connectivity to the selected update source, Microsoft Update or WSUS, and that automatic installation of the latest signatures is enabled. For more information, see Planning for updates of protection definitions.

  • Both the Forefront TMG server and the client computer perform type detection. If the server’s identification of a file’s content type differs from the client’s identification of the same file, the server cannot implement the protection mechanisms on that file for this client. To prevent this risk, ensure that the Forefront TMG server and the client computers are fully patched at all times, so that type detection is aligned between them.

  • By default, Forefront TMG temporarily accumulates and stores files for malware inspection in the %SystemRoot%\Temp folder. Performance issues may arise when a large number of files larger than 64 KB are downloaded. If you anticipate a large number of large downloads in your organization, it is recommended that you place the ScanStorage folder on a separate physical disk. For information, see Configuring the malware inspection storage location.

  • You might want to exclude selected Web sites from malware inspection for specific reasons:

    • Excluding sources—The main reason for excluding sources from malware inspection is to avoid scanning content more than once, which has a performance cost and is problematic in some scenarios. A typical scenario is when content is scanned for malware by a downstream proxy. In such a case, you should configure the upstream proxy to exclude from scanning all requests coming from the downstream proxy.

    • Excluding destinations—The main reasons for excluding destinations from malware inspection are to improve performance, by excluding trusted sites, large files, or sites that take a long time to download, and to resolve compatibility issues.

    For information, see Defining exemptions to malware inspection.

  • Malware inspection can be disabled globally for troubleshooting purposes, or when a third-party malware inspection mechanism is used. For example, you can disable malware inspection temporarily to determine whether doing so improves performance.

Threat levels

The following table lists the categories that can be assigned to the threats that are detected during malware inspection, and the action taken for each category when malware inspection is enabled. For configuration information, see Configuring malware inspection options.

Threat category: Low severity threat
Description: Potentially unwanted software that might collect information about you or your computer or change how your computer works, but is operating in agreement with licensing terms displayed when you installed the software.
Action: Configurable by the Forefront TMG administrator. Default: allow

Threat category: Medium severity threat
Description: Programs that might affect your privacy or make changes to your computer that could negatively impact your computing experience, for example, by collecting personal information or changing settings.
Action: Configurable by the Forefront TMG administrator. Default: allow

Threat category: High severity threat
Description: Programs that might collect your personal information and negatively affect your privacy or damage your computer, for example, by collecting information or changing settings, typically without your knowledge or consent.
Action: Configurable by the Forefront TMG administrator. Default: block

Threat category: Infected files
Description: Traditionally, infected files refer to files that have been infected by a virus. Viruses insert or add their code to a file to enable the virus to spread. However, infected files may be more broadly described as any file reported as malware or potentially unwanted software.
Action: Block

Threat category: Suspicious files
Description: Suspicious files may display one or more characteristics or behaviors associated with known malware. Files reported as suspicious are often detected proactively and may not have been previously seen by our analysts. Files detected as suspicious are quarantined and users may be prompted to submit these files to us for further analysis, so that specific detection may be added if required.
Action: Configurable by the Forefront TMG administrator. Default: block

Threat category: Corrupted files
Description: Corrupted files are those that have been modified in some way and may no longer function as intended.
Action: Configurable by the Forefront TMG administrator. Default: allow

Threat category: Encrypted files
Description: Encrypted files are those that have been transformed using encryption into an unreadable format for the purposes of secrecy. Once encrypted, such data cannot be interpreted (either by humans or machines) until it is decrypted. Malware may use encryption in order to obfuscate its code (make its code unreadable), thus hoping to hinder its detection and removal from the affected computer.
Action: Configurable by the Forefront TMG administrator. Default: block
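
The following added example (not Forefront TMG code, and not a description of how the TMG filter itself classifies files) illustrates the interaction between the note on corrupted archives above and the Corrupted files and Encrypted files rows of the table: an encrypted ZIP member is classified as "encrypted" (default action: block), a ZIP that cannot be read or fails its CRC check is classified as "corrupted" (default action: allow, which is why such content bypasses scanning and can still be opened by an archiver), and the admin-configurable action table decides the result. The sample archives are constructed in the script; the category and action names are assumptions chosen to mirror the table.

```python
import io
import zipfile

# Default actions from the threat-level table (both rows are admin-configurable).
DEFAULT_ACTIONS = {"encrypted": "block", "corrupted": "allow", "clean": "allow"}


def classify_archive(data: bytes) -> str:
    """Return 'encrypted', 'corrupted' or 'clean' for a ZIP payload."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Bit 0 of the general-purpose flag marks an encrypted member.
            if any(info.flag_bits & 0x1 for info in zf.infolist()):
                return "encrypted"
            # testzip() returns the first member with a bad header/CRC, else None.
            if zf.testzip() is not None:
                return "corrupted"
            return "clean"
    except zipfile.BadZipFile:
        # No readable central directory: the archive is corrupted.
        return "corrupted"


def decide(data: bytes, actions=DEFAULT_ACTIONS) -> tuple:
    """Map the archive to its category and the configured action for it."""
    category = classify_archive(data)
    return category, actions[category]


def make_sample_zip() -> bytes:
    """Constructed clean sample archive with one stored (uncompressed) member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "constructed sample payload")
    return buf.getvalue()


def make_encrypted_zip() -> bytes:
    """Set the encryption flag in the local and central headers of the sample."""
    buf = bytearray(make_sample_zip())
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        buf[buf.find(sig) + flag_offset] |= 0x1
    return bytes(buf)


def make_corrupted_zip(truncate: bool = False) -> bytes:
    """Damage the sample: drop the end-of-central-directory record, or alter member data so its CRC fails."""
    data = make_sample_zip()
    return data[:-10] if truncate else data.replace(b"sample", b"SAMPLE")
```

Running decide() over the three constructed archives shows that, with the table's defaults, only the encrypted archive is blocked; changing the "corrupted" action to "block" closes the bypass described in the note.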

Content delivery methods

Because malware inspection may cause some delay in the delivery of content from the server to the client, Forefront TMG enables you to shape the user experience while Web content is scanned for malware, by selecting one of the following delivery methods for scanned content:

  • Trickling—Forefront TMG sends portions of the content to the user as the files are inspected. This process helps prevent the client application from reaching a time-out limit before the entire content is downloaded and inspected.

  • Progress notification—Forefront TMG sends an HTML page to the client computer, informing the user that the requested content is being inspected, and displaying an indication of the download and inspection progress. After download and inspection of the content are completed, the page informs the user that the content is ready, and displays a button for downloading the content.

For information, see Configuring malware inspection content delivery.

Concepts

Configuring malware inspection
Planning to protect against web browsing threats