Overview of malware inspection

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

Web traffic may contain malware (such as worms, viruses, and spyware). Forefront TMG includes malware inspection for scanning, cleaning, and blocking harmful HTTP content and files. When malware inspection is enabled, downloaded Web pages and files allowed by access rules may be inspected for malware.

Malware inspection is performed by the Malware Inspection Filter (Web filter). Malware inspection applies to traffic that uses the HTTP protocol and does not involve the Firewall Client software.

The body of all HTTP requests and responses is inspected, regardless of the HTTP verb in the header. If the body is compressed and the encoding scheme is not recognized, Forefront TMG cannot inspect the content. HTTP content compressed with gzip encoding can be decoded, inspected, and encoded in both directions.

When a virus is detected in a file or an archive (for example, a .zip, .tar, or .cab file), Forefront TMG attempts to clean the file, rebuild the archive, and send a cleaned file to the client instead of the infected one. In cases where cleaning is not possible, the infected file is replaced with a text file containing a notification. However, in the case of trickling, it is not possible to clean the file or replace it with a text notification. In this case, downloading is stopped when malware is detected.

User Scenarios

The basic user scenario for malware inspection is downloading content allowed by Web access rules. In this scenario, Forefront TMG can inspect Web pages and files downloaded over HTTP from external Web sites.

When a Web browser sends an HTTP request allowed by an access rule to open an HTML page, the Web browser first downloads the page requested, and then sends multiple requests for embedded elements, including images, scripts, and other types of files. Each embedded element is downloaded as a separate file.

If a Web page contains a link to an executable file, users may download the file by clicking the link and then clicking Save as to save the link target.

Malware definitions and updates

Forefront TMG uses definitions of known viruses, worms, and other malware for malware inspection. These definitions can be downloaded from Microsoft Update over the Internet. Forefront TMG automatically checks for and downloads new and updated definitions for malware inspection according to a user-defined updating schedule. At any time, you can also request Forefront TMG to check for new and updated malware definitions. The schedules for obtaining updates are accessed through the Update Center node in Forefront TMG Management. When this node is selected, the time when the last check for new updates was made, the time when the last update was downloaded and installed, and the status of the last attempt to check for updates are displayed in the details pane.

By default, definitions are updated every 15 minutes. The Getting Started Wizard provides an opportunity to modify the schedules for obtaining updates for malware inspection. For more information about configuring the schedule for updating malware definitions, see Configuring update settings.

Microsoft requires you to have a subscription license to receive updates for the malware definitions from Microsoft Update after an initial 90-day evaluation period.

Definition updates are downloaded even if malware inspection is disabled. If you do not want Forefront TMG to check for and download updates for malware inspection, follow the procedure for configuring malware definition update settings, and on the Definition Updates tab, in Automatic Update Action, select Do nothing.


You can configure the behavior of the Malware Inspection Filter. In particular, you can configure the Malware Inspection Filter to do the following when malware inspection is enabled.

  • Attempt to clean files that are found to be infected—By default, this option is enabled.

  • Block files with low and medium severity threats—The levels of the threats that are detected during malware inspection are defined as low, medium, high, or severe. By default, only files with threat levels defined as high and severe are blocked. Files with threat levels that are defined as low and medium are not considered harmful.

  • Block suspicious files—By default, this option is enabled.

  • Block files that are found to be corrupted—By default, this option is disabled.

  • Block files that cannot be scanned—By default, this option is disabled.

  • Block all encrypted files—By default, this option is enabled.

  • Block files if the scanning time exceeds the user-defined maximum scanning time—By default, if the scanning time exceeds 300 seconds, the scanning is stopped, and the file is blocked.

  • Block files whose size exceeds the user-defined maximum file size in megabytes—By default, files that are larger than 1000 megabytes are blocked without scanning.

  • Block archives whose unpacked content size exceeds the user-defined maximum unpacked content size in megabytes—By default, files whose unpacked content size is greater than 4095 megabytes are blocked without scanning.

  • Block archives whose archive depth level exceeds the user-defined maximum level—By default, archives whose maximum archive depth level is greater than 20 are blocked without scanning.
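The last two limits in this list exist because a small archive can expand to an enormous size or nest many levels deep. The following is an added Python example, not Forefront TMG code, that enforces both limits on a ZIP payload and returns result strings matching the log values documented later on this page. The function names, the ZIP-only scope, and the counting conventions (depth 1 is the outermost archive; every unpacked byte at every level counts toward the size limit) are assumptions of this example.

```python
import io
import zipfile

# Default limits quoted from the list above.
MAX_DEPTH = 20
MAX_UNPACKED_BYTES = 4095 * 1024 * 1024
CHUNK = 64 * 1024

class LimitHit(Exception):
    """Carries the log-style result string for the limit that was hit."""

def _walk(data, depth, state, max_depth, max_bytes):
    if depth > max_depth:
        raise LimitHit("Maximum Archive Nesting Exceeded")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            buf = bytearray()
            with zf.open(info) as member:
                # Count bytes as they are produced; the size declared in
                # the ZIP header comes from the sender and is not trusted.
                while chunk := member.read(CHUNK):
                    state["unpacked"] += len(chunk)
                    if state["unpacked"] > max_bytes:
                        raise LimitHit("Maximum Unpacked File Size Exceeded")
                    buf += chunk
            if zipfile.is_zipfile(io.BytesIO(buf)):
                _walk(bytes(buf), depth + 1, state, max_depth, max_bytes)

def check_archive(data, max_depth=MAX_DEPTH, max_bytes=MAX_UNPACKED_BYTES):
    """Return a result string for a ZIP payload (ZIP only in this example)."""
    try:
        _walk(data, 1, {"unpacked": 0}, max_depth, max_bytes)
    except LimitHit as hit:
        return str(hit)
    return "No Violation Detected"

def make_nested_zip(levels, payload=b"A" * 1000):
    """Constructed sample input: a payload wrapped in `levels` ZIP layers."""
    data = payload
    for i in range(levels):
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"level{i}.bin", data)
        data = out.getvalue()
    return data
```

Because the byte budget is checked while each member is being decompressed, the walk stops as soon as a limit is crossed instead of unpacking the whole archive first.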

Forefront TMG can automatically report information about malware discovered during malware inspection to the Microsoft Response Center. The reports include the source of the malware, its threat level, and the action that was taken, and they can include traffic samples and complete URLs. The Microsoft Response Center uses this information to help identify possible malware-distributing attack patterns. For more information, see About reporting malware-distributing URLs.

Malware inspection exceptions

Consider the scenario in which the administrator decides to exempt high-volume trusted Web sites from inspection to improve performance. All traffic resulting from requests sent to the following types of destinations can be exempted from malware inspection.

  • IP addresses. The destination IP addresses included in specific network entities can be excluded from malware inspection. All HTTP traffic resulting from requests sent to IP addresses that are included in a network entity listed in the list of exemptions will not be scanned or in any way affected by malware inspection. The network entities included in this list may be computers, computer sets, networks, network sets, subnets, and IP address ranges.

  • Domain name sets. The domain names included in one or more domain name sets can be excluded from malware inspection. All HTTP traffic resulting from requests sent to domain names that are included in a domain name set listed in the list of exemptions will not be inspected for malware.

By default, the following Web sites are excluded in the predefined Sites Exempt from Malware Inspection domain name set:

  • *.microsoft.com

  • *.windowsupdate.com

  • *.windows.com

Malware inspection exceptions override the settings of policy rules. Traffic from and to these destinations will never be inspected.

Content delivery

Because malware inspection may cause some delay in the delivery of content from the server to the client, Forefront TMG trickles portions of the content as files are inspected to improve the user experience during malware inspection. As an alternative, Forefront TMG can send progress notifications for specified types of files to reassure the user during this delay.

For more information about trickling and progress notifications, see About content delivery.

Malware inspection settings in policy rules

Each Web access rule has settings for malware inspection. When each rule is created, you can enable malware inspection for it. You can configure whether scanning will be performed for content that the rule allows to be downloaded from the server to the client.

Malware inspection is disabled for system policy rules. A system policy rule that allows HTTP traffic from the Local Host network to the External network permits browsing of the Internet directly from the Forefront TMG computer. HTTP content provided in response to a request that was sent directly from the Forefront TMG computer and allowed by such a system policy rule is excluded from malware inspection. For this reason, we recommend that you do not browse the Internet directly from a Forefront TMG computer. You can block Web sites that are not trusted by adding them to the Restricted sites zone in Internet Explorer on the Forefront TMG computer.

Activity statistics

The overall malware inspection activity is reported in the following two fields in the Forefront TMG activity statistics.

  • Packets scanned by malware inspection

  • Packets blocked by malware inspection

Log fields for malware inspection

The following table summarizes the log fields that are related to malware inspection and the possible values that each field can contain.

Field name (log viewer) | Possible values

Content Delivery Method

  • Progress Notification

  • Fast Trickling

  • Standard Trickling

Malware Inspection Result

  • Corrupted File

  • Destination Included in Malware Inspection Exceptions List

  • Encrypted File

  • Infected File

  • Low and Medium Level Threats Not Blocked

  • Malware Inspection Disabled

  • Malware Inspection Disabled for the Matching Policy Rule

  • Malware Inspection Disabled for the Matching Web Chaining Rule

  • Maximum Archive Nesting Exceeded

  • Maximum Size Exceeded

  • Maximum Unpacked File Size Exceeded

  • No Violation Detected

  • Request Served by Malware Inspection Web Filter

  • Request/Response Pair Identified as Exempted Protocol Message

  • Response Identified as a 200 Response to a CONNECT Request

  • Response Originated from Proxy Server

  • Response Scanned Before Being Routed by CARP

  • Storage Space Limit Exceeded

  • Suspicious File

  • Time Out

  • Unknown

  • Unknown Encoding

Malware Inspection Action

  • Allowed

  • Blocked

  • Cleaned

Malware Inspection Duration

Time in milliseconds (0 if not inspected)

Threat Name

Description of the threat

Threat Level

  • Low

  • Medium

  • High

  • Severe
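The log fields listed above can be used to find content that reached clients without being scanned, or with a detected threat left in place. The following is an added Python example, not part of the product, that triages records keyed by the log viewer field names. The "Client IP" and "URL" column names, the grouping of result values into UNSCANNED, and all sample records are assumptions constructed for this example.

```python
from collections import Counter
from urllib.parse import urlsplit

# Result values from the table above that this example treats as
# "delivered without a scan" (the grouping is this example's assumption).
UNSCANNED = {
    "Destination Included in Malware Inspection Exceptions List",
    "Malware Inspection Disabled",
    "Malware Inspection Disabled for the Matching Policy Rule",
    "Malware Inspection Disabled for the Matching Web Chaining Rule",
    "Unknown Encoding",
}
DETECTED_NOT_BLOCKED = "Low and Medium Level Threats Not Blocked"

def rec(client, url, result, action, threat="", level=""):
    """Build one record; "Client IP" and "URL" are assumed column names."""
    return {"Client IP": client, "URL": url,
            "Malware Inspection Result": result,
            "Malware Inspection Action": action,
            "Threat Name": threat, "Threat Level": level}

# Constructed sample records (documentation addresses and host names).
SAMPLE = [
    rec("192.0.2.10", "http://cdn.example.com/a.cab",
        "Destination Included in Malware Inspection Exceptions List", "Allowed"),
    rec("192.0.2.10", "http://cdn.example.com/b.cab",
        "Destination Included in Malware Inspection Exceptions List", "Allowed"),
    rec("192.0.2.11", "http://files.example.net/x.bin", "Unknown Encoding", "Allowed"),
    rec("192.0.2.12", "http://dl.example.org/tool.exe", DETECTED_NOT_BLOCKED,
        "Allowed", "Constructed.Sample.Threat", "Medium"),
    rec("192.0.2.13", "http://dl.example.org/bad.zip", "Infected File",
        "Blocked", "Constructed.Sample.Virus", "Severe"),
    rec("192.0.2.14", "http://www.example.com/", "No Violation Detected", "Allowed"),
]

def triage(records):
    """Return (unscanned counts by (result, host), threats that were allowed)."""
    unscanned, allowed_threats = Counter(), []
    for r in records:
        if r["Malware Inspection Action"] != "Allowed":
            continue  # only content delivered unchanged is of interest here
        result = r["Malware Inspection Result"]
        host = urlsplit(r["URL"]).hostname
        if result in UNSCANNED:
            unscanned[(result, host)] += 1
        elif result == DETECTED_NOT_BLOCKED:
            hit = (r["Client IP"], host, r["Threat Name"], r["Threat Level"])
            allowed_threats.append(hit)
    return unscanned, allowed_threats
```

Hosts with large unscanned counts are candidates for reviewing the exemption list and per-rule settings, and each entry in the second result is a client that received a file with a low or medium threat still in it.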


Forefront TMG provides a Malware Inspection content report, which shows the names of current threats, the users and Web sites that generate the largest number of malware incidents, statistics regarding the malware filter, and a daily summary of malware activity.

Events and alerts

The following table lists events that are associated with malware inspection.

Event ID | Event description


The Microsoft Firewall service successfully created the new accumulation folder FolderName.


The Microsoft Firewall service could not create or access the accumulation folder FolderName.


The maximum amount of disk space allowed for accumulation by the Malware Inspection Filter was exceeded. Requests that generate this event are blocked.

If the problem persists, allow more disk space for accumulation.


The amount of disk space the Malware Inspection Filter needs for accumulation exceeded the available disk space. Requests that generate this event are blocked.

If the problem persists, move the accumulation folder to another drive with more space, or replace the disk with a larger one.


The client ClientAddress exceeded the per-client accumulation limit for malware inspection. Requests that generate this event are blocked.


Malware inspection is enabled on at least one access or Web publishing rule, but cannot be applied because the malware inspection feature is not enabled.


The Malware Inspection Filter detected malware and either removed it or blocked the message. See the Web Proxy log for details.


The Malware Inspection Filter failed to load the progress notification template file FileName.


Content requested by a client passed inspection, but the client did not click the Download button on the progress notification page within the allotted time.


The definitions currently used by the Malware Inspection Filter are more than NumberOfDays days old, which exceeds the recommended age for definitions. Scanning effectiveness may be reduced until the definitions are updated. This might be caused by an expired license or problems connecting to Microsoft Update. Examine related events to identify the reason.


The Malware Inspection Filter successfully loaded definitions from the folder FolderName. The files loaded and their versions are:



Definitions for malware inspection could not be loaded from the folder FolderName.


The Malware Inspection Filter failed to delete the folder FolderName, which contains definitions that were replaced by newer versions. The Malware Inspection Filter will automatically attempt to delete this folder again when the Microsoft Firewall service restarts.


One or more licenses to subscription services are about to expire. For more information about the status of your licenses, check the Update Center.


One or more licenses to subscription services have expired. For more information about the status of your licenses, check the Update Center.


The Malware Inspection Filter detected an attempt by the client Client1 to retrieve content originally requested by the client Client2 by using the download identifier supplied with the progress notifications during inspection. The download identifier is DownloadId.

Malware inspection performance counters

The malware inspection performance counters monitor the activity of the Malware Inspection Filter. For more information about the malware inspection performance counters, see Malware protection and URL filtering counters.

Copyright © 2009 by Microsoft Corporation. All rights reserved.