Configuring global malware inspection settings

This topic describes how to enable malware inspection for HTTP traffic in outbound requests. For general information about malware inspection, see Overview of malware inspection.

Configuring global malware settings consists of the following steps:

  1. Enable malware inspection. With this setting enabled, content sent from server to client through access rules is inspected. Malware inspection is not applied to content sent from client to server, or to content provided by Web publishing rules.
  2. Specify destinations exempt from malware inspection.
  3. Specify how inspected content should be blocked.
  4. Indicate how clients should be informed of progress as content is inspected. For a better user experience, files are trickled to clients during inspection. As an alternative, you can configure specific content types to display progress notifications instead of trickling.
  5. Specify a location for storing files during the inspection process.

Where to start. In the Forefront TMG Management console tree, click the Firewall Policy node, and select the Web Access Policy tab. Under Policy Editing Tasks, click Configure Malware Inspection.

  • On the General tab, select Enable malware inspection.

To inspect content provided by an access rule, you must first enable malware inspection on the rule properties, in addition to enabling the setting globally.

  1. To specify destinations exempt from malware inspection, on the Exceptions tab, click Add. In the Add Network Entities dialog box, click New, and then select the exempted network objects. You can specify an entire network, computers or IP addresses, or domain name sets and URL sets. If you select domain names, ensure they can be resolved by Domain Name System (DNS).

  2. To modify the default domain set or other exempted network objects, select the appropriate entry, and then click Edit.

  3. To remove sites from the exemption list, select the appropriate entry, and then click Remove.

  1. On the Inspection Settings tab, specify whether the malware inspection mechanism should attempt to clean files and what type of content should be blocked. It is recommended that you keep the default settings. Note the following:

    • When Attempt to clean infected files is enabled, files that cannot be cleaned are purged. An HTML page is issued to notify the user that the file has been blocked.
    • The setting Block corrupted files is turned off by default. Turning on this setting may cause false positives and block files that are not actually harmful.
    • The setting Block files if archive depth exceeds is designed to block malware that is nested deeply inside archives in an attempt to avoid detection.
    • The setting Block archive files if unpacked content is larger than is designed to block small archive files that expand to a very large size when unpacked.
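The two archive limits above, plus the corrupted-file option, can be hard to picture from the dialog alone. The following is an added example, not code from the Forefront TMG documentation or product, that models the same three checks as a standalone Python function over ZIP data using only the standard library: it walks an archive without fully extracting it, counts nesting depth, sums the declared unpacked size of every entry, and treats an unreadable inner archive as corrupted. The limits, the `block_corrupted` flag and the sample archives are constructed for the example; the real TMG thresholds and its exact handling of corrupted files are not stated here.

```python
"""Added example: model the archive depth, unpacked-size and corrupted-file
checks on the Inspection Settings tab against in-memory ZIP data.
This is illustrative code, not Forefront TMG's implementation."""
import io
import zipfile


def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_nested_zip(depth, payload):
    """Wrap payload in `depth` nested ZIP archives (constructed sample data)."""
    data = make_zip({"file.txt": payload})
    for level in range(1, depth):
        data = make_zip({f"level{level}.zip": data})
    return data


def inspect_archive(data, max_depth=5, max_unpacked=50 * 1024 * 1024,
                    block_corrupted=False):
    """Return (verdict, deepest_level, declared_unpacked_bytes).

    max_depth mirrors 'Block files if archive depth exceeds',
    max_unpacked mirrors 'Block archive files if unpacked content is larger
    than', and block_corrupted mirrors 'Block corrupted files' (off by
    default, as on the tab). The defaults here are assumed values.
    """
    state = {"deepest": 0, "unpacked": 0}

    def walk(blob, depth):
        state["deepest"] = max(state["deepest"], depth)
        # Depth is checked before any inner archive is opened, so deeply
        # nested content is rejected without being unpacked.
        if depth > max_depth:
            return f"blocked: archive depth exceeds {max_depth}"
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    # file_size is the size declared in the entry header,
                    # so the budget is enforced before decompression.
                    state["unpacked"] += info.file_size
                    if state["unpacked"] > max_unpacked:
                        return (f"blocked: unpacked content exceeds "
                                f"{max_unpacked} bytes")
                    if info.filename.lower().endswith(".zip"):
                        # ZipFile.read stops at the declared size and raises
                        # BadZipFile on a CRC mismatch, so a lying header is
                        # caught here rather than read past the budget.
                        verdict = walk(zf.read(info), depth + 1)
                        if verdict:
                            return verdict
        except zipfile.BadZipFile:
            return "blocked: corrupted archive" if block_corrupted else None
        return None

    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ("allowed: not an archive", 0, 0)
    verdict = walk(data, 1) or "allowed"
    return (verdict, state["deepest"], state["unpacked"])


if __name__ == "__main__":
    deep = build_nested_zip(3, b"hello")
    print(inspect_archive(deep, max_depth=2))
    bomb = build_nested_zip(1, b"A" * 100_000)
    print(len(bomb), inspect_archive(bomb, max_unpacked=10_000))
    bad = make_zip({"inner.zip": b"not really a zip"})
    print(inspect_archive(bad), inspect_archive(bad, block_corrupted=True))
```

Note that the size check works from the sizes declared in the central directory, which is what lets a gateway reject an archive before spending CPU and disk on unpacking it; the CRC check on read is the fallback for entries whose headers do not match their contents.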

  1. During inspection, files are trickled to clients. However, you can configure specific content types to display progress notifications instead of trickling.

  2. To use progress notifications instead of trickling for some content types, on the Content Delivery tab, select Send progress notifications to clients as files are downloaded and inspected.

  3. To specify the content types for which progress notification applies, click Select Content Types.

  4. In Available Types, select content types to add to the default list, and then click Add. To remove a content type, select it in the Selected Types list, and then click Remove.

  • On the Storage tab, specify the folder in which files for inspection should be temporarily held. Ensure that you exempt this folder from inspection by any other antimalware applications running on the Forefront TMG server.