Planning for malware inspection

Web traffic may contain malware (such as worms, viruses, and spyware). Microsoft Forefront Threat Management Gateway includes malware inspection for scanning, cleaning, and blocking harmful content and files. Malware inspection is implemented by the Malware Inspection Filter. When malware inspection is enabled, downloaded Web content allowed by access rules may be inspected for malware.

The elements of the Forefront TMG malware inspection configuration include the following:

  • Enabling and disabling malware inspection
  • Malware inspection settings
  • Exceptions that are exempt from malware inspection
  • Temporary storage settings
  • Content delivery settings
  • Enabling and disabling the reporting of malware discovered during malware inspection to Microsoft
  • Settings for obtaining updates

Disabling malware inspection

Malware inspection can be disabled globally for troubleshooting purposes or when the malware inspection mechanism built into Forefront TMG is replaced with a third-party filter. For example, you can turn off malware inspection to determine whether disabling malware inspection will improve performance.

When malware inspection is enabled in your deployment, it can be enabled separately in each access rule for the HTTP traffic that is allowed by the rule.

Configuring the malware inspection settings

You can configure the behavior of the Malware Inspection Filter. In particular, you can configure the Malware Inspection Filter to do the following when malware inspection is enabled:

  • Attempt to clean files that are found to be infected—By default, this option is enabled.
  • Block files with low and medium severity threats—The levels of the threats that are detected during malware inspection are defined as low, medium, high, or severe. By default, only files with threat levels defined as high and severe are blocked. Files with threat levels that are defined as low and medium are not considered harmful.
  • Block suspicious files—By default, this option is enabled.
  • Block files that are found to be corrupted—By default, this option is disabled.
  • Block files that cannot be scanned—By default, this option is disabled.
  • Block all encrypted files—By default, this option is enabled.
  • Block files if the scanning time exceeds the user-defined maximum scanning time—By default, if the scanning time exceeds 300 seconds, the scanning is stopped, and the file is blocked.
  • Block files whose size exceeds the user-defined maximum file size in megabytes—By default, files that are larger than 1000 megabytes are blocked without scanning.
  • Block archives whose unpacked content size exceeds the user-defined maximum unpacked content size in megabytes—By default, files whose unpacked content size is greater than 4095 megabytes are blocked without scanning.
  • Block archives whose archive depth level exceeds the user-defined maximum level—By default, archives whose maximum archive depth level is greater than 20 are blocked without scanning.
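As an added illustration (not TMG's own code), the following Python models the block-or-deliver decision these settings imply, seeded with the documented defaults. The evaluation order and the FileFacts fields are assumptions made for the example; TMG does not document the order in which the checks run.

```python
from dataclasses import dataclass

# Default Malware Inspection Filter settings as documented on this page.
DEFAULTS = {
    "attempt_clean": True, "block_low_medium": False, "block_suspicious": True,
    "block_corrupted": False, "block_unscannable": False, "block_encrypted": True,
    "max_scan_seconds": 300, "max_file_mb": 1000, "max_unpacked_mb": 4095,
    "max_archive_depth": 20,
}

@dataclass
class FileFacts:  # constructed stand-in for what the scanner learns about one download
    size_mb: float
    unpacked_mb: float = 0.0
    archive_depth: int = 0
    threat_level: str = ""   # "low", "medium", "high", "severe" or "" when none found
    cleanable: bool = False
    suspicious: bool = False
    corrupted: bool = False
    encrypted: bool = False
    scannable: bool = True
    scan_seconds: float = 0.0

def decide(f: FileFacts, s: dict = DEFAULTS) -> str:
    """Return 'blocked-unscanned:<why>', 'blocked:<why>' or 'delivered:<state>'."""
    # Limits that block the file without it ever being scanned.
    if f.size_mb > s["max_file_mb"]:
        return "blocked-unscanned:size"
    if f.unpacked_mb > s["max_unpacked_mb"]:
        return "blocked-unscanned:unpacked-size"
    if f.archive_depth > s["max_archive_depth"]:
        return "blocked-unscanned:archive-depth"
    # Outcomes of the scan itself (order assumed for illustration).
    if f.scan_seconds > s["max_scan_seconds"]:
        return "blocked:scan-timeout"
    if f.encrypted and s["block_encrypted"]:
        return "blocked:encrypted"
    if not f.scannable:  # with the default setting, unscannable files are delivered uninspected
        return "blocked:unscannable" if s["block_unscannable"] else "delivered:unscanned"
    if f.corrupted and s["block_corrupted"]:
        return "blocked:corrupted"
    if f.threat_level in ("high", "severe"):
        if s["attempt_clean"] and f.cleanable:
            return "delivered:cleaned"
        return "blocked:" + f.threat_level
    if f.threat_level in ("low", "medium"):
        return "blocked:" + f.threat_level if s["block_low_medium"] else "delivered:low-medium-threat"
    if f.suspicious and s["block_suspicious"]:
        return "blocked:suspicious"
    return "delivered:clean"
```

Passing a modified copy of DEFAULTS (for example with block_unscannable set to True) shows how a single setting changes the outcome for the same file.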

Threat levels

The following levels are defined for the threats that are detected during malware inspection:

  • Low
  • Medium
  • High
  • Severe

By default, malware inspection does not block content that contains low and medium level threats.

Malware inspection exceptions

You may want to exclude high-volume trusted Web sites from inspection to improve performance. All traffic resulting from requests sent to the following types of destinations can be exempted from malware inspection:

  • IP addresses. The destination IP addresses included in specific network entities can be excluded from malware inspection. All HTTP traffic resulting from requests sent to IP addresses that are included in a network entity listed in the list of exemptions will not be scanned or in any way affected by malware inspection. The network entities included in this list may be computers, computer sets, networks, network sets, subnets, and IP address ranges.
  • Domain name sets. The domain names included in one or more domain name sets can be excluded from malware inspection. All HTTP traffic resulting from requests sent to domain names that are included in a domain name set listed in the list of exemptions will not be inspected for malware.
  • URL sets. The URLs included in one or more URL sets can be excluded from malware inspection. All HTTP traffic resulting from requests sent to the URLs that are included in a URL set listed in the list of exemptions will not be inspected by malware inspection.

The destinations that are exempt from malware inspection are specified on the Exceptions tab of the Malware Inspection dialog box. By default, the following Web sites are listed as exceptions in the predefined Sites Exempt from Malware Inspection domain name set:

  • *
  • *
  • *

Malware inspection exceptions override the settings of policy rules. Traffic from and to these destinations will never be inspected.

You should exclude only reputable Web sites from malware inspection. You should avoid excluding Web sites such as forums that offer content submitted by users. You should also be wary of Web sites from which users frequently download huge files by sending range requests, because a malicious Web site may attempt to use range requests to launch an attack against an organization that uses ISA with malware inspection in the following way:

  • Before sending any malicious content, the Web site builds up a good reputation by providing popular content in huge files. In this stage, the Web site forces users from the targeted organization to use range requests, for example, by aborting connections in which users try to download content without range requests.
  • When the Web site operator is confident that the targeted organization has excluded the Web site from malware inspection, the Web site operator provides malicious content in responses to range requests from the targeted organization.
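To make the exemption precedence and the range-request caveat concrete, here is an added Python example (not TMG's own code or API) that matches a request destination against the three exemption forms the page lists, applies the rule that exceptions override rule and global settings, and audits a constructed proxy log for exempt hosts that are fetched with Range requests. The exemption list, the log lines and the wildcard semantics (fnmatch style) are assumptions made for the example.

```python
import ipaddress
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed exemption list: IP network entities, a domain name set and a URL set.
EXEMPTIONS = {
    "ip_entities": [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("192.0.2.0/24")],
    "domain_sets": ["*.update.example", "cdn.example"],   # wildcard semantics assumed: fnmatch
    "url_sets": ["http://mirror.example/iso/*"],
}

def is_exempt(url, dest_ip, ex=EXEMPTIONS):
    """Return which exemption type matches ('ip', 'domain', 'url') or None."""
    host = urlsplit(url).hostname or ""
    ip = ipaddress.ip_address(dest_ip)
    if any(ip in net for net in ex["ip_entities"]):
        return "ip"
    if any(fnmatchcase(host, pat) for pat in ex["domain_sets"]):
        return "domain"
    if any(fnmatchcase(url, pat) for pat in ex["url_sets"]):
        return "url"
    return None

def will_inspect(url, dest_ip, global_enabled=True, rule_enabled=True, ex=EXEMPTIONS):
    """Inspection needs the global switch and the access rule on, and no exemption match."""
    if not (global_enabled and rule_enabled):
        return False
    return is_exempt(url, dest_ip, ex) is None

# Constructed proxy log sample: (url, destination IP, request carried a Range header)
SAMPLE_LOG = [
    ("http://mirror.example/iso/a.iso", "203.0.113.9", True),
    ("http://mirror.example/iso/b.iso", "203.0.113.9", True),
    ("http://www.example.org/big.bin", "198.51.100.5", True),
    ("http://cdn.example/app.exe", "203.0.113.7", False),
]

def exempt_range_request_hosts(log, ex=EXEMPTIONS):
    """Exempt hosts that clients fetch with Range requests: candidates for exemption review."""
    counts = {}
    for url, ip, has_range in log:
        if has_range and is_exempt(url, ip, ex):
            host = urlsplit(url).hostname
            counts[host] = counts.get(host, 0) + 1
    return counts
```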

Storage folder

By default, Forefront TMG uses the %SystemRoot%\Temp folder to temporarily accumulate and store files for malware inspection. You can change the location for temporarily storing files for malware inspection in Forefront TMG Management.

Content delivery settings

Because malware inspection may cause some delay in the delivery of content from the server to the client, Forefront TMG trickles portions of the content as files are inspected to improve the user experience during malware inspection. As an alternative, Forefront TMG can send progress notifications for specified types of files to reassure the user during this delay.

The content delivery settings include the following:

  • Enabling or disabling the sending of progress notifications for the specified types of content.
  • A list of the MIME content types and file name extensions for which progress notifications will be used when progress notifications are enabled.

For more information about trickling and progress notifications, see About content delivery.

Reporting information about malware discovered to Microsoft

Forefront TMG can automatically report information about malware discovered during malware inspection to the Microsoft Response Center. The reports include the source of the malware, its threat level, and the action that was taken, and they can include traffic samples and complete URLs. The Microsoft Response Center uses this information to help identify possible malware-distributing attack patterns. For more information, see About reporting malware-distributing URLs.

Forefront TMG uses definitions of known viruses, worms, and other malware for malware inspection. These definitions can be downloaded from Microsoft Update over the Internet. Forefront TMG automatically checks for and downloads new and updated definitions for malware inspection according to a user-defined updating schedule. At any time, you can also request Forefront TMG to check for new and updated malware definitions. The schedule is accessed through the Update Center node in Forefront TMG Management. When this node is selected, the time when the last check for new updates was made, the time when the last update was downloaded and installed, and the status of the last attempt to check for updates are displayed in the details pane. You can use this information to verify that updates are being obtained as expected after configuration.

By default, definitions are updated every 15 minutes. The Getting Started Wizard provides an opportunity to modify the schedule for obtaining updates for malware inspection. For more information about configuring the schedule for updating malware definitions, see Configuring update settings.

Microsoft requires you to have a subscription license to receive updates for the malware definitions from Microsoft Update after a 90-day evaluation period.

Definition updates are downloaded even if malware inspection is disabled. If you do not want Forefront TMG to check for and download updates for malware inspection, follow the procedure for configuring malware definition update settings, and on the Definition Updates tab, in Automatic Update Action, select Do nothing.

Each Web access rule has a setting for malware inspection. When each rule is created, you can enable malware inspection for it. When an access rule allows HTTP traffic, you can configure whether scanning is performed for content that the rule allows to be downloaded from the server to the client.

Malware inspection is disabled for system policy rules. A system policy rule that allows HTTP traffic from the Local Host network to the External network permits browsing of the Internet directly from the Forefront TMG computer. HTTP content provided in response to a request that was sent directly from the Forefront TMG computer and allowed by such a system policy rule is excluded from malware inspection. For this reason, we recommend that you do not browse the Internet directly from a Forefront TMG computer. You can block Web sites that are not trusted by adding them to the Restricted sites zone in Internet Explorer on the Forefront TMG computer.

The overall malware inspection activity is reported in the following two fields in the Forefront TMG activity statistics:

  • Packets scanned by malware inspection
  • Packets blocked by malware inspection

Forefront TMG generates reports about malware inspection activity. The following reports are included:

  • Top Threats. The most frequently detected threats.
  • Top Users. The users for which malware inspection was most frequently performed.
  • Top Sites. The Web sites from which content was inspected most frequently.
  • Top Inspection Times. The Web sites for which client-requested downloads required the longest average inspection time.

You can configure the number of threats, users, and Web sites included in the respective reports.