Configuring Malware Inspection in Forefront TMG 2010

Overview of Malware Inspection

Malware Inspection is a new feature of Forefront TMG 2010 that scans Web pages and downloaded files for viruses, malware, and other threats. Web traffic may carry malware such as worms, viruses, and spyware. When malware inspection is enabled, Web pages and files that are allowed by access rules can be inspected before they reach the client. The inspection is performed by the Malware Inspection Filter (a Web filter) using the Microsoft Antivirus (MSAV) engine, the same engine used by Microsoft Security Essentials and the Microsoft Forefront products. Malware definitions are downloaded from the Microsoft Update Web site; Forefront TMG automatically checks for and downloads new and updated definitions according to an administrator-defined update schedule.

The main purpose of the gateway malware inspection feature in Forefront TMG 2010 is to inspect Web traffic at the gateway so that viruses, worms, Trojan horses, spyware, rootkits and other threats are stopped before they reach the computers inside the organization. This adds a layer of defense on top of the host antivirus on the client. The core advantages of inspecting traffic for malware at the gateway are:

  • Protects users from downloading malicious files from the Internet.
  • Non-Microsoft and unmanaged clients (machines without host antivirus, or with out-of-date host antivirus) are also protected, because all Web traffic that passes through TMG 2010 is inspected at the edge.
  • Centralized monitoring and reporting.
  • Content policy enforcement.

This helps employees use the Internet safely and productively without worrying about malware and other threats, even if their workstations are unmanaged. Gateway inspection does not replace host antivirus, however: traffic that bypasses the gateway (for example, removable media or VPN split tunnels) is not covered.

In Forefront TMG, malware inspection is first enabled globally, and then applied (or overridden) on a per-rule basis. To enable malware inspection in Forefront TMG, we must:

  1. Activate the Web Protection license.
  2. Enable malware inspection globally (Configure Malware Inspection).
  3. Enable malware inspection on the Web access rules that should be protected.

Global malware inspection settings are configured by clicking the Configure Malware Inspection task under Policy Editing Tasks in the Web Access Policy node. These settings apply to all Web access rules unless explicitly overridden.

Administrators can override the global malware inspection settings on a per-rule basis in the Web Access Policy. For instance, the administrator can allow a specific set of users to download larger files than the global limit permits.

Implementing Malware Inspection:

1. In the Forefront TMG Management Console, in the tree, click Web Access Policy.

2. In the Task tab, click Configure Malware Inspection.

3. Ensure that Enable malware inspection is selected, and then select Block traffic in relevant rules until the download completes.
(This makes the gateway fail closed: until the malware inspection engine has acquired a definition file, traffic matching any access rule that has malware inspection enabled is blocked rather than passed through uninspected.)

4. On the Malware Inspection dialog box, click the Destination Exceptions tab, select Sites Exempt from Malware Inspection, and click Edit.
This is a default Domain Name Set containing Microsoft domains that are regarded as trustworthy and do not require malware inspection. We can add an existing URL Set, or edit the current Domain Name Set to add destination Web sites (for example, online banking sites) that should not be inspected. Keep this list short: content from an exempted destination is never scanned, so a compromised page under an exempted domain passes straight through to the client.

5. On the Sites Exempt from Malware Inspection Properties dialog box, click Add, type *.msserverpro.com, and click OK.

6. On the Malware Inspection dialog box, click the Source Exceptions tab.

7. Click Add, click New, and then click Address Range to specify the computers (for example, management servers, managers, or the IT department) whose Web traffic is exempt from malware inspection. Machines listed here rely entirely on their host antivirus, so exempt them only when there is a clear operational reason.

8. On the Malware Inspection dialog box, click the Inspection Settings tab.

This tab defines the global parameters for malware inspection. By default, these settings apply to every Web access rule that specifies malware protection. Each setting on this tab can be overridden in individual Web access rules.

9. On the Malware Inspection dialog box, click the Content Delivery tab. Ensure that Standard trickling is selected.

Trickling is designed to prevent clients from timing out a download when they do not receive the requested content within a reasonable time. This can happen when scanning a file takes a long time, either because the file is very large or because the server is under load.

Standard trickling sends small bursts of data (50 bytes every 5 seconds) to the client until the entire file has been scanned. When it is selected, specific content types can be nominated for Fast trickling or for Notification.

Fast trickling sends the data to the user as quickly as it can but holds back the last part of the file until the scan is complete; if the scan finds malware, the client is left with a truncated, unusable file. If this method is selected, specific content types can still be nominated for Notification.

10. In Content Type Exceptions, ensure that Use progress notification instead of the default content delivery method for the selected content types is selected, and then click Content Types for Progress Notification.

11. Click the Content Types tab.

This shows the default list of content types that use progress notification instead of trickling (66 content types by default). These types are still inspected; the exception only changes how the content is delivered, so the user sees a download progress page while the scan runs instead of receiving trickled bytes. We can add more types (for example, application/pdf) by clicking Content Types for Progress Notification.

12. Click Content Types for Fast Trickling, and then click the Content Types tab.
Scroll down the list and notice that all of the exceptions are audio and video content types. This gives a better user experience for these latency-sensitive applications, so this content uses fast trickling by default.

13. On the Malware Inspection dialog box, click the Storage tab.
Do not change the default settings for this folder (NTFS permissions and compression). If file-based antivirus is installed on the TMG server, exclude this folder (%SystemRoot%\Temp\ScanStorage) from real-time scanning; otherwise the host antivirus will contend with the inspection engine for every file being scanned. If the TMG server is heavily loaded, specify a non-system drive with a RAID level appropriate for performance.

14. On the Malware Inspection dialog box, click the Definition Updates tab. Signature updates can be released several times a day, and protection is best when new signatures are obtained as quickly as possible. Leave the default setting, Check for and install definitions (recommended), under Select automatic definition update action, and leave Automatic polling frequency at Every 15 minutes. This is the recommended setting for receiving definition updates.

15. Click the License Details tab. The Forefront TMG Web Protection Service is a subscription-based license, purchased per user or per device, and must be active for malware inspection to work.

16. When finished, click OK. On the Apply Changes bar, click Apply, confirm with Apply in the dialog box, and then click OK to complete the global Malware Inspection configuration.

Now that Malware Inspection is configured globally, we can override the general settings on a per-rule basis in the Web Access Policy. For example, we can allow a specific range of IP addresses or a specific set of users to download larger files.

1. In the Forefront TMG Management Console, click Web Access Policy.

2. Right-click the access rule that you want to change, and choose Properties.

3. On the access rule's Properties dialog box, click the Malware Inspection tab. Malware inspection is enabled for the rule when the Inspect content downloaded from Web servers to clients check box is selected. To stop inspecting traffic for this rule, simply clear this option.

4. To customize the malware inspection settings for this rule, select the Use rule specific settings for malware inspection check box and click Rule Settings... This opens the same blocking options as the global Inspection Settings tab (for example, the large file size threshold), applied only to this rule.

Testing Malware Inspection using Internet Access:

1. Log on to the client workstation, open Internet Explorer, and browse to http://www.eicar.org/85-0-Download.html

2. Click the file called eicar.com.txt in the download area for the HTTPS protocol. The user receives the block notification from TMG (see the note below).

Note: To scan HTTPS traffic for malware, HTTPS Inspection must be enabled; without it, TMG cannot see the contents of an encrypted download. For more information see my previous ISA/TMG article on Configuring HTTPS Inspection in Forefront TMG 2010 Automatically through Active Directory.

3. In the Forefront TMG Management console, in the tree, click the Monitoring node, click the Alerts tab, and press F5 to refresh the alert list. Expand the Malware Inspection Filter Detected Malware alert; each instance of the alert is listed underneath it.

4. In the Forefront TMG Management console, click the Logs & Reports node and then the Logging tab. The log shows that the file was blocked, along with the reason why it was blocked.
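The browser test above is a one-off check. The script below is an added example (not part of the original article and not a Microsoft tool) that repeats the same EICAR test from a client through the proxy and classifies what actually arrived, so it can be rerun after every policy or rule change. The proxy address and the direct download URL are assumptions to replace with your own; the classifier itself works offline on constructed response bodies, and it distinguishes a clean block from the truncated file that fast trickling leaves behind when the held-back tail is withheld after a positive scan.

```python
"""Repeatable EICAR download test through a forward proxy such as TMG.

Added example, not code from the original article. Assumptions:
  - PROXY is the TMG Web proxy listener (hypothetical address).
  - TEST_URL is the direct EICAR download link (assumed; adjust as needed).
  - A blocked download returns TMG's notification page instead of the
    file, so the EICAR signature is absent from the body.
"""
import urllib.error
import urllib.request

# The standard 68-byte EICAR test string: a defined, harmless AV test
# signature that every engine is expected to detect.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

PROXY = "http://tmg.example.local:8080"          # assumed proxy address
TEST_URL = "http://www.eicar.org/download/eicar.com.txt"  # assumed URL


def classify_response(body: bytes) -> str:
    """Classify the bytes the client actually received.

    'passed'    - the full EICAR signature arrived: inspection did not block.
    'truncated' - only a leading fragment of the signature arrived, which is
                  what fast trickling produces when the final part of the
                  file is withheld after the scan flags it.
    'blocked'   - no part of the signature arrived (for example, the proxy's
                  own notification page).
    """
    if EICAR in body:
        return "passed"
    # Match the longest EICAR prefix at the start of the body. Require more
    # than 8 bytes so an unrelated HTML page can never match by accident.
    for n in range(len(EICAR) - 1, 8, -1):
        if body.startswith(EICAR[:n]):
            return "truncated"
    return "blocked"


def fetch_via_proxy(url: str = TEST_URL, proxy: str = PROXY,
                    timeout: float = 120.0):
    """Download url through the proxy and return (status, body).

    The long timeout is deliberate: with standard trickling the proxy keeps
    the connection alive with small bursts while the scan runs, and a short
    client timeout would misreport a slow scan as a failed connection.
    """
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy})
    )
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        # A denied request is assumed to come back with an HTTP error status
        # and the proxy's notification page as the body; keep both.
        return exc.code, exc.read()


if __name__ == "__main__":
    status, body = fetch_via_proxy()
    print(f"HTTP {status}: {classify_response(body)} ({len(body)} bytes)")
```

Run it from a workstation inside the protected network after applying the policy: "blocked" is the expected result for a rule with malware inspection enabled, "passed" means the request matched an exempt source or destination (or a rule without inspection), and "truncated" indicates that the content type is being delivered by fast trickling. For the HTTPS variant of the test URL the same three outcomes apply, but only if HTTPS Inspection is enabled.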

Summary:

Malware Inspection is a new feature of Forefront TMG 2010 that scans Web pages and downloads for viruses, malware, and other threats. A useful aspect of TMG Malware Inspection is that the administrator can exclude traffic by source and by destination, and that inspection can be configured both globally and per access rule. The above article outlines how to configure Malware Inspection in Forefront TMG 2010. I hope this helps.
