Web traffic may contain malware such as worms, viruses, and spyware. Forefront TMG uses definitions of known viruses, worms, and other malware, which it downloads from Microsoft Update or Windows Server Update Services (WSUS), for malware inspection. The Forefront TMG Malware Inspection Filter scans Web pages and files that were requested by client computers, and either cleans harmful HTTP content, or blocks it from entering the internal network.
The following sections provide information to help you plan malware inspection in your organization:
Deployment considerations
When you plan to deploy malware inspection in your organization, consider the following:
- Malware inspection is subscription based, and
is part of the Forefront TMG Web Security Service license. For
licensing information, see How to Buy Forefront Edge Security and Access Products
(http://go.microsoft.com/fwlink/?LinkId=107228).
- To keep your systems protected from the
latest threats, verify that Forefront TMG has connectivity to the
selected update source, Microsoft Update or WSUS, and that
automatic installation of the latest signatures is enabled. For
more information, see Planning for updates of
protection definitions.
- By default, Forefront TMG temporarily
accumulates and stores files for malware inspection in the
%SystemRoot%\Temp folder. Note that when downloading a large
number of files larger than 64 KB, disk I/O to this folder can become a bottleneck. If
you anticipate a large number of large downloads in your
organization, it is recommended that you place the
ScanStorage folder on a separate physical disk. For
information, see Configuring the malware
inspection storage location.
- You might want to exclude selected Web sites
from malware inspection for specific reasons:
- Excluding sources—The main reason for
excluding sources from malware inspection is to avoid scanning
content more than once, which has a performance cost and is
problematic in some scenarios. A typical scenario is when content
is scanned for malware by a downstream proxy. In such a case, you
should configure the upstream proxy to exclude from scanning all
requests coming from the downstream proxy.
- Excluding destinations—The main reasons for
excluding destinations from malware inspection are, to improve
performance by the exclusion of trusted sites, and to solve
compatibility issues.
- Malware inspection can be disabled globally
for troubleshooting purposes, or when using a third-party malware
inspection mechanism. For example, you can disable it temporarily to
determine whether malware inspection is the cause of a performance
problem. While it is disabled, Web content passes to clients uninspected,
so re-enable it as soon as the test is complete.
Threat levels
The following table lists the categories that can be assigned to the threats that are detected during malware inspection, and the action taken for each category when malware inspection is enabled. For configuration information, see Configuring malware inspection options.
Threat category | Description | Action
---|---|---
Low severity threat | Potentially unwanted software that might collect information about you or your computer or change how your computer works, but is operating in agreement with licensing terms displayed when you installed the software. | Configurable by the Forefront TMG administrator. Default: allow
Medium severity threat | Programs that might affect your privacy or make changes to your computer that could negatively impact your computing experience, for example, by collecting personal information or changing settings. | Configurable by the Forefront TMG administrator. Default: allow
High severity threat | Programs that might collect your personal information and negatively affect your privacy or damage your computer, for example, by collecting information or changing settings, typically without your knowledge or consent. | Configurable by the Forefront TMG administrator. Default: block
Infected files | Traditionally, infected files are files that have been infected by a virus; viruses insert or add their code to a file so that the virus can spread. More broadly, an infected file is any file reported as malware or potentially unwanted software. | Block (not configurable)
Suspicious files | Suspicious files display one or more characteristics or behaviors associated with known malware. Files reported as suspicious are often detected proactively and may not have been previously seen by Microsoft analysts; the user may be prompted to submit them to Microsoft for further analysis so that a specific detection can be added if required. | Configurable by the Forefront TMG administrator. Default: block
Corrupted files | Files that have been modified in some way and may no longer function as intended. | Configurable by the Forefront TMG administrator. Default: allow
Encrypted files | Files that have been transformed by encryption into a format that cannot be read, by humans or by the inspection engine, until it is decrypted. Because the scanner cannot see inside them, malware can use encryption to hide its code and evade detection and removal. | Configurable by the Forefront TMG administrator. Default: block
Content delivery methods
Because malware inspection may cause some delay in the delivery of content from the server to the client, Forefront TMG enables you to shape the user experience while Web content is scanned for malware, by selecting one of the following delivery methods for scanned content:
- Trickling—Forefront TMG sends small portions of the
content to the client as the files are downloaded and inspected. This
keeps the client application from reaching its time-out limit before
the entire content is downloaded and inspected. Because the verdict is
known only after the whole file has been received, a file that is then
blocked reaches the client as an incomplete file rather than being
withheld entirely.
- Progress notification—Forefront TMG sends an
HTML page to the client computer, informing the user that the
requested content is being inspected, and displaying an indication
of the download and inspection progress. After download and
inspection of the content are completed, the page informs the user
that the content is ready, and displays a button for downloading
the content.
For information, see Configuring malware inspection content delivery.
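The two delivery modes, as an added simulation that is not Forefront TMG code: the proxy below buffers an upstream response for inspection, `trickle` releases single bytes at intervals to keep the client connection alive, and `progress_notification` sends an HTML status page and holds the entire body back. The scanner is a one-signature stand-in that matches the EICAR anti-malware test string; the chunk size, the trickle interval, the download URL and the sample responses are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List

# Stand-in for the downloaded malware definitions: a single signature, the
# EICAR anti-malware test string, which real engines flag by design.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def inspect(body: bytes) -> bool:
    """Inspect the fully buffered response body; True means 'block'."""
    return EICAR in body


def chunked(body: bytes, size: int = 8) -> Iterator[bytes]:
    """Constructed upstream server response, yielded in fixed-size chunks."""
    for i in range(0, len(body), size):
        yield body[i:i + size]


@dataclass
class ClientView:
    """What the client application actually received on its connection."""
    chunks: List[bytes] = field(default_factory=list)
    notice: str = ""      # HTML page sent instead of the body, if any
    reset: bool = False   # connection was aborted after a block verdict

    @property
    def received(self) -> bytes:
        return b"".join(self.chunks)


def trickle(upstream: Iterator[bytes], trickle_every: int = 4) -> ClientView:
    """Trickling: release one byte of the real body every `trickle_every` chunks.

    The keep-alive bytes stop the client from timing out while the rest is
    buffered. The verdict is only known once the whole body has arrived: a
    clean body is then flushed; a blocked one leaves the client holding the
    bytes already trickled on a reset connection (an incomplete file).
    """
    client = ClientView()
    buffered = bytearray()
    sent = 0  # bytes already released to the client
    for i, chunk in enumerate(upstream):
        buffered += chunk
        if i % trickle_every == 0 and sent < len(buffered):
            client.chunks.append(bytes(buffered[sent:sent + 1]))
            sent += 1
    if inspect(bytes(buffered)):
        client.reset = True
    else:
        client.chunks.append(bytes(buffered[sent:]))
    return client


def progress_notification(upstream: Iterator[bytes], download_url: str) -> ClientView:
    """Progress notification: the client sees an HTML status page, never a partial body.

    The proxy downloads and inspects the entire body before anything from it
    is released; the page then either reports the block or offers a download
    link (assumed URL) for the clean, fully scanned content.
    """
    client = ClientView()
    buffered = b"".join(upstream)
    if inspect(buffered):
        client.notice = "<html><body>The requested content was blocked: malware detected.</body></html>"
        return client
    client.notice = (
        "<html><body>Download and inspection complete. "
        f'<a href="{download_url}">Download</a></body></html>'
    )
    client.chunks.append(buffered)  # delivered when the user follows the link
    return client


def compare(body: bytes) -> Dict[str, object]:
    """Run both modes on the same body and summarize what reached the client."""
    t = trickle(chunked(body))
    p = progress_notification(chunked(body), "/malware-inspection/download?id=1")
    return {
        "blocked": t.reset or "blocked" in p.notice,
        "trickle_bytes_at_client": len(t.received),
        "trickle_partial_file": t.reset and 0 < len(t.received) < len(body),
        "notification_bytes_at_client": len(p.received),
    }


if __name__ == "__main__":
    clean = b"Hello, this is a clean download." * 3
    infected = b"GET THIS FILE " + EICAR + b" trailing bytes"
    print("clean   :", compare(clean))
    print("infected:", compare(infected))
```

Running `compare` on the infected sample shows the trade-off in numbers: trickling has already handed the client the first bytes of the file when the block verdict arrives, while progress notification delivers nothing from the body at all. Choose trickling where client time-outs on large downloads are the problem, and progress notification where no fragment of unscanned content may reach the client.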