Web traffic may contain malware such as worms, viruses, and spyware. Forefront TMG uses definitions of known viruses, worms, and other malware, which it downloads from Microsoft Update or Windows Server Update Services (WSUS), for malware inspection. The Forefront TMG Malware Inspection Filter scans Web pages and files that were requested by client computers, and either cleans harmful HTTP content, or blocks it from entering the internal network.

The following sections provide information to help you plan malware inspection in your organization:

Deployment considerations

When you plan to deploy malware inspection in your organization, consider the following:

  • Malware inspection is subscription based, and is part of the Forefront TMG Web Security Service license. For licensing information, see How to Buy Forefront Edge Security and Access Products (http://go.microsoft.com/fwlink/?LinkId=107228).

  • To keep your systems protected from the latest threats, verify that Forefront TMG has connectivity to the selected update source, Microsoft Update or WSUS, and that automatic installation of the latest signatures is enabled. For more information, see Planning for updates of protection definitions.

  • By default, Forefront TMG temporarily accumulates and stores files for malware inspection in the %SystemRoot%\Temp folder. Note that when downloading a large number of files larger than 64KB, performance issues may arise. If you anticipate a large number of large downloads in your organization, it is recommended that you place the ScanStorage folder on a separate physical disk. For information, see Configuring the malware inspection storage location.

  • You might want to exclude selected Web sites from malware inspection for specific reasons:

    • Excluding sources—The main reason for excluding sources from malware inspection is to avoid scanning content more than once, which has a performance cost and is problematic in some scenarios. A typical scenario is when content is scanned for malware by a downstream proxy. In such a case, you should configure the upstream proxy to exclude from scanning all requests coming from the downstream proxy.

    • Excluding destinations—The main reasons for excluding destinations from malware inspection are, to improve performance by the exclusion of trusted sites, and to solve compatibility issues.

    For information, see Defining exemptions to malware inspection.

  • Malware inspection can be disabled globally for troubleshooting purposes, or when using a third-party malware inspection mechanism. For example, you can disable malware inspection, in order to determine whether disabling malware inspection improves performance.

Threat levels

The following table lists the categories that can be assigned to the threats that are detected during malware inspection, and the action taken for each category when malware inspection is enabled. For configuration information, see Configuring malware inspection options.

Threat category Description Action

Low severity threat

Potentially unwanted software that might collect information about you or your computer or change how your computer works, but is operating in agreement with licensing terms displayed when you installed the software.

Configurable by the Forefront TMG administrator.

Default: allow

Medium severity threat

Programs that might affect your privacy or make changes to your computer that could negatively impact your computing experience, for example, by collecting personal information or changing settings.

Configurable by the Forefront TMG administrator.

Default: allow

High sensitivity threat

Programs that might collect your personal information and negatively affect your privacy or damage your computer, for example, by collecting information or changing settings, typically without your knowledge or consent.

Configurable by the Forefront TMG administrator.

Default: block

Infected files

Traditionally, infected files refer to files that have been infected by a virus. Viruses insert or add their code to a file to enable the virus to spread. However, infected files may be more broadly described as any file reported as malware or potentially unwanted software.


Suspicious files

Suspicious files may display one of more characteristics or behaviors associated with known malware.  Files reported as suspicious are often detected proactively and may not have been previously seen by our analysts. Files detected as suspicious are quarantined and users may be prompted to submit these files to us for further analysis, so that specific detection may be added if required.

Configurable by the Forefront TMG administrator.

Default: block

Corrupted files

Corrupted files are those that have been modified in some way and may no longer function as intended.

Configurable by the Forefront TMG administrator.

Default: allow

Encrypted files

Encrypted files are those that have been transformed using encryption into an unreadable format for the purposes of secrecy. Once encrypted, such data cannot be interpreted (either by humans or machines) until it is decrypted. Malware may use encryption in order to obfuscate its code (make its code unreadable), thus hoping to hinder its detection and removal from the affected computer.

Configurable by the Forefront TMG administrator.

Default: block

Content delivery methods

Because malware inspection may cause some delay in the delivery of content from the server to the client, Forefront TMG enables you to shape the user experience while Web content is scanned for malware, by selecting one of the following delivery methods for scanned content:

  • Tricking—Forefront TMG sends portions of the content to the user as the files are inspected. This process helps prevent the client application from reaching a time-out limit before the entire content is downloaded and inspected.

  • Progress notification—Forefront TMG sends an HTML page to the client computer, informing the user that the requested content is being inspected, and displaying an indication of the download and inspection progress. After download and inspection of the content are completed, the page informs the user that the content is ready, and displays a button for downloading the content.

For information, see Configuring malware inspection content delivery.

Related Topics