When you create a Web access rule and enable malware inspection on that rule, a default set of malware inspection options and thresholds is applied to that rule.
You can adjust these options and thresholds in two ways:
- By modifying the global malware inspection
settings—Settings are applied by default to each access rule on
which malware inspection is enabled.
- By modifying the settings for individual Web
access rules—Per-rule settings override the global malware
inspection settings. For details, see Creating an access
For a description of malware inspection file types, see Planning to protect against malicious Web content.
The following procedure describes how to configure the global malware inspection options.
To configure global malware inspection options
In the Forefront TMG Management console, in the tree, click the Web Access Policy node.
On the Tasks tab, click Configure Malware Inspection.
Click the Inspection Settings tab, and specify whether the malware inspection engine should attempt to clean files and what type of content should be blocked. It is recommended that you keep the default settings. Note the following:
- When Attempt to clean infected files
is enabled, files that cannot be cleaned are purged. When using
trickling, Forefront TMG closes the TCP connection and records the
reason in the log. When using progress notification, Forefront TMG
issues an HTML page to notify the user that the file has been
Note: For more information about trickling and progress notification, see Configuring malware inspection content delivery.
- The setting Block suspicious files is
designed to block files that appear to be infected with unknown
- The setting Block corrupted files is
turned off by default. Turning on this setting may cause a false
positive and block files that are not actually harmful.
- The setting Block files if archive depth
level exceeds is designed to block malware that arrives in
archives with deep nesting to avoid detection.
- The setting Block archive files if
unpacked content is larger than (MB) is designed to avoid
decompressing small archive files to a large size when
Note: To scan HTTPS traffic for malware, you must enable HTTPS inspection. For more information, see Configuring HTTPS inspection.
- When Attempt to clean infected files is enabled, files that cannot be cleaned are purged. When using trickling, Forefront TMG closes the TCP connection and records the reason in the log. When using progress notification, Forefront TMG issues an HTML page to notify the user that the file has been blocked.
Copyright © 2009 by Microsoft Corporation. All rights reserved.