Configuring malware inspection optional settings

Applies To: Forefront Threat Management Gateway (TMG)

When you create a Web access rule and enable malware inspection on that rule, a default set of malware inspection options and thresholds is applied to that rule.

You can adjust these options and thresholds by modifying the following settings:

  • Global malware inspection settings—Settings are applied by default to each access rule on which malware inspection is enabled. See Configuring global malware inspection options.

  • Individual Web access rules settings—Per-rule settings override the global malware inspection settings. See Configuring per-rule malware inspection settings.

For both configuration options, note the following:

  • When Attempt to clean infected files is enabled, files that cannot be cleaned are purged. When using trickling, Forefront TMG closes the TCP connection and records the reason in the log. When using progress notification, Forefront TMG issues an HTML page to notify the user that the file has been blocked.

    For information about trickling and progress notification, see Configuring content delivery for malware inspection.

  • The setting Block suspicious files is designed to block files that appear to be infected with unknown malware.

  • The setting Block corrupted files is turned off by default. Turning on this setting may cause a false positive and block files that are not actually harmful.

  • The setting Block files if archive depth level exceeds is designed to block malware that arrives in archives with deep nesting to avoid detection.

  • The setting Block archive files if unpacked content is larger than (MB) is designed to avoid decompressing small archive files to a large size when unpacked.

Configuring global malware inspection settings

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. On the Tasks tab, click Configure Malware Inspection.

  3. Click the Inspection Settings tab, and fine-tune global malware inspection block thresholds and other options.

Configuring per-rule malware inspection settings

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. In the details pane, right-click the rule you want to modify, and then click Properties.

  3. On the Malware Inspection tab, verify that Inspect content downloaded from Web servers to clients is selected. Click Use rule specific settings for malware inspection, and then click Rule Settings.

  4. Use the Edit Rule Malware Inspection Settings dialog box to fine-tune malware inspection block thresholds and other options for this rule.


Configuring malware inspection in Forefront TMG secure Web gateway