Enabling malware inspection
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
This topic describes how to enable malware inspection for HTTP traffic in outbound requests. In Forefront TMG, you enable malware inspection globally first, and then on a per-rule basis.
To enable malware inspection in Forefront TMG, you must:
1. Activate the Web Protection license.
2. Enable malware inspection on Web access rules.
The following procedures describe how to complete these steps:
Enabling global malware inspection
Enabling malware inspection on the Web access policy rules
Enabling global malware inspection
To enable global malware inspection
1. In the Forefront TMG Management console, in the tree, click the server name node.
2. On the Tasks tab, click Launch Getting Started Wizard, and then click Define deployment options.
3. Make a selection on the Microsoft Update Setup page, and click Next.
4. On the Forefront TMG Protection Features Settings page, do the following:
   a. Select one of the licenses to enable Web protection.
   b. If you selected the Activate purchased license and enable Web Protection option, type the license activation code next to Key.
   c. Verify that Enable malware inspection is selected.
5. Continue advancing through the wizard, and then click Finish.
When you enable malware inspection, Forefront TMG automatically downloads the malware inspection engine and the latest signatures. This initial download may take several minutes, and during that time HTTP traffic is not inspected for malware. By default, traffic is still allowed during this window on access rules to which malware inspection is applied. If you would rather block traffic on those rules until the engine and signatures are in place, on the Web Access Policy node click Configure Malware Inspection, and then on the General tab click Block traffic in relevant rules until the download completes.
Enabling malware inspection on Web access policy rules
After enabling malware inspection globally on Forefront TMG, you must enable it on specific access rules, as follows:
If you are creating new access rules, you can enable inspection by using the Web Access Policy Wizard or the New Access Rule Wizard.
If you already have a rule to which you want to apply malware inspection, you can edit the properties of that rule.
To enable malware inspection using the Web Access Policy Wizard
1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node, and in the Tasks pane, click Configure Web Access Policy.
2. Follow the on-screen instructions for creating Web access policy rules.
3. On the Malware Inspection Settings page, click Inspect Web content requested from the Internet. If required, select Block encrypted archives (for example, zip files).
4. Continue advancing through the wizard. After you click Finish, click Apply on the Apply Changes bar.
To enable malware inspection using the New Access Rule Wizard
1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node, and in the Tasks pane, click Create Access Rule.
2. Follow the on-screen instructions for creating an access rule. For more information, see Creating an access rule.
3. On the Malware Inspection page, select Enable malware inspection for this rule.
To enable malware inspection on existing rules
1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.
2. In the details pane, right-click the rule you want to modify, and then click Properties.
3. On the Malware Inspection tab, select Inspect content downloaded from Web servers to clients.
While it is recommended that you keep the default settings, you can set malware inspection options for this rule that are different from those set globally. To do this, click Use rule specific settings for malware inspection. Then click Rule Settings to fine-tune malware inspection block thresholds and other options for this rule. For more information about malware inspection settings, see Configuring malware inspection options.
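The procedures above are performed in the management console, which makes it easy to miss a rule. The following read-only PowerShell audit is an added example, not part of this documentation or of Forefront TMG's own tooling: it reports the global malware inspection state and lists each access rule with its inspection setting, so you can confirm that the global switch and the per-rule switch are both on. It assumes the Forefront TMG administration COM object model (ProgID FPC.Root) and the property names listed in its header comment; those names are not on this page and should be verified against the TMG SDK before relying on the output.

```powershell
# Added audit script (not from the Forefront TMG documentation).
# Read-only: it never calls Save() or applies changes. Run in an
# elevated PowerShell session on the TMG server.
#
# ASSUMED object model (verify against the Forefront TMG SDK):
#   FPC.Root                                  -> COM ProgID of the TMG administration root
#   $root.GetContainingArray()                -> the array this server belongs to
#   $array.MalwareInspectionSettings.Enabled  -> global "Enable malware inspection"
#   $array.ArrayPolicy.PolicyRules            -> firewall policy rule collection
#   $rule.Type -eq 0                          -> fpcPolicyRuleAccess (an access rule)
#   $rule.MalwareInspectionSettings.Enabled   -> per-rule "Inspect content downloaded
#                                                from Web servers to clients"

$root  = New-Object -ComObject FPC.Root
$array = $root.GetContainingArray()

# Global switch first: per-rule settings have no effect without it.
$globalEnabled = [bool]$array.MalwareInspectionSettings.Enabled
"Global malware inspection enabled: $globalEnabled"
if (-not $globalEnabled) {
    "WARNING: enable malware inspection globally (Getting Started Wizard) before relying on rule settings."
}

# Per-rule state for access rules only; publishing rules have no Malware Inspection tab (assumption).
$report = foreach ($rule in $array.ArrayPolicy.PolicyRules) {
    if ($rule.Type -ne 0) { continue }
    [pscustomobject]@{
        Rule              = $rule.Name
        RuleEnabled       = [bool]$rule.Enabled
        MalwareInspection = [bool]$rule.MalwareInspectionSettings.Enabled
    }
}

$report | Format-Table -AutoSize

# Enabled access rules with inspection off are the ones to review: if they
# allow HTTP, downloads through them are not scanned.
$gaps = $report | Where-Object { $_.RuleEnabled -and -not $_.MalwareInspection }
if ($gaps) {
    "Enabled access rules WITHOUT malware inspection (review whether they carry HTTP):"
    $gaps | ForEach-Object { "  - $($_.Rule)" }
}
```

Rules that appear in the final list are not necessarily misconfigured; a rule that only allows non-HTTP protocols does not need inspection. Treat the list as the set of rules to check against the procedure "To enable malware inspection on existing rules" above.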
The next step in enabling malware inspection is to configure malware definition updating, and to enable download of the latest engine and definitions. For instructions, see Configuring malware definition updates.