Configuring the AntiMalware functionality in Microsoft Forefront TMG

Keep in mind that the information in this article is based on a beta version of Microsoft Forefront TMG and is subject to change.

Get your copy of the German language “Microsoft ISA Server 2006 – Das Handbuch”

Let us begin…

A few month ago, Microsoft released Beta 2 from Microsoft Forefront TMG (Threat Management Gateway), which has a lot of new exiting features.

Definition of Malware

Wikipedia defines Malware as follows: “Malware, a portmanteau from the words malicious and software, is software designed to infiltrate or damage a computer system without the owner’s informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.The term “computer virus” is sometimes used as a catch-all phrase to include all types of malware, including true viruses. Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software.”

Malware Protection

With Microsoft Forefront TMG it is possible to protect your network against Malware, before Malware content can reach your internal network because TMG scans all related HTTP traffic for malicious content.

The Malware protection feature in Microsoft Forefront TMG uses the same Malware Protection Engine which is also used in Microsoft Forefront Client Security (FCS), Live One Care and Windows Defender.

Some of the Malware features are configured globally, but it is also possible to configure some settings on a rule base. It is also possible to enable or disable the Malware inspection feature per Firewall policy rule.

General settings

The global Malware settings are configured in the new ISA TMG node called Web Access Policy.

Figure 1: Web Access Policy node

Click Configure Malware Inspection in the right task pane to configure the global settings. The settings in the first register card allows you to enable or disable the Malware Inspection filter. Malware must also be enabled in the Firewall policy rule where you want to use the Malware feature.

Figure 2: Enabling Malware inspection

The standard settings blocks all network traffic when Malware inspection is activated but TMG does not find a Malware Inspection engine update. It is possible to change this behavior, but it reduces the overall security.

Destination exceptions

It is possible to exclude some websites from Malware filtering. Some websites like Microsoft websites are automatically excluded from Malware checking. It is possible to extend the list with your own websites.

Figure 3: Destination exceptions

Source exceptions

Like destination exceptions, Source exeptions exludes some internal clients and Servers from Malware scanning when they open websites.

Inspection settings

The Inspection settings in the Malware protection feature allows the configuration and fine tuning of several settings. It is possible to configure different block settings when the Malware inspection should block infected or suspicious files, or files that cannot be scanned. TMG by default blocks encrypted files.

Figure 4: Inspection settings

It is also possible to configure the Malware inspection to block files when the scanning time exceeds a configured limit or if files to download are larger than the specified size in Megabyte and something more.

Content Delivery

The Content Delivery tab allows TMG Administrator to configure the user experience while the Malware inspection of TMG scans the network traffic. Because downloading larger files can take a relatively long time and the user will normally get a no status message about the download and downloads could run into timeouts, it is possible to configure how the Malware inspection feature displays a progress notification to users. Forefront TMG sends an HTML page to the client. This HTML page informs  users that the requested content is being inspected and displays an indicator of the download and Malware inspection progress.

Figure 5: Content delivery settings

Standard trickling is used to send the requested content at a slow rate to the client who requested the content. The content will be cached on TMG during Malware inspection. Fast trickling is used to find the balance between the end user experience during downloading files and the wish of the TMG Administrator for less file buffering on TMG and more scans. If an infection is found in the file that is trickled to the user, Microsoft Forefront TMG resets the connection and the download is not delivered to the client.


The Storage setting allows TMG Administrator to specify the location for the local temporary storage where the Malware engine temporary places downloaded content which should be scanned for Malware. If TMG Server is heavily loaded, you should specify another directory for the temporary Malware Storage location.

Figure 6: Storage for temporary scanned files during Malware inspection

Update configuration

The Malware inspection feature in TMG is only effective if there are permanent updates for this feature to protect against new Malware. By default, the Malware inspection feature in TMG scans every 15 minutes for updates against the Microsoft servers. You need a valid subscription to use this feature.

Figure 7: Update configuration settings

License Details

The Malware protection feature is licensed for a period of time. It is possible to see the license details in this configuration window.

Figure 8: License details

Update Center

A permanent update of the Malware Inspection filter definitions is absolutely necessary if you want to be protected against the newest tricks of Malware producers. The Update Center allows you to configure updates for several components in Microsoft Forefront TMG.

Figure 9: Update Center

Malware Inspection is configured globally, but can be enabled or disabled for every Firewall rule.

Figure 10: Enable or disable Malware settings

It is also possible to configure rule specific settings for Malware inspection.

Figure 11: Firewall policy rule specific Malware inspection settings

The rule specific settings are the same as the global settings.

Figure 12: Rule specific Malware Inspection settings

User experience

If the Malware inspection finds suspicious content and the content will be blocked, the user gets notified as you can see in the following figure.

Figure 13: User notification if Malware was found


In this article, I gave you an overview on the Microsoft Forefront Threat Management Gateway Antimalware features. I also tried to show you the configuration of the Antimalware functionality and how Administrators can protect its networks. The Antimalware functionality is a great weapon for TMG Administrators to fight against Malware.

Related links

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top