Installing and Configuring the Email Hygiene Solution on the TMG 2010 Firewall – Part 4: Configuring Virus and Content Filtering

If you would like to read the other parts in this article series please go to:

Introduction

In Part 3 of this series on the TMG email hygiene solution, we went over the details of the anti-spam feature configuration. In this Part 4, we will take a look at the Virus and Content Filtering features.

Virus and Content Filtering

In the TMG firewall console, click on the Email Policy node in the left pane. In the middle pane of the console, click the Virus and Content Filtering tab. This exposes the three content filtering options available for TMG email protection. These are:

  • File Filtering: File filtering allows you to control which file attachments are allowed into and out of your network’s email system

  • Virus Filtering: Virus filtering enables you to block malware from coming into and leaving your email system

  • Message Body Filtering: Message Body Filtering enables you to control inbound and outbound email messages based on the content of the messages themselves

In the figure below, you can also see two links indicating that Content Filtering and Virus Filtering are enabled.


Figure 1

File Filtering

Let us start with the File Filtering option. Click the File Filtering link in the middle pane. In the File Filtering dialog box, you will first encounter the File Filters tab. Here you can configure file filters to prevent attached files from reaching or leaving your organization. Click the Add button, as shown in Figure 2 below.


Figure 2

This brings up the File Filter dialog box. On the General tab, you can choose from the following options:

  • Enable this filter: This option turns the filter on or off

  • Filter name: This provides a space for you to enter an easy to remember name for the filter that you’re creating here

  • Action for messages matching this filter: This enables you to choose from the following actions: Skip, Identify, Delete and Purge. Skip (detect only) logs an entry when the message matches the filter criteria but forwards the message unchanged to its next destination. Identify tags the subject line with a customizable word, which inbox rules can then use to file or flag the message. Delete removes the matching attachment and replaces it with the deletion text, but lets the rest of the message through. Purge removes the entire message from the mail flow, so nothing is delivered.

  • Scan inbound messages: When you enable this option, TMG will inspect the inbound messages that are sent to your email organization.

  • Scan outbound messages: When you enable this option, TMG will inspect the outbound messages that are sent from your email organization.

The General tab options are shown in Figure 3 below.


Figure 3

Now click the File Types tab. Here you have the ability to control which file types you want to be inspected. When a file of a type you have chosen to inspect is discovered, the action you configured on the General tab will be executed. Note that this is a feature of Forefront Protection for Exchange (FPE), and FPE determines the actual file type from the file's content rather than from its extension. This matters because a sender can simply rename a file so that its extension indicates a different file type from what it really is; a filter that keyed only on the extension would let the renamed file through. You can see the File Types tab in Figure 4 below.


Figure 4

Next, click the File Names tab. Here you can configure file names that the system will search for in email attachments. You can enter a complete file name, or you can take advantage of the wildcard characters “?” and “*”. The question mark stands for exactly one character within the name, while the asterisk stands for any number of characters (including none). Because file name filters match on the name alone, use them to catch naming tricks such as double extensions, and rely on the File Types tab for content-based detection. The File Names tab is shown in Figure 5.


Figure 5
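The File Types and File Names tabs define what a file filter matches, and the General tab defines what happens on a match. The following Python model is an added illustration for this article, not code from TMG or FPE: a tiny magic-byte table stands in for FPE's content-based type detection, the `?` and `*` wildcards are translated to a regular expression, and the four actions are applied to a constructed message. The `MAGIC` table, the `FileFilter` class, the deletion-text stand-in and the sample attachments (including a PE executable renamed to `report.pdf`) are all assumptions made for the example.

```python
"""Model of a file filter as described above: match attachments by real file type
or by wildcard file name, then apply Skip / Identify / Delete / Purge.
Added example for this article; not TMG or FPE code. Names are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed magic-byte table standing in for FPE's content-based type detection
# (assumption: FPE recognises far more types; these four are illustrative).
MAGIC = {
    b"MZ": "exe",                                   # PE executable
    b"PK\x03\x04": "zip",                           # ZIP archive (also docx/xlsx)
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",     # legacy .doc/.xls compound file
}

def sniff_type(data: bytes) -> str:
    """Classify by content, so a renamed file keeps its true type."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """'?' matches exactly one character, '*' any run; everything else is literal."""
    parts = {"?": ".", "*": ".*"}
    body = "".join(parts.get(ch, re.escape(ch)) for ch in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE)

@dataclass
class Attachment:
    name: str
    data: bytes

@dataclass
class Message:
    subject: str
    attachments: List[Attachment]

@dataclass
class FileFilter:
    name: str
    action: str                                  # Skip | Identify | Delete | Purge
    file_types: Set[str] = field(default_factory=set)
    file_names: List[str] = field(default_factory=list)
    tag: str = "[SUSPECT]"                        # subject tag used by Identify
    enabled: bool = True

    def matches(self, att: Attachment) -> bool:
        if sniff_type(att.data) in self.file_types:
            return True
        return any(wildcard_to_regex(p).match(att.name) for p in self.file_names)

def apply_file_filter(msg: Message, flt: FileFilter, log: list) -> Optional[Message]:
    """Return the message as it leaves the filter; None means it was purged."""
    if not flt.enabled:
        return msg
    hits = [a for a in msg.attachments if flt.matches(a)]
    if not hits:
        return msg
    log.append(f"{flt.name}: matched {[a.name for a in hits]}")
    if flt.action == "Skip":                      # log only, deliver unchanged
        return msg
    if flt.action == "Identify":                  # tag the subject for inbox rules
        return Message(f"{flt.tag} {msg.subject}", msg.attachments)
    if flt.action == "Delete":                    # drop the attachment, leave deletion text
        kept = [a for a in msg.attachments if a not in hits]
        kept += [Attachment(a.name + ".txt", f"Attachment {a.name} was removed.".encode())
                 for a in hits]
        return Message(msg.subject, kept)
    if flt.action == "Purge":                     # drop the whole message
        return None
    raise ValueError(f"unknown action {flt.action}")

if __name__ == "__main__":
    # Constructed sample: a PE file renamed to look like a PDF, plus a harmless note.
    msg = Message("Q3 report", [Attachment("report.pdf", b"MZ\x90\x00" + b"\0" * 16),
                                Attachment("notes.txt", b"see attached")])
    flt = FileFilter("Block executables", "Delete",
                     file_types={"exe"}, file_names=["*.scr", "*.ex?"])
    log: list = []
    out = apply_file_filter(msg, flt, log)
    print(log)
    print([a.name for a in out.attachments])      # ['notes.txt', 'report.pdf.txt']
```

The point to notice is that `report.pdf` is caught by the `exe` type entry, not by any name pattern, and that a filter keyed on the `pdf` type would not match it at all; the name patterns only add value for naming tricks the type check cannot express.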

Antivirus Configuration

Now let us take a look at the email anti-virus configuration on the TMG firewall. Click the Virus Filtering link in the middle pane of the console. There are many benefits to using multiple antivirus engines: it increases the likelihood that new threats will be caught even if not all of the engines have been updated with an emerging threat and it provides redundancy so that if one engine fails or is being updated, the others can still scan. You can enable up to five different engines. Note that more engines equal more thorough scanning, but the number of engines can also affect performance.

The first tab we will look at here, then, is the Engines tab. Here you have the following options:

  • Use automatic engine management: When you select this option, FPE will decide which antivirus engines to use and how they are to be applied.

  • Manually enable up to 5 engines: Choose this option if you want to control which engines are used and set the engine selection policy yourself. When you choose this option, you must select one or more AV engines from the list.

  • Always scan with all selected engines: When you choose the engines you want, you then need to define an Intelligent Engine Selection Policy. When you select the Always scan with all selected engines option, FPE will scan the message using all the engines you selected.

  • Scan with a subset of selected engines that are available: An available engine is one that is not in the process of being updated; while an engine is updating, it is marked as unavailable. With this option, FPE does not wait for all engines to become available before completing the message check; it scans with every selected engine that is available at that moment.

  • Scan with a dynamically chosen subset of selected engines: This option uses heuristics based on recent results and statistical projections to choose which engines to use to scan the messages. Over time, an average of half of the selected engines will be used to scan messages.

  • Scan with only one of the selected engines: This option also uses heuristics based on recent results and statistical projections to choose a single engine to use to scan the messages.

You can see all of these options in Figure 6.


Figure 6

Now let’s click the Remediation tab. Here you have the following options:

  • Skip (detect only): This option detects and reports a virus when it is discovered, but it still forwards the message, malware included, to its next destination. This is usually not the best option.

  • Clean (repair attachment): This option attempts to clean the attachment and then delivers the cleaned attachment to its next destination. If the attachment cannot be cleaned, it is removed and replaced with a file containing the deletion text.

  • Delete: This option will delete the infected attachment and a file with the deletion text will replace the infected attachment.

  • Enable: This option enables the deletion text, which is a .txt file containing the text that you enter in the Deletion Text section.

  • Deletion Text: This is the information that is included in the deletion text file. The %File% entry will be replaced with the name of the file that was deleted.

You can see this dialog box in Figure 7.


Figure 7
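The Engines tab and the Remediation tab are easier to reason about as one pipeline: the selection policy picks which of the enabled engines scan an attachment, and the remediation action decides what the recipient actually receives. The Python model below is an added illustration for this article, not FPE or TMG code. The three engines and their detection functions, the `recent_hits` counter standing in for FPE's "recent results" statistics, the `Deferred` exception modelling a scan that must wait for an engine under update, and the sample "malware" (the EICAR test string plus a made-up `<<DROPPER-X>>` marker) are all constructed for the example; the `Clean` step simply strips the known payload so that the control flow, including the fall-back to deletion text, can be followed.

```python
"""Model of multi-engine scanning with the four Intelligent Engine Selection
policies and the Skip / Clean / Delete remediation actions described above.
Added example for this article; not FPE or TMG code. Engines are constructed."""
import math
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed "malware": the EICAR test string and a made-up dropper marker.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
MARKER = b"<<DROPPER-X>>"

@dataclass
class Engine:
    name: str
    detect: Callable[[bytes], Optional[str]]   # malware name, or None if clean
    can_clean: bool = False
    available: bool = True                      # False while definitions are updating
    recent_hits: int = 0                        # stand-in for "recent results" stats

class Deferred(Exception):
    """The policy must wait for an engine that is being updated."""

def select_engines(selected: List[Engine], policy: str) -> List[Engine]:
    """policy: 'all' | 'available' | 'dynamic' | 'single' (the four radio buttons)."""
    if policy == "all":                         # wait until every selected engine is ready
        busy = [e.name for e in selected if not e.available]
        if busy:
            raise Deferred("waiting for " + ", ".join(busy))
        return list(selected)
    avail = [e for e in selected if e.available]
    if not avail:
        raise Deferred("no engine available")
    if policy == "available":                   # whatever is ready right now
        return avail
    ranked = sorted(avail, key=lambda e: e.recent_hits, reverse=True)
    if policy == "dynamic":                     # roughly half the selected engines
        return ranked[: max(1, math.ceil(len(selected) / 2))]
    if policy == "single":                      # best single engine by recent results
        return ranked[:1]
    raise ValueError(f"unknown policy {policy}")

@dataclass
class Attachment:
    name: str
    data: bytes

def scan(att: Attachment, engines: List[Engine]) -> List[str]:
    """Run the chosen engines; return 'engine:malware' verdicts."""
    verdicts = []
    for e in engines:
        hit = e.detect(att.data)
        if hit:
            e.recent_hits += 1
            verdicts.append(f"{e.name}:{hit}")
    return verdicts

DELETION_TEXT = "Forefront removed the attachment %File% because it contained malware."

def remediate(att: Attachment, engines: List[Engine], action: str, log: list) -> Attachment:
    """Apply Skip / Clean / Delete; Clean falls back to Delete when no engine can repair."""
    if action not in ("Skip", "Clean", "Delete"):
        raise ValueError(f"unknown action {action}")
    verdicts = scan(att, engines)
    if not verdicts:
        return att
    log.append(f"{att.name}: {verdicts}")
    if action == "Skip":                        # detect only: infected file still delivered
        return att
    if action == "Clean":
        if any(e.can_clean and e.detect(att.data) for e in engines):
            # Constructed repair: strip the known payload and deliver the rest.
            return Attachment(att.name, att.data.replace(EICAR, b"").replace(MARKER, b""))
    # Delete, or Clean that could not repair: replace with the deletion text file.
    return Attachment(att.name + ".txt", DELETION_TEXT.replace("%File%", att.name).encode())

def build_engines() -> List[Engine]:
    """Three constructed engines; EngineC is mid-update and therefore unavailable."""
    eicar = lambda d: "EICAR-Test-File" if EICAR in d else None
    dropper = lambda d: "Dropper.X" if MARKER in d else None
    return [Engine("EngineA", eicar, can_clean=True),
            Engine("EngineB", dropper),
            Engine("EngineC", lambda d: eicar(d) or dropper(d), available=False)]

if __name__ == "__main__":
    engines = build_engines()
    att = Attachment("payload.bin", b"hdr" + EICAR + b"tail")
    try:
        select_engines(engines, "all")
    except Deferred as why:
        print("all:", why)                      # the message waits for EngineC
    chosen = select_engines(engines, "available")
    log: list = []
    print(remediate(att, chosen, "Delete", log).name)   # payload.bin.txt
    print(log)
```

Two behaviours worth noticing: with "Always scan with all selected engines" the message is held while EngineC updates, which is the latency cost the article warns about, and a `Clean` action quietly becomes a `Delete` when the only engine that flagged the file cannot repair it, so the deletion text (with `%File%` substituted) is what the recipient sees in both cases.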

Finally, let us click the Options tab. Here you will see the following options:

  • Scan doc files as containers: You can set this option to scan .doc files that use OLE embedded data as container files so that the embedded files are also scanned.

  • Container scanning timeout (seconds): The default timeout is 120 seconds for container scanning but you can change this value here.

  • Action to perform upon reaching scanner timeout: Here you choose what action to perform when the timeout limit is reached.

  • Action to perform for illegal MIME headers: Here you choose what action to perform if an illegal MIME header is found (for example, purge or delete).

  • Transport sender information: This setting determines how transport sender information is determined.

  • Purge message if body is deleted: By default, the message is purged if the message body is deleted.

  • Optimize for performance (do not rescan message): By default, messages are not re-scanned after the filtering action is performed. This speeds performance but you can change it here.

The Options tab is currently undocumented – so we will have to wait for an update of the TMG documentation to determine more about the nature and function of these settings. I have notified Tom that he should log a document bug on this issue 🙂 Meanwhile, see these options in Figure 8.


Figure 8

Message Body Filtering

Click on the Message Body Filtering link in the middle pane of the console. On the Message Body Filtering dialog box, click on the Message Body Filters tab. Click the Add button. This brings up the Message Body Filter dialog box that’s shown in Figure 9. On the General tab, you have the following options:

  • Enable this filter: This enables the filter you’re creating.

  • Filter Name: Provides a space for a friendly name you can use to identify this filter.

  • Action for messages matching this filter: Enables you to choose from the actions Skip, Identify, Delete and Purge. Skip logs the match but forwards the message unchanged to its next destination. Identify tags the subject line with a customizable word that inbox rules can use to file or flag the message. Delete removes the offending content from the message and replaces it with the deletion text, while Purge removes the entire message from the mail flow.

  • Scan inbound messages: When enabled, this option configures FPE to scan inbound messages coming into your email organization.

  • Scan outbound messages: When enabled, configures FPE to scan outbound messages leaving your organization.


Figure 9

Click the Keywords tab in the Message Body Filter dialog box, as shown in Figure 10. Here you can define keywords to check for within the body of the message. You can enter discrete words, or you can take advantage of the keyword list syntax rules, which act as queries against the contents of the message. The query syntax is somewhat complex; however, the TMG firewall team did a good job of detailing how to construct these queries, complete with examples. Check out their instructions here.


Figure 10

Summary

In this, Part 4 of our series on the TMG firewall’s email hygiene solution, we went over the Virus and Content Filtering options. Using TMG, you can block both inbound and outbound mail that contains malware, as well as messages whose subject or body contains content that you deem unacceptable. In the next and last part of this series, we will go over the procedure used to create the Edge Subscription with the back-end Exchange Server. This is a valuable feature because it allows you to perform recipient filtering, so that messages addressed to users who are not in the organization can be blocked.
