The ISA Server product has for many years been one of my favorite firewall / proxy products, so it seems like high time for me to do a post on the new version, called TMG, which is currently in public beta from Microsoft.
Malware detection has become more of a necessity than a nice-to-have feature over the years, but until now you needed a third-party product to integrate this into ISA, while many other vendors have been providing this service out of the box for a very long time. With TMG this all changes: as a new feature you now get integrated malware detection straight out of the box.
Malware inspection is performed by the Malware Inspection Filter (a Web filter). It applies to traffic that uses the HTTP protocol and does not involve the Firewall Client software.
Let's have a look:
TMG automatically checks for and downloads new and updated definitions for malware inspection according to a user-defined update schedule. There is a default 90-day free subscription, but after that you will need to pay for the update service.

Malware detection is only available on web access rules, and this is where we can see the first change in the TMG interface. TMG still has one single firewall policy rule base, but MS has decided to group Web Access Policies into a separate tree. The rules you create in the web access policy are merged into the grouping container in the policy list.
Malware inspection can be enabled or disabled on a per-rule basis. Malware inspection is disabled for system policy rules, but this should never be an issue, as every good admin knows he/she never surfs the internet from the firewall.
You can configure malware detection options by clicking the option in the Tasks tab of the web access tree.
As you can see in the first two screenshots, malware detection can be turned on / off at a general level, or you can use exclusions to ensure malware detection never affects a specific network. It's important to note the yellow triangle here: exclusions apply to the network object whether it appears as the source OR the destination.
As you can see, we have quite a few settings to play with. Malware detection of course requires the proxy server to download the files locally first and then send them on down to the client. There are two ways TMG can operate:
- trickle down => Trickling refers to sending small portions of a file to the client application while the file is being inspected for malware. Trickling helps prevent the client application from reaching a time-out limit before the entire content is downloaded and inspected.
The portions must be very small to minimize the risk of infection, because a portion of content already sent to the client may contain malicious content that can be detected only when a subsequent portion of the data is inspected. Trickling is performed for all types of files that are not specified for progress notifications. Cleaning is possible only if the file is inspected before the content is passed to the client, so in the case of trickling it is not possible to clean the file or replace it with a text notification.
- progress notification => the file is downloaded to the TMG system and scanned before it is sent on to the client. To ensure users know what is going on, a progress bar can be displayed.
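To make the difference between the two modes concrete, here is a small simulation written for this post; it is not TMG code or anything from Microsoft. It assumes a toy scanner that flags a constructed byte pattern (standing in for a real signature), two constructed sample files, and a fixed portion size; the infected sample carries its pattern at the very end, which is exactly the case the text above warns about. In trickle mode the proxy forwards each portion as long as everything inspected so far is clean, so by the time the signature shows up most of the file has already reached the client and nothing can be recalled or replaced; in progress-notification mode the whole file is held and scanned first, so the infected download can be swapped for a notification.

```python
from dataclasses import dataclass
from typing import Iterator

# Constructed test pattern that the toy scanner treats as "malware". It stands in
# for a real signature and is placed at the END of the infected sample so that the
# file is only recognisable once its final portion has been inspected.
MALWARE_SIGNATURE = b"XMALWARE-TEST-PATTERN"  # constructed, not a real signature

# Constructed sample files: a clean one and an infected one of similar size.
CLEAN_FILE = b"A" * 2000
INFECTED_FILE = b"B" * 1990 + MALWARE_SIGNATURE


@dataclass
class Outcome:
    status: str          # "delivered" or "blocked"
    client_bytes: bytes  # what actually reached the client
    leaked: int          # bytes of an infected file that reached the client


def scan(data: bytes) -> bool:
    """Toy scanner: flag content containing the signature (stands in for the real engine)."""
    return MALWARE_SIGNATURE in data


def chunks(data: bytes, size: int) -> Iterator[bytes]:
    """Split the content into the portions the proxy receives from the origin server."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def deliver_trickle(data: bytes, chunk_size: int) -> Outcome:
    """Trickle mode: each portion is forwarded as soon as everything inspected so far
    is clean. Detection stops the transfer, but portions already sent cannot be
    recalled and the client gets neither a cleaned file nor a text notification."""
    inspected = b""
    sent = b""
    for portion in chunks(data, chunk_size):
        inspected += portion
        if scan(inspected):
            return Outcome("blocked", sent, len(sent))
        sent += portion
    return Outcome("delivered", sent, 0)


def deliver_progress_notification(data: bytes) -> Outcome:
    """Progress-notification mode: the whole file is held on the proxy and scanned
    before anything is released, so an infected file can be replaced by a notification."""
    if scan(data):
        return Outcome("blocked", b"Download blocked: malware detected", 0)
    return Outcome("delivered", data, 0)


if __name__ == "__main__":
    for name, data in (("clean", CLEAN_FILE), ("infected", INFECTED_FILE)):
        t = deliver_trickle(data, 512)
        p = deliver_progress_notification(data)
        print(f"{name:8} trickle: {t.status:9} leaked={t.leaked:5}  "
              f"progress notification: {p.status:9} leaked={p.leaked}")
```

Running it shows the trade-off the text describes: with 512-byte portions the infected sample is blocked in both modes, but trickle mode has already passed 1536 bytes of it to the client before the signature is seen, while the progress-notification path leaks nothing and hands the client a notification instead. This is why the portion size has to be kept very small and why only file types left out of the progress-notification list should ever be trickled.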
If you want to know which download method was used, you can look at the Content Delivery Method field in the monitor window.

In the temporary EMP directory you'll see the temp files being downloaded; they will disappear automatically after you download the file or close your explorer window. The tmp file is an exact copy of the file you were downloading, so you can simply rename the file to match the name in the monitoring log if you want.
As stated above, TMG needs to download the files locally and then inspect them. This is the default location for the download to take place. A folder
Client side view:
On the client side you can see the download progress bar. It's important to note that you will only get the progress bar view if you click a link from an initial HTML page. If you type the download URL directly into IE, the progress bar will not show up (but scanning is still performed in the background).

Depending on the size of the file being downloaded and the scanning speed of your TMG, you will see this message for some time or it will flash by.
After the progress bar completes you will get a new view with a separate Download button. Clicking this will open the default Windows download window.

If you try to download a file with a malware infection you will receive a message like this one.
It's important to know that TMG has a number of new logging fields related to malware, and this is what an infection looks like from a log perspective.

If you want an executive report on malware, you can use the report engine to generate an overview.
Enjoy TMG and this great new feature !!!