Monitoring Malware Through the Edge with Microsoft Forefront Threat Management Gateway

Security Tip of the Month – November 2008

By Yuri Diogenes (Security Support Engineer -- Microsoft ISA and IAG Team)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Microsoft recently announced that the first version of Microsoft® Forefront™ Threat Management Gateway (TMG) was released to manufacturing as part of Windows® Essential Business Server 2008. This new generation of the firewall has several new features that could be highlighted; however, the focus of this article is the key feature of this release: malware inspection through the Malware Inspection Filter. With this feature it is possible to mitigate threats at the edge of your network, which helps prevent workstations from being infected by malware while they access web pages over HTTP.

The goal of this article is to describe how you can monitor your traffic using the following perspectives:

  Monitoring with real-time logging – New fields in the dashboard and real-time logging let you see immediately whether the traffic contains malware, what its threat level is, and whether the content was cleaned.

  On-demand reporting – New reports allow you to work proactively to investigate trends and identify systems that may be compromised.

Dealing with Malware on the Edge

By definition, malware is a generic term for a malicious piece of software, such as a worm or a virus. The malware inspection feature in Forefront TMG helps mitigate the spread of malware from the Web by inspecting traffic at your perimeter and preventing it from reaching your internal network. The diagram below illustrates the flow of traffic.


Figure 1. Basic Malware Inspection Flow

The steps for malware inspection are as follows:

  1. The user's browser sends an HTTP GET request to an external website in an attempt to download a file.
  2. Acting as a proxy, Forefront TMG intercepts the request and forwards it to the external site.
  3. The external website answers the request with an HTTP response.
  4. Forefront TMG accumulates the content, times the download, and inspects the file.
  5. If download and inspection complete in less than x seconds, TMG passes the whole file to the client. If they take longer than x seconds, a gauge is shown to the user to indicate that inspection is taking place.
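The accumulate-then-inspect decision in steps 4 and 5 can be modelled in a few lines. The Python below is an added example written for this article, not Forefront TMG code: the signature table, the threat levels, the policy settings and the sample responses are all constructed (the only real artifact is the EICAR test string, which every scanner recognises as a harmless test file). It also shows why step 4 accumulates the whole response before scanning: a signature split across two HTTP chunks is invisible to a proxy that scans each chunk on its own.

```python
"""Simulated edge malware inspection: accumulate, scan, decide.

Added example for this article, not Forefront TMG code. Signature table,
threat levels, policy values and sample responses are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Industry-standard EICAR test string (harmless, recognised by scanners).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature table: byte pattern -> (threat name, threat level).
# The second entry is invented for illustration; it is not a real signature.
SIGNATURES = {
    EICAR: ("EICAR-Test-File", "low"),
    b"MZ\x90\x00EXAMPLE-DROPPER-MARKER": ("Example.Dropper.A", "high"),
}
LEVEL_RANK = {"low": 1, "medium": 2, "high": 3, "severe": 4}


@dataclass
class Policy:
    """Assumed policy knobs: which levels are blocked, and after how many
    seconds a progress gauge is shown instead of silently buffering."""
    block_at_or_above: str = "medium"
    progress_after_s: float = 10.0


@dataclass
class Verdict:
    action: str                      # "deliver" or "block"
    threat_name: Optional[str]
    threat_level: Optional[str]
    progress_notification: bool      # True if the x-second gauge would appear


def scan(body: bytes):
    """Return (name, level) of the highest-ranked signature hit, or None."""
    hits = [sig for pattern, sig in SIGNATURES.items() if pattern in body]
    if not hits:
        return None
    return max(hits, key=lambda hit: LEVEL_RANK[hit[1]])


def inspect_response(chunks, policy: Policy, elapsed_s: float) -> Verdict:
    """Steps 4 and 5: join every chunk of the HTTP response, scan the whole
    body once, then apply the threat-level policy. elapsed_s is the measured
    download-plus-inspection time, passed in so the example is deterministic."""
    body = b"".join(chunks)
    progress = elapsed_s > policy.progress_after_s
    hit = scan(body)
    if hit is None:
        return Verdict("deliver", None, None, progress)
    name, level = hit
    blocked = LEVEL_RANK[level] >= LEVEL_RANK[policy.block_at_or_above]
    return Verdict("block" if blocked else "deliver", name, level, progress)


def scan_chunks_independently(chunks):
    """What a proxy that does NOT accumulate would see: each chunk alone.
    A signature straddling a chunk boundary is never matched."""
    for chunk in chunks:
        hit = scan(chunk)
        if hit is not None:
            return hit
    return None


def split_across_boundary(payload: bytes, at: int):
    """Constructed two-chunk response whose signature straddles the split."""
    return [b"<html>prefix " + payload[:at], payload[at:] + b" trailer</html>"]
```

With the default policy, inspect_response(split_across_boundary(EICAR, 20), Policy(), elapsed_s=2.0) returns a deliver verdict that still names the threat, because low-level hits are allowed through; the same two chunks handed to scan_chunks_independently produce no hit at all, which is the reason the proxy has to buffer the whole response before it can make a decision.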

You can monitor this functionality by watching the logs in the Logging view under Monitoring. There you will see each request and the action that was taken.

Watch Malware Detection in Real Time

Using the Logging view in Forefront TMG you can create filters and take advantage of new columns that show more information about the files a client is trying to download. Figure 2 (below) shows an example log entry for a file that Forefront TMG blocked because it was infected with malware.


Figure 2. Monitoring Logging

The “Threat Name” column indicates the name of the threat, and its severity is shown in the “Threat Level” column. It is important to emphasize that, depending on the configuration, malware of low or medium threat level may be allowed through. Because the log operates in real time, it immediately provides the information an administrator needs to react to a security risk. When TMG blocks or removes malware it generates a warning alert (Malware Inspection Filter Detected Malware). This alert is disabled by default but can be enabled if the administrator prefers to know immediately about any detected malware; the alert definition can be fine-tuned to make it less noisy.

In addition, when a threat is detected, Forefront TMG generates a page (see the example in Figure 3) that explains why it was not possible to download the file.


Figure 3. Screenshot of message from Forefront TMG

Note: in some specific scenarios Forefront TMG will not send this page to the client and will only close the connection. The threat identification will still appear in the log, however.

While reactive actions are necessary when incidents arise, proactive work helps administrators spot trends, mitigate potential issues, and better understand the IT environment. Forefront TMG has new reporting categories that highlight malware protection:

  • Top Threats – Threats that were found during the malware inspection process
  • Top Websites – Identifies the websites where malware was found
  • Top Users – Identifies the users who downloaded infected content
  • Inspection Duration – Amount of time Forefront TMG took to scan content
  • Inspection Statistics – Additional information about the inspection process, such as the number of files scanned, cleaned, and more

Each report can be customized with parameters defined by the administrator; for example, the administrator can specify that the report include the top 15 threats identified. Figure 4 shows an example of a Forefront TMG report.
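The real-time log filter and the tuned alert described under Figure 2, and all five report categories listed above, are aggregations over the same per-request records. The Python below is an added example, not Forefront TMG code or its log format: the tab-separated sample log, its field names (user, site, action, threat_name, threat_level, inspection_ms) and the threat names in it are constructed to carry the columns the article names, so that the Figure 2 filter, the alert with a minimum threat level, and the Top Threats, Top Websites, Top Users, Inspection Duration and Inspection Statistics reports can all be computed offline from one input.

```python
"""Monitoring and reporting over malware-inspection log records.

Added example, not Forefront TMG code or its log format. The sample log,
its field names and the threat names in it are constructed.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed tab-separated log with one row per inspected request.
SAMPLE_LOG = """\
time\tuser\tclient_ip\tsite\turl\taction\tthreat_name\tthreat_level\tinspection_ms
2008-11-03T09:12:01\tCONTOSO\\alice\t10.0.0.21\tdownloads.example.com\thttp://downloads.example.com/setup.exe\tBlocked\tExample.Dropper.A\thigh\t840
2008-11-03T09:12:44\tCONTOSO\\bob\t10.0.0.34\tcdn.example.net\thttp://cdn.example.net/lib.js\tAllowed\t\t\t12
2008-11-03T09:15:10\tCONTOSO\\alice\t10.0.0.21\tdownloads.example.com\thttp://downloads.example.com/tool.zip\tBlocked\tExample.Dropper.A\thigh\t1320
2008-11-03T09:20:37\tCONTOSO\\carol\t10.0.0.52\tmirror.example.org\thttp://mirror.example.org/eicar.com\tAllowed\tEICAR-Test-File\tlow\t9
2008-11-03T09:31:02\tCONTOSO\\bob\t10.0.0.34\tdownloads.example.com\thttp://downloads.example.com/crack.exe\tBlocked\tExample.Worm.B\tmedium\t15600
"""
LEVEL_RANK = {"low": 1, "medium": 2, "high": 3, "severe": 4}


def parse_log(text):
    """Read the tab-separated log into dicts keyed by the header row."""
    records = list(csv.DictReader(StringIO(text), delimiter="\t"))
    for record in records:
        record["inspection_ms"] = int(record["inspection_ms"])
    return records


def malware_hits(records):
    """Real-time filter: only requests where inspection named a threat
    (this includes low-level threats the policy let through)."""
    return [r for r in records if r["threat_name"]]


def alert_records(records, min_level="medium"):
    """A tuned 'Malware Inspection Filter Detected Malware' alert: fire only
    when content was actually blocked and the threat level is at least
    min_level, which keeps allowed low-level hits out of the alert stream."""
    return [r for r in malware_hits(records)
            if r["action"] == "Blocked"
            and LEVEL_RANK[r["threat_level"]] >= LEVEL_RANK[min_level]]


def top_n(records, field, n=15):
    """Count one field over the malware hits; n is the admin's report parameter."""
    return Counter(r[field] for r in malware_hits(records)).most_common(n)


def inspection_duration(records, slow_ms=10000):
    """Inspection Duration report: spread of scan times and how many requests
    ran past the threshold where a user would have seen the progress gauge."""
    times = [r["inspection_ms"] for r in records]
    return {"count": len(times), "max_ms": max(times),
            "avg_ms": sum(times) // len(times),
            "over_threshold": sum(1 for t in times if t > slow_ms)}


def inspection_statistics(records):
    """Inspection Statistics report: scanned, clean, blocked, allowed-with-threat."""
    hits = malware_hits(records)
    return {"scanned": len(records),
            "clean": len(records) - len(hits),
            "blocked": sum(1 for r in hits if r["action"] == "Blocked"),
            "allowed_with_threat": sum(1 for r in hits if r["action"] == "Allowed")}


def build_report(text, n=15):
    """All five report categories from one log, as a Figure 4 style summary."""
    records = parse_log(text)
    return {"top_threats": top_n(records, "threat_name", n),
            "top_websites": top_n(records, "site", n),
            "top_users": top_n(records, "user", n),
            "inspection_duration": inspection_duration(records),
            "inspection_statistics": inspection_statistics(records)}
```

Note the difference between malware_hits and alert_records on the sample: four requests name a threat, but only three were blocked at medium or above, and only two at high. That gap is exactly what tuning the alert definition controls, and it is why the Inspection Statistics report separates blocked content from content that was allowed despite a low-level detection.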


Figure 4. Forefront TMG Report, Inspection Statistics Section

With a Forefront TMG report, administrators can address issues such as:

  • Identifying the users who downloaded compromised content and discovering why they were doing so.
  • Identifying websites that may have been compromised and determining whether those sites should be blocked.

The information provided by Forefront TMG reports can help you work proactively to enhance the security of your environment.


Online threats continue to increase, which requires ever smarter and more robust safeguards for your IT environment. Secure inbound and outbound access backed by dynamically updated signatures is becoming more and more common given the nature of today's threat landscape. Using the malware inspection capabilities of Forefront Threat Management Gateway to view real-time logs and detailed reports helps administrators work both reactively and proactively to better protect their IT environment.

You can find more information about Forefront Threat Management Gateway Malware Inspection and Reports in the TMG Deployment Guide.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Yuri Diogenes (MCSE+S, MCTS, MCITP, Security+, Network+, CCNP) works for Microsoft as a Security Support Engineer on the ISA Server/IAG Team, based at the Texas campus. He also writes articles for the ISA Server Team Blog and for TechNet Magazine, and is the co-author of the Forefront Community page called “Tales from the Edge.”