Hello, we have a new TMG server acting as a proxy. Our users are configured to use the proxy on port 8080 and so far everything is working well.
As a rule, we deny all .exe files from being downloaded. When users need access to a certain site, we approve it and whitelist it. In recent days, we have seen the TMG allow certain malicious .exe files through and actually download them to the client computer. To confirm this, we performed the following test.
Go to google.com and do a search on Baltimore aquarium address. In the result page, you will find a bunch of results with the following string
If you click on this site, you will be directed to a fake AV website.
As we look at the TMG logs, we can see it block several executables from being downloaded, but eventually we see a Save As dialogue with a request to save a file called packupdate_build107_195.exe (or a variant).
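One way to audit the proxy logs for exactly this situation (an executable that was allowed through without a whitelist rule) is to scan the log for allowed responses whose URL extension or reported MIME type indicates an executable. The script below is an added example, not part of the original post and not TMG's own tooling; it assumes a simplified W3C-style log layout with constructed field names (`c-ip`, `cs-uri`, `r-mimetype`, `sc-status`, `action`, `rule`) and constructed sample lines, and treats any rule name beginning with `Whitelist` as an approved exception. Checking the MIME type as well as the extension catches downloads where the URL does not end in `.exe`.

```python
from urllib.parse import urlparse

# Constructed sample log in a W3C-style layout (field names are assumptions, not TMG's exact schema).
SAMPLE_LOG = """#Fields: c-ip cs-uri r-mimetype sc-status action rule
10.0.0.12 http://example.test/update/installer.exe application/x-msdownload 200 Allowed Whitelist-Vendor
10.0.0.12 http://example.test/page.html text/html 200 Allowed Default
10.0.0.15 http://example.test/dl/packupdate_build107_195.exe application/x-msdownload 200 Allowed Default
10.0.0.15 http://example.test/dl/packupdate_build107_195.exe application/x-msdownload 403 Denied Block-EXE
10.0.0.20 http://example.test/fetch?id=42 application/x-msdownload 200 Allowed Default
10.0.0.20 http://example.test/img/logo.png image/png 200 Allowed Default
"""

# MIME types commonly used for Windows executables.
EXECUTABLE_MIME_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
}
EXECUTABLE_EXTENSIONS = (".exe",)


def parse_w3c_log(text):
    """Parse '#Fields:'-headed log text into a list of dicts keyed by field name."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def executable_reason(record):
    """Return 'extension', 'mime', or None depending on why the record looks like an executable."""
    path = urlparse(record["cs-uri"]).path.lower()
    if path.endswith(EXECUTABLE_EXTENSIONS):
        return "extension"
    if record["r-mimetype"].lower() in EXECUTABLE_MIME_TYPES:
        return "mime"
    return None


def find_allowed_executables(text):
    """List every allowed executable download, noting whether a whitelist rule let it through."""
    hits = []
    for rec in parse_w3c_log(text):
        if rec["action"] != "Allowed":
            continue
        reason = executable_reason(rec)
        if reason is None:
            continue
        hits.append({
            "client": rec["c-ip"],
            "url": rec["cs-uri"],
            "reason": reason,
            "whitelisted": rec["rule"].startswith("Whitelist"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_allowed_executables(SAMPLE_LOG):
        status = "expected (whitelisted)" if hit["whitelisted"] else "UNEXPECTED"
        print(f"{status}: {hit['client']} fetched {hit['url']} ({hit['reason']})")
```

On the constructed sample this reports three allowed executables: the whitelisted vendor installer (expected), the packupdate download that got through under the default rule, and a download with no `.exe` in the URL that is only identified by its MIME type. Denied entries are ignored, so the output is exactly the list a proxy administrator would want to explain.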
Hello, actually TMG just has a slow anti-malware response; it was flagged as malicious before because at that time it hadn't blocked the malicious exe yet. But now that the threat has already been blocked, I guess there's no more need to worry about having TMG as a proxy server.