Hi, I have enabled malware inspection for HTTP traffic. I tested downloading the EICAR file and it is blocked. But for many sites TMG is not serving the download; for example, downloading RealPlayer or 7zip from the main site doesn't show the TMG page, it downloads directly through the IE and Firefox browsers.
Only Microsoft sites are on the exception list.
This behavior is risky: if the files are not scanned, there is a chance of downloading malicious files to clients' PCs. We do not block any extensions right now.
Those log file entries indicate that the files are being inspected.
You might need to tune the anti-malware feature. Be aware that only HTTP downloads are inspected, so if you are using other protocols they can bypass inspection. Also, if you haven't enabled outbound SSL inspection, SSL connections won't be inspected either.
Do you have log file entries for the malware that bypassed the scanning?
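To check the coverage gap Tom describes (HTTP inspected, HTTPS not), here is an added probe script that is not from this thread or from TMG: it fetches the EICAR test file through the proxy over HTTP and over HTTPS and reports whether the gateway blocked it or let it through untouched. The proxy address, the listener port and the EICAR URLs are assumed placeholders.

```python
"""Probe whether a web proxy's malware inspection covers HTTP and HTTPS.

Added example for this thread, not from the original posts or from TMG.
Assumptions (placeholders, adjust): the proxy address PROXY and the
EICAR download URLs. The EICAR file is a harmless industry test string;
its MD5 is published, so the string itself is never embedded here.
"""
import hashlib
import urllib.error
import urllib.request

PROXY = "http://tmg.example.internal:8080"      # assumed TMG web-proxy listener
EICAR_MD5 = "44d88612fea8a8f36de82e1278abb02f"  # published MD5 of eicar.com
TEST_URLS = {                                   # assumed, placeholder URLs
    "http":  "http://www.eicar.org/download/eicar.com",
    "https": "https://secure.eicar.org/eicar.com",
}


def classify(status, body, expected_md5=EICAR_MD5):
    """Decide what the gateway did with a download.

    'served-uninspected': the test file arrived byte-for-byte, so nothing
                          on the path blocked it (the risky case).
    'blocked':            a non-200 status or a substituted body (e.g. the
                          TMG block page) in place of the file.
    """
    if status == 200 and hashlib.md5(body).hexdigest() == expected_md5:
        return "served-uninspected"
    return "blocked"


def probe(url, proxy=PROXY, timeout=15):
    """Fetch url through the proxy and classify the outcome."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as e:          # 403 etc. from the gateway
        return classify(e.code, e.read())
    except urllib.error.URLError as e:
        # On the HTTPS path a certificate error usually means the gateway is
        # intercepting (HTTPS inspection on) but its CA is not trusted here.
        return f"error: {e.reason}"


if __name__ == "__main__":
    for scheme, url in TEST_URLS.items():
        print(f"{scheme:5} {probe(url)}")
```

A "served-uninspected" result on the https line is exactly the bypass described above; the same probe run against a binary that was not blocked (RealPlayer, 7zip) can tell you whether the gateway served it untouched.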
Hi Tom, right now I have not enabled HTTPS inspection and I'm aware that scanning will be performed only on HTTP traffic. The sites under test are HTTP only. I have the default malware inspection settings; I'm not sure what might need to be tweaked in the anti-malware feature. Could you point out what tweaking will help?
I have tested a Trojan link from malwaredomainlist.com; the exe file could be downloaded directly through Firefox. Log entry: Destination Host Name 188.8.131.52, URL smsdzsd.co.cc/x/l.php
Hi Adrian, thanks for providing the link. I really don't agree with your comment that TMG malware inspection will be effective if configured properly. For example, if you see my earlier post, TMG couldn't detect the malicious exe file downloaded from http://184.108.40.206/x/l.php. I also tested with MS Security Essentials, which didn't detect it; then I uploaded the file to VirusTotal and also scanned it with Malwarebytes Anti-Malware. See the results below:
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: C:\Users\Testuser\Downloads\svchost.exe (Trojan.Agent.Gen) -> No action taken.
So if the Microsoft malware engine misses the detection then there is a chance of infection, unless there is dual AV scanning either on the client side or at the gateway level. Does TMG use the same Forefront Client Security antivirus engine? I'm not sure if we can add another AV engine to TMG.
You can't get 100% with a single AV engine and even with 20 or so AV engines.
It's true that more AV engines would be better in terms of detection rate; unfortunately I don't think the malware inspection in TMG currently includes support for multiple AV engines, which I too believe would be very useful. I know it kinda sucks to have an AV and get infected, but that is not very unusual.
Looks like the file you've submitted was detected by 17 of 42 AV engines, so you could have had 5 AV engines simultaneously that could not detect it (actually it is not very unusual to see 0 of 42 detect some sample). From my previous link you could have had McAfee+Symantec+Kaspersky+Trend simultaneously and get zero detection. Or with a few slight modifications to a file the detection rate on VirusTotal can drop very fast (here: http://www.carbonwind.net/blog/post/Exercising-TMG-Beta-2-NIS-with-PoC.aspx I've made a silly modification to a file and 10 AV engines were missing it after that, including Kaspersky).