ForeFront TMG 2010 not scanning for malware

Hi,

Following the TechNet article below, we set up a TMG 2010 a couple of years ago for the purpose of malware inspection.

Last week we had some pentesters run some tests on our network, and to our surprise a Zeus virus could be downloaded and uploaded to a random self-made server via HTTP, and TMG allowed the connection.

My settings are the following:

Malware inspection is enabled

No source and destination exceptions are defined

NIS and Malware inspections are up to date.

The link to the technet article is:

https://technet.microsoft.com/en-us/library/dd182018.aspx

Could you please help me find out why TMG 2010 is not scanning for any malware? We tried with Cryptolocker and Zeus. The VirusTotal detection ratio is at least 52/57.

February 26th, 2015 7:42am

Hi,

Have you checked TMG logging?

Please make sure the malware inspection global settings are configured correctly, including exceptions and inspection settings.

Malware Inspection at the Perimeter

Please also test with all Malware Inspection options in Inspection Setting checked.

Best Regards,

Joyce

February 27th, 2015 10:03pm

Hi Joyce,

Thanks for your reply!

I checked your article, and the malware inspection is up to date and enabled. Also, there is no destination or source exception defined. The only destination exceptions are the default ones.

I also tried to download the file with all the checkboxes enabled, but the Zeus virus .exe file is allowed while encrypted or corrupted zip files are denied.

When I tried the EICAR test file, it is blocked by the URL instead of the file. I can download a .exe or zipped EICAR test file and it is not blocked. I also tested it with the Cryptolocker malware, and that is also allowed.

The logging says, the traffic is allowed by the http rule.

Do you have another solution?

March 4th, 2015 2:15pm

You will also want to make sure that the individual rule has Malware scanning enabled. Having it enabled globally is not good enough. Keep in mind that the TMG Product Group stopped releasing definitions for this some time back and never made a public announcement that I could find.

TMG was also never meant to be a "total" solution. You always want to do security in layers which means you should have Antivirus on all of your client machines and servers in your environment.

March 6th, 2015 10:52am

