About content delivery
Because malware inspection may cause some delay in the delivery of content from the server to the client, Microsoft Forefront Threat Management Gateway trickles portions of the content as files are inspected to improve the user experience during malware inspection. As an alternative, Forefront TMG can send progress notifications for specified types of files to reassure the user during this delay.
Trickling
Trickling refers to sending small portions of a file to the client application. This is done while the file is being inspected for malware. Trickling helps prevent the client application from reaching a time-out limit before the entire content is downloaded and inspected. The portions must be very small to minimize the risk of infection because a portion of content sent to the client may contain malicious content that can be detected only when a subsequent portion of the data is inspected. Trickling is performed for all types of files that are not specified for progress notifications.
- When downloading a large file, Forefront TMG trickles the content to the client as the file is scanned to prevent the application from timing out and the user from canceling the download due to a lack of interaction. When a file is trickled, Forefront TMG begins downloading an initial minimal portion of the file from the remote location, inspects and delivers this minimal portion, and then continues to download, inspect, and deliver the remainder of the file.
Cleaning is possible only if the file is inspected before passing the content to the client. In the case of trickling, it is not possible to clean the file or replace it with a text notification.
If an infection is detected in a file that is being trickled, Forefront TMG resets the connection and does not pass the remaining chunks to the client.
Progress notifications
Instead of sending portions of the requested content during malware inspection, Forefront TMG can send an HTML page to the client. This page informs the user that the requested content is being inspected and displays an indicator of the download and inspection progress. After download and inspection of the content are completed, the page informs the user that the content is ready and displays a button for downloading the content. Progress notifications are not displayed when content is downloaded over an HTTPS connection.
- You can specify the types of content for which Forefront TMG sends progress notifications by including MIME types and file name extensions in the predefined Content Types Displaying Progress Notifications content type set. By default, this content type set contains MIME types and file name extensions for compressed files and executable files, which cannot be displayed in typical Web browsers.
For HTTP requests, incoming content is identified by its MIME type. When the MIME type is not specified, or when FTP is used, content is identified by the file extension.
If the file is inspected and cleaned, if necessary, before being passed to the client, Forefront TMG sends either the scanned file or an HTML page notifying the user that the file was found to be infected and has been blocked. Such a file is purged immediately from the temporary storage. All cached portions associated with this file are either purged or marked as infected.
If a user clicks a link for downloading an executable file with the .exe file name extension on a Web page in Internet Explorer and then clicks Save, the Save As dialog box opens with details for the HTML notification page.
Content delivery settings
The content delivery settings include the following:
- Enabling or disabling the sending of progress notifications for the specified types of content.
- A list of the MIME content types and file name extensions for which progress notifications are used when progress notifications are enabled.
Malware inspection settings in policy rules
Each Web access rule has a setting for malware inspection. When each rule is created, you can enable malware inspection for it. When an access rule allows HTTP traffic, you can also configure whether scanning is performed for content that the rule allows to be downloaded from the server to the client.