Important This article contains information that shows you how to help to lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, Microsoft recommends that you evaluate the risks that are associated with implementing this resolution in your particular environment. If you choose to implement this resolution, take any appropriate additional steps to help to protect your system.
When you use Microsoft Forefront Threat Management Gateway (TMG) 2010 Malware Scanning, you can limit the size of files that are downloaded by using the Block files larger than (MB) option.
Note The Block files larger than (MB)option is on the Inspection Settings tab of the Malware Inspection dialog box.
If you set the value for this option so that TMG 2010 scans very large files, TMG Malware Scanning takes longer than expected. For example, a 4 gigabyte (GB) file can take as long as 30 minutes for the Malware Inspection engine to scan.
Note You cannot configure TMG Malware Scanning to perform a partial scan and to scan only the first few megabytes of downloaded files.
Symptoms
Warning This resolution may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. Microsoft does not recommend this resolution but is providing this information so that you can choose to implement this resolution at your own discretion. Use this resolution at your own risk.
To resolve this issue, install the software update that is described in the following Microsoft Knowledge Base article:
2517957 Software Update 1 Rollup 4 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1This hotfix introduces a new setting, ScanMaxSizeOnlyIfExceeds. This setting changes the behavior of the Block files larger than (MB) configuration setting from being a limit on the maximum size of downloaded files to a partial scan limit in megabytes when you set ScanMaxSizeOnlyIfExceeds to True.
When ScanMaxSizeOnlyIfExceeds is set to True, no size limit is applied to downloaded files. However, when you download a file is larger than the value that is set in the Block files larger than (MB) option, only a portion of the file (equal to the size that is set in that option) is scanned.
The default setting of ScanMaxSizeOnlyIfExceeds is False. You can apply this setting at the Array level or at the Rule level. To enable the setting by using a script, select the appropriate script from the ones that are presented below, and then run it on one of the array members. You can also use the TMG Management Console to set the value of Block files larger than (MB) option.
Arrary level script
Copy the following script into Notepad, save the script with the name EnableMaxSizeScanAllowRule.vbs, and then at a command prompt run the script as follows:
cscript EnableMaxSizeScanAllowRule.vbs
Const SE_VPS_GUID = "{DFAEF493-C442-4F80-9622-5DA4143287D8}"
Const SE_VPS_NAME = "ScanMaxSizeOnlyIfExceeds"
Const SE_VPS_VALUE = true
Sub SetValue()
' Create the root obect.
Dim root ' The FPCLib.FPC root object
Set root = CreateObject("FPC.Root")
'Declare the other objects needed.
Dim array ' An FPCArray object
Dim VendorSets ' An FPCVendorParametersSets collection
Dim VendorSet ' An FPCVendorParametersSet object
' Get references to the array object
' and the network rules collection.
Set array = root.GetContainingArray
set malwareInspectionSettings = array.MalwareInspectionSettings
set scannerSettings = malwareInspectionSettings.ScannerSettings
Set VendorSets = scannerSettings.VendorParametersSets
On Error Resume Next
Set VendorSet = VendorSets.Item( SE_VPS_GUID )
If Err.Number <> 0 Then
Err.Clear
' Add the item
Set VendorSet = VendorSets.Add( SE_VPS_GUID )
CheckError
WScript.Echo "New VendorSet added... " & VendorSet.Name
Else
WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
End If
if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
Err.Clear
VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
If Err.Number <> 0 Then
CheckError
Else
VendorSets.Save false, true
CheckError
If Err.Number = 0 Then
WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
End If
End If
Else
WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
End If
End Sub
Sub CheckError()
If Err.Number <> 0 Then
WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
Err.Clear
End If
End Sub
SetValue
Rule level script
Copy the following script into Notepad, save the script with the name EnableMaxSizeScanAllowRule.vbs, and then at a command prompt run the script as follows:
cscript EnableMaxSizeScanAllowRule /RuleName:”MyRule”Replace the placeholder MyRule with the name of the relevent TMG Access rule.
Const SE_VPS_GUID = "{DFAEF493-C442-4F80-9622-5DA4143287D8}"
Const SE_VPS_NAME = "ScanMaxSizeOnlyIfExceeds"
Const SE_VPS_VALUE = true
Sub SetValue()
' Create the root obect.
Dim root ' The FPCLib.FPC root object
Set root = CreateObject("FPC.Root")
'Declare the other objects needed.
Dim array ' An FPCArray object
Dim VendorSets ' An FPCVendorParametersSets collection
Dim VendorSet ' An FPCVendorParametersSet object
' Get references to the array object
' and the network rules collection.
Set array = root.GetContainingArray
ruleName= WScript.Arguments.Named("RuleName")
set rule = array.ArrayPolicy.PolicyRules.Item(ruleName)
set malwareInspectionSettings = rule.MalwareInspectionProperties
set scannerSettings = malwareInspectionSettings.ScannerSettings
Set VendorSets = scannerSettings.VendorParametersSets
On Error Resume Next
Set VendorSet = VendorSets.Item( SE_VPS_GUID )
If Err.Number <> 0 Then
Err.Clear
' Add the item
Set VendorSet = VendorSets.Add( SE_VPS_GUID )
CheckError
WScript.Echo "New VendorSet added... " & VendorSet.Name
Else
WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
End If
if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
Err.Clear
VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
If Err.Number <> 0 Then
CheckError
Else
VendorSets.Save false, true
CheckError
If Err.Number = 0 Then
WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
End If
End If
Else
WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
End If
End Sub
Sub CheckError()
If Err.Number <> 0 Then
WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
Err.Clear
End If
End Sub
SetValue
To revert the changes that you made by using the Array script or the Rule script, and to revert to the default behavior of the Block files larger than (MB) setting, edit the relevant script and change the following line from:
Const SE_VPS_VALUE = trueTo:
Const SE_VPS_VALUE = falseThen, rerun the script using the appropriate instructions.
Resolution
Important! Please be aware that, when you set ScanMaxSizeOnlyIfExceeds to False, you introduce a security risk. This occurs because a large file that contains malware in the unscanned section of the file could be passed by TMG to the client.
Microsoft recommends full file scanning. Therefore, we advise that you use this setting only after you carefully consider the risk and only if you use a defense-in-depth approach to malware detection, including appropriate client-side anti-malware software.
