Archive

Archive for the ‘malware inspection’ Category

Further details and guidance regarding discontinuation of TMG Web Protection Services

December 15th, 2015 No comments

As discussed in the following blog, the Forefront Threat Management Gateway (TMG) Web Protection Services will be discontinued on December 31st, 2015:-

http://blogs.technet.com/b/applicationproxyblog/archive/2015/11/02/important-reminder-for-forefront-threat-management-gateway-tmg-web-protection-services-customers.aspx

We wanted to provide some additional details on what this will affect and recommendations on actions you should be taking.

The services that will be affected by this are:-

– URL Categorization
– Malware Inspection

Importantly, the Microsoft Reputation Services that supports URL Filtering will be turned off on or shortly after the 31st December 2015.

To avoid service impacting issues due to these services no longer being available, or incorrect rule processing where rules rely on URL Categorization categories, we would strongly advise customers review and amend their TMG configurations as follows:-

Review and amend any rules based on URL Categorization categories in your TMG policy

Any Allow and Deny rules that currently use URL Categories or URL Category Sets must be changed to remove the usage of URL filtering categories.

Using URL Sets or Domain Name Sets may provide limited replacement functionality or you may also want to consider a 3rd party URL filtering plug-in or upstream proxy service to provide replacement URL filtering functionality.

Note – If you have rules that are using URL filtering to allow traffic – HTTP traffic can be totally blocked after the service shutdown. Equally, if you use URL Filtering to block access to certain categories then these may be allowed after the change. There is also a possibility that performance issues will be seen if URL Filtering is left enabled after the MRS service is taken offline.

Disable URL Filtering

After amending your TMG policy ensure you then disable URL Filtering. This can be done in the TMG Management Console in the Web Access Policy node by selecting URL Filtering and unchecking the “Enable URL Filtering” check-box. This is essential to avoid TMG trying to contact the MRS services after they go offline.

clip_image002

Malware Inspection may continue to work but would not receive updated signatures

We would recommend implementing an alternative Anti-Virus solution and to disable Malware Inspection once this is in place.

As noted in the previous blog, Forefront Threat Management Gateway 2010, remains under extended support until April 14, 2020.

For details on moving from TMG to our new web publishing solutions please visit this URL:

http://blogs.technet.com/b/applicationproxyblog/archive/2015/07/02/transitioning-to-application-proxy-from-uag-and-tmg.aspx

Some Frequently Asked Questions we’ve had regarding the change are:-

Q1. Is it possible to use the MRS Cache to continue to benefit from URL Filtering after 31st December 2015?

A1. No, the MRS cache is a temporary in-memory cache of the latest lookups intended to provide internal efficiency optimizations. It does not provide a full offline cache and cannot be used for this purpose. There is no mechanism to have an offline database.

Q2. Is it possible to extend our usage of Forefront Threat Management Gateway (TMG) Web Protection Services past 31st December 2015?

A2. No, this is not possible. These dates were announced in September 2012 in order to provide sufficient time for alternative solutions to be deployed.

For the original announcement of the Forefront product roadmap changes please refer to the following URL:

http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx

Categories: EMP, malware inspection, TMG, URL filtering, URLF Tags:

Further details and guidance regarding discontinuation of TMG Web Protection Services

December 15th, 2015 No comments

As discussed in the following blog, the Forefront Threat Management Gateway (TMG) Web Protection Services will be discontinued on December 31st, 2015:-

http://blogs.technet.com/b/applicationproxyblog/archive/2015/11/02/important-reminder-for-forefront-threat-management-gateway-tmg-web-protection-services-customers.aspx

We wanted to provide some additional details on what this will affect and recommendations on actions you should be taking.

The services that will be affected by this are:-

– URL Categorization
– Malware Inspection

Importantly, the Microsoft Reputation Services that supports URL Filtering will be turned off on or shortly after the 31st December 2015.

To avoid service impacting issues due to these services no longer being available, or incorrect rule processing where rules rely on URL Categorization categories, we would strongly advise customers review and amend their TMG configurations as follows:-

Review and amend any rules based on URL Categorization categories in your TMG policy

Any Allow and Deny rules that currently use URL Categories or URL Category Sets must be changed to remove the usage of URL filtering categories.

Using URL Sets or Domain Name Sets may provide limited replacement functionality or you may also want to consider a 3rd party URL filtering plug-in or upstream proxy service to provide replacement URL filtering functionality.

Note – If you have rules that are using URL filtering to allow traffic – HTTP traffic can be totally blocked after the service shutdown. Equally, if you use URL Filtering to block access to certain categories then these may be allowed after the change. There is also a possibility that performance issues will be seen if URL Filtering is left enabled after the MRS service is taken offline.

Disable URL Filtering

After amending your TMG policy ensure you then disable URL Filtering. This can be done in the TMG Management Console in the Web Access Policy node by selecting URL Filtering and unchecking the “Enable URL Filtering” check-box. This is essential to avoid TMG trying to contact the MRS services after they go offline.

clip_image002

Malware Inspection may continue to work but would not receive updated signatures

We would recommend implementing an alternative Anti-Virus solution and to disable Malware Inspection once this is in place.

As noted in the previous blog, Forefront Threat Management Gateway 2010, remains under extended support until April 14, 2020.

For details on moving from TMG to our new web publishing solutions please visit this URL:

http://blogs.technet.com/b/applicationproxyblog/archive/2015/07/02/transitioning-to-application-proxy-from-uag-and-tmg.aspx

Some Frequently Asked Questions we’ve had regarding the change are:-

Q1. Is it possible to use the MRS Cache to continue to benefit from URL Filtering after 31st December 2015?

A1. No, the MRS cache is a temporary in-memory cache of the latest lookups intended to provide internal efficiency optimizations. It does not provide a full offline cache and cannot be used for this purpose. There is no mechanism to have an offline database.

Q2. Is it possible to extend our usage of Forefront Threat Management Gateway (TMG) Web Protection Services past 31st December 2015?

A2. No, this is not possible. These dates were announced in September 2012 in order to provide sufficient time for alternative solutions to be deployed.

For the original announcement of the Forefront product roadmap changes please refer to the following URL:

http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx

Categories: EMP, malware inspection, TMG, URL filtering, URLF Tags:

Further details and guidance regarding discontinuation of TMG Web Protection Services

December 15th, 2015 No comments

As discussed in the following blog, the Forefront Threat Management Gateway (TMG) Web Protection Services will be discontinued on December 31st, 2015:-

http://blogs.technet.com/b/applicationproxyblog/archive/2015/11/02/important-reminder-for-forefront-threat-management-gateway-tmg-web-protection-services-customers.aspx

We wanted to provide some additional details on what this will affect and recommendations on actions you should be taking.

The services that will be affected by this are:-

– URL Categorization
– Malware Inspection

Importantly, the Microsoft Reputation Services that supports URL Filtering will be turned off on or shortly after the 31st December 2015.

To avoid service impacting issues due to these services no longer being available, or incorrect rule processing where rules rely on URL Categorization categories, we would strongly advise customers review and amend their TMG configurations as follows:-

Review and amend any rules based on URL Categorization categories in your TMG policy

Any Allow and Deny rules that currently use URL Categories or URL Category Sets must be changed to remove the usage of URL filtering categories.

Using URL Sets or Domain Name Sets may provide limited replacement functionality or you may also want to consider a 3rd party URL filtering plug-in or upstream proxy service to provide replacement URL filtering functionality.

Note – If you have rules that are using URL filtering to allow traffic – HTTP traffic can be totally blocked after the service shutdown. Equally, if you use URL Filtering to block access to certain categories then these may be allowed after the change. There is also a possibility that performance issues will be seen if URL Filtering is left enabled after the MRS service is taken offline.

Disable URL Filtering

After amending your TMG policy ensure you then disable URL Filtering. This can be done in the TMG Management Console in the Web Access Policy node by selecting URL Filtering and unchecking the “Enable URL Filtering” check-box. This is essential to avoid TMG trying to contact the MRS services after they go offline.

clip_image002

Malware Inspection may continue to work but would not receive updated signatures

We would recommend implementing an alternative Anti-Virus solution and to disable Malware Inspection once this is in place.

As noted in the previous blog, Forefront Threat Management Gateway 2010, remains under extended support until April 14, 2020.

For details on moving from TMG to our new web publishing solutions please visit this URL:

http://blogs.technet.com/b/applicationproxyblog/archive/2015/07/02/transitioning-to-application-proxy-from-uag-and-tmg.aspx

Some Frequently Asked Questions we’ve had regarding the change are:-

Q1. Is it possible to use the MRS Cache to continue to benefit from URL Filtering after 31st December 2015?

A1. No, the MRS cache is a temporary in-memory cache of the latest lookups intended to provide internal efficiency optimizations. It does not provide a full offline cache and cannot be used for this purpose. There is no mechanism to have an offline database.

Q2. Is it possible to extend our usage of Forefront Threat Management Gateway (TMG) Web Protection Services past 31st December 2015?

A2. No, this is not possible. These dates were announced in September 2012 in order to provide sufficient time for alternative solutions to be deployed.

For the original announcement of the Forefront product roadmap changes please refer to the following URL:

http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx

Categories: EMP, malware inspection, TMG, URL filtering, URLF Tags:

NIS & Anti-Malware Info is not updated as expected in Update Center

April 12th, 2012 No comments

Today I would like to describe an easy way to solve a small visualization mismatch related to the Update Center of TMG 2010.

If you are a Forefront Threat Management Gateway administrator in a country where English regional settings are not used, it could be possible that, when entering the TMG Update Center section, you’re going to find something like this:

clip_image002

NIS and Malware Inspection are two powerful mechanisms which allow Forefront TMG 2010 to provide full protection against potential network attacks and malicious content.

In case you’re experiencing the above info reported, in particular, there are two possibilities:

1. The checking for and download of up-to-date NIS & Malware versions have really failed.

2. The reported info in the Update center is not up-to-date.

In the first case, the following article could be very useful to troubleshoot signature update failures:

http://technet.microsoft.com/en-us/library/ff358608.aspx

In particular, check in the Update Center Properties form if the server is correctly configured to get the updates from the Microsoft Update servers and/or an internal WSUS server:

clip_image004

When you have excluded any kind of connectivity issue, you’re pretty sure that the new definitions have been correctly downloaded and installed, but you can’t figure out why the info reported in the Update Center section are not correct, you’re probably in the kind of situation which can be solved with the hints described in this article.

The pictures below represent two examples of abstracts of the ISA_UpdateAgent.log file (in the %Windir%\Temp folder) in which the installation of NIS and anti-Malware new signatures has been performed correctly:

clip_image006

clip_image008

You can use the above log file in order to check the NIS/Malware signatures’ last installations status.

The TMG Management console reads the status of the “Last Update Status” and “Last updated” fields, for both NIS and Malware Inspection, from the information contained under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\DefinitionUpdates registry key on each TMG node.

Note: this key actually contains two sub-keys: one for Malware inspection, another one for NIS.

The date and time format used here are related to the regional settings defined for the system accounts of the TMG node. This is because the TMG service, which is responsible for writing this information in the registry, runs under a local system account.

The issue described here where a “Never” status appears for “Last Update status” and “Last Updated”, might occur when the regional settings of the user account executing the MMC are different than the regional settings defined for the system accounts of the TMG node.

For instance, the problem will appear if the Format setting of the system accounts on the TMG nodes is Italian, while the Format setting of the user account executing the MMC is English (United States) – as in the example below:

clip_image009

clip_image010

To solve this, you should make sure that there is a match between the Format setting of the user executing the MMC and the Format setting of the system accounts defined on the TMG nodes. In our example above, this could be solved, for instance, by changing the Format setting of both the user account executing the TMG MMC and of the system accountWelcome screen– to English (United States).

In order to do that, follow this procedure:

Open the “Region & Language” settings panel from the server’s Control Panel and select English (United States) in the Format box:

clip_image012

Click APPLY and go in the “Administrative” section:

clip_image013

Click on “COPY SETTINGS

In the following form, check the “Welcome screen and system accounts” check-box and click OK.

clip_image015

If needed, the above procedure can be implemented considering Italian language – or any other – instead of English, just be sure to apply this to both current user’s and system accounts.

Now reboot the server.

After this procedure, the format of the registry key which is read by the TMG Update Center can be well interpreted.

Coming back to the Update Center, check for new definitions and install them:

clip_image016

clip_image017

The final result should be a correct status, reported in the two columns:

clip_image019

In case you’re running an Array of TMG nodes, and you use the local TMG MMC on EMS machine, you’ll have to change the current user regional settings (Format) of the EMS machine so that they match the system accounts regional settings (Format) of the TMG array members.

In some cases, it’s possible that the registry key values related to the NIS update status still fail to converge. This could be due to a persistent “wrong” value set in the above mentioned registry keys.

It’s quite easy to manually solve this problem:

From Regedit, open the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\DefinitionUpdates\{464716F5-0BAB-494a-A51A-30400DDF127F}

clip_image021

If the UpdateStatus value is set to “b” (in HEX format) this means an un-correct status.

You should now change this UpdateStatus value to “7” and insert in the UpdateTime word a valid value (for example the same value of the CheckTime field).

Now the info in the Update Center should be perfectly reported as “Up-to-date”.

Perform a new check for updated definitions and install them, if needed.

This is for sure not a big problem, and it doesn’t impact the functional level of the NIS & Malware mechanisms, but for sure it’s always beautiful to see a green “Up-to-date” comment in our Update Center 🙂

Hope you enjoyed it and found it useful!

Let’s see you back with the next topic !!

Ciao,

Daniele Gaiulli – MS Support Engineer

Reviewer: Eric Detoc – Senior Escalation Engineer