Testing and Monitoring Forefront TMG Malware Inspection and Intrusion Prevention (NIS) Systems


Scott Glew

Scott Glew

Forefront TMG's Intrusion Prevention System has been one of TMG's major selling points due to the introduction of the Network Inspection System (NIS). NIS is a fully fledged enterprise level intrusion detection and prevention system (IDS/IPS) that utilizes a 'Generic Application Protocol Analyzer' (GAPA) to match traffic patterns above layer 3.

Forefront TMG also comes with a comprehensive Malware Inspection system for scanning, cleaning, and blocking harmful HTTP content and files.

Once you have enabled these features, it is a good idea to test and monitor their behaviour to ensure your network is adequately protected.

Testing Forefront TMG's Intrusion Prevention System (IPS / NIS)

Once you have enabled and configured NIS, it is a good idea to test that it is working. The Forefront TMG Team detailed how to do this using a test signature (see  Exercising NIS with test signature), however this article is now outdated, as the test signature has been renamed, and there is no longer a link to the test signature URL in the properties dialog.

I have therefore copied the signature URL below for your testing pleasure:!2@34$5%6^


Make sure you have enabled and configured Forefront TMG's Intrusion Prevention System, then hit the URL above. You will be presented with TMG's block page:

Forefront TMG Block Page - Blocked by IPS (12234)

Monitoring IPS Events

If you are running Fastvue TMG Reporter, you will soon see this event appear on the Firewall dashboard in the IPS Events section.

Latest Forefront TMG IPS Events Shown on the Fastvue Dashboard

You can also use TMG Reporter to email you a detailed alert when IPS events occur.

Receiving Forefront TMG IPS Alerts via Email

Testing Forefront TMG's Malware Inspection System

Forefront TMG's Malware Inspection system can also easily be tested by downloading the Eicar Anti Malware test file(s). When attempting to download these files you will again be presented with TMG's block page.

Note that you will not be presented with the block page when downloading the Eicar zip files, but TMG does indeed intercept them and silently removes (cleans) the infected files from the zip file.

Forefront TMG Block Page - Blocked Due to Infection

Monitoring Malware Events

Again, you will soon see these events appear in the Fastvue Firewall Dashboard in the Malware Events section.

Latest Forefront TMG Malware Events shown on the TMG Reporter Dashboard

And of course, you can configure TMG Reporter to email you these details when they occur.

Receiving Forefront TMG Malware Events via Email


By actively monitoring Forefront TMG's Intrusion Prevention and Malware Inspection events, you can identify the source of these vulnerabilities and take immediate action. This might involve cleaning an infected machine, modifying access rules, or even adding URL Category overrides to categorize a newly identified malicious site. If you do not take action, and if Forefront TMG is ever removed from your network, the threat will re-emerge and you are open to an attack.

Happy monitoring!

Take Fastvue Reporter for a test drive

Download our FREE 30-day trial, or schedule a demo and we'll show you how it works.

  • Share this story

Hunting IE6 Zombies with TMG Reporter

Old machines running IE6 with no updates are a big security concern. TMG Reporter can send instant alerts when these 'zombie' machines make a connection.
TMG Reporter

New TMG Reporter Features: Custom Reports, SQL Support and more

Forefront TMG reporting just received a huge upgrade with the new features in the latest Fastvue TMG Reporter release. Custom Reports, SQL Support and more.
TMG Reporter