Unable to download files through Forefront TMG 2010 when Malware Inspection is Enabled

1. Introduction

Enhanced Malware Protection (EMP) is the mechanism that Forefront TMG uses to block malware coming through Web access. EMP provides a single point of malware scanning that ensures all downloaded files are scanned with the latest malware definitions. In summary, the scanning process occurs in the following manner:

  • HTTP traffic is intercepted by a web filter
  • The content is accumulated in memory or on disk (depending on size)
  • Actual scanning is handled by Microsoft Malware Protection Engine (MPEngine)
  • Engine and signature updates are downloaded by the update center from Microsoft Update and loaded by the EMP scanner without service interruption

Note: for more information on the EMP process, review the article “Monitoring Malware through the Edge with Microsoft Forefront Threat Management Gateway” at Microsoft TechNet.

This post covers a scenario where a user tries to download a file and receives the error message below:

image

In Event Viewer you will also notice event 23461, which says: “The client ClientAddress exceeded the per-client accumulation limit for malware inspection. Requests that generate this event are blocked.”

2. Customizing the Storage Settings

The EMP Resource Allocation manager is responsible for calculating each user’s quota while accumulating and scanning requests. The user quotas are:

| Setting | Description |
|---|---|
| Disk storage threshold | Specifies the amount of memory used, in kilobytes, at which temporary storage will switch to disk. Its default value is 64 kilobytes, and its range of permissible values is from 4 through 256. |
| Maximum total storage size | Specifies the maximum total disk space, in gigabytes, that may be used for temporary storage. Its default value is 40 gigabytes, and its smallest permissible value is 4. |
| Client storage limit | Specifies the maximum disk space, in megabytes, that may be allocated for temporary storage for a single client. Its default value is 50 megabytes, and its smallest permissible value is 0. |
| Extended client storage limit | Specifies the maximum disk space, in megabytes, that may be allocated for temporary storage for a single client that has been granted the extended disk space storage limit. Its default value is 1024 megabytes, and its smallest permissible value is 0. |
| Extended limit pool size | Specifies the maximum number of clients that may be granted the extended disk space storage limit concurrently. Its default value is 20 clients, and its smallest permissible value is 0. |

From: http://technet.microsoft.com/en-us/library/cc995049.aspx

In scenarios where this error message appears and users are unable to download content, you can use the counters below to find out whether the limits have been reached:

image 
Note: for more information on Malware Inspection counters, review the Forefront TMG perfmon counters here.

To change the default user quotas, refer to the “Managing temporary storage settings” article, where you will find scripts to view and change the default configuration.
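Before raising a quota, it helps to know which clients are actually hitting the per-client limit and how often. The following is an added example, not code from the original post or from Microsoft: it groups event 23461 messages by client address, using the message text quoted above. The function name, the sample events and the `Application` log name in the final comment are assumptions.

```powershell
# Added example (not from the original post). Requires PowerShell 3.0 or later.
# The pattern follows the event 23461 description quoted in the post.
$Pattern = '^The client (?<client>\S+) exceeded the per-client accumulation limit for malware inspection'

function Get-AccumulationLimitHits {
    param(
        # Objects with TimeCreated and Message properties, such as Get-WinEvent output.
        [Parameter(Mandatory)] [object[]] $Events,
        # Report only clients blocked at least this many times.
        [int] $MinHits = 1
    )
    $Events |
        ForEach-Object {
            # Skip any event whose text is not the accumulation-limit message.
            if ($_.Message -match $Pattern) {
                [pscustomobject]@{ Client = $Matches['client']; Time = $_.TimeCreated }
            }
        } |
        Group-Object Client |
        Where-Object { $_.Count -ge $MinHits } |
        ForEach-Object {
            $times = @($_.Group | ForEach-Object { $_.Time } | Sort-Object)
            [pscustomobject]@{
                Client = $_.Name
                Hits   = $_.Count
                First  = $times[0]
                Last   = $times[-1]
            }
        } |
        Sort-Object Hits -Descending
}

# Constructed sample events (documentation addresses, made-up timestamps).
$blocked = 'The client {0} exceeded the per-client accumulation limit for malware inspection. Requests that generate this event are blocked.'
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2010-03-01T09:15:00'; Message = $blocked -f '192.0.2.21' }
    [pscustomobject]@{ TimeCreated = [datetime]'2010-03-01T09:17:30'; Message = $blocked -f '192.0.2.21' }
    [pscustomobject]@{ TimeCreated = [datetime]'2010-03-01T10:02:10'; Message = $blocked -f '192.0.2.40' }
    [pscustomobject]@{ TimeCreated = [datetime]'2010-03-01T10:05:00'; Message = 'Unrelated event text (constructed).' }
)
Get-AccumulationLimitHits -Events $sample | Format-Table -AutoSize

# On a live server, feed real events instead. The log name is an assumption;
# adjust it to wherever event 23461 appears in your Event Viewer:
# Get-AccumulationLimitHits -Events (Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 23461 })
```

A single client with many hits in a short window points at one large or repeated download, while many clients with a few hits each suggests the default client storage limit is too low for normal traffic.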

Authors

Bala Natarajan
Sr Security Support Escalation Engineer
Microsoft CSS Forefront Security Edge Team

Yuri Diogenes
Sr Security Support Escalation Engineer
Microsoft CSS Forefront Security Edge Team