Forefront TMG 2010’s Malware Inspection HTML page Progress Notification and Opera
[LEFT][CODE]http://www.carbonwind.net/blog/post/Forefront-TMG-2010e28099s-Malware-Inspection-HTML-page-Progress-Notification-and-Opera.aspx[/CODE]
by [URL="http://www.carbonwind.net/blog/author/adrian.aspx"]adrian[/URL] 6. February 2010 15:38
Today I received an email from a TMG 2010 user (Martin) about the Malware inspection feature that displays a progress notification to users.
Forefront TMG can send an HTML page to the client informing the user that the requested content is being inspected and displaying an indicator of the download and Malware inspection progress. See [URL="http://www.isaserver.org/tutorials/Configuring-AntiMalware-functionality-Microsoft-Forefront-TMG.html"]this[/URL] for more details.
According to Martin, Internet Explorer and Firefox were able to make use of this feature.
[URL="http://www.carbonwind.net/blog/image.axd?picture=cont_delv_ie.png"][IMG]http://www.carbonwind.net/blog/image.axd?picture=cont_delv_ie_thumb.png[/IMG][/URL]
[URL="http://www.carbonwind.net/blog/image.axd?picture=cont_delv_ff.png"][IMG]http://www.carbonwind.net/blog/image.axd?picture=cont_delv_ff_thumb.png[/IMG][/URL]
But Opera was not:
[IMG]http://www.carbonwind.net/blog/image.axd?picture=cont_delv_opera_def.png[/IMG]
Thinking a little bit, I wondered if this has something to do with the [B]User-Agent[/B] of the browser.
Opera can be configured to use a different User-Agent (as explained [URL="http://www.davidtan.org/how-to-change-opera-user-agent-string/"]here[/URL]), so I’ve configured Opera (on Windows below) to identify as IE.
[URL="http://www.carbonwind.net/blog/image.axd?picture=cont_delv_opera_cfg_spoof_usr_ag.png"][IMG]http://www.carbonwind.net/blog/image.axd?picture=cont_delv_opera_cfg_spoof_usr_ag_thumb.png[/IMG][/URL]
I tried again, and this time Opera (on Windows) was able to display the Malware Inspection HTML page:
[URL="http://www.carbonwind.net/blog/image.axd?picture=cont_delv_opera.png"][IMG]http://www.carbonwind.net/blog/image.axd?picture=cont_delv_opera_thumb.png[/IMG][/URL]
We can see with Wireshark the difference between the original User-Agent and the modified one:
[URL="http://www.carbonwind.net/blog/image.axd?picture=cont_delv_opera_wr_usr_ag.png"][IMG]http://www.carbonwind.net/blog/image.axd?picture=cont_delv_opera_wr_usr_ag_thumb.png[/IMG][/URL] vs [URL="http://www.carbonwind.net/blog/image.axd?picture=cont_delv_opera_wr_spoof_usr_ag.png"][IMG]http://www.carbonwind.net/blog/image.axd?picture=cont_delv_opera_wr_spoof_usr_ag_thumb.png[/IMG][/URL]
The remaining question is how to tweak TMG instead of Opera, as this should be a single change, rather than a change to every browser. I have not figured this out yet.
As a side note, the Malware Inspection HTML page seems to be displayed fine on Chrome 4.0.x (on Windows):
[URL="http://www.carbonwind.net/blog/image.axd?picture=cont_delv_chrome.png"][IMG]http://www.carbonwind.net/blog/image.axd?picture=cont_delv_chrome_thumb.png[/IMG][/URL]
[/LEFT]
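The Wireshark comparison above can also be done in a script, to confirm that the User-Agent is the only header that changed between the two requests. This is an added example, not code from the original post; the two captured requests, the host name and the User-Agent strings in it are constructed sample data.

```python
# Added example: diff the headers of two captured HTTP requests.
# The captures below are constructed sample data, not taken from the post.

def parse_request(raw):
    """Return (request_line, headers); headers maps lowercased name -> list of values."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:
            # Obsolete folded continuation line: append to the previous value.
            headers[last][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line, skip it
        last = name.strip().lower()
        headers.setdefault(last, []).append(value.strip())
    return lines[0], headers

def diff_headers(raw_a, raw_b):
    """Return {header: (values_in_a, values_in_b)} for every header that differs."""
    _, a = parse_request(raw_a)
    _, b = parse_request(raw_b)
    return {name: (a.get(name), b.get(name))
            for name in sorted(set(a) | set(b))
            if a.get(name) != b.get(name)}

# Constructed request template; only the User-Agent value is substituted.
TEMPLATE = (
    "GET http://files.example.test/setup.exe HTTP/1.1\r\n"
    "User-Agent: {ua}\r\n"
    "Host: files.example.test\r\n"
    "Accept: text/html, application/xml;q=0.9, */*;q=0.1\r\n"
    "Proxy-Connection: Keep-Alive\r\n\r\n"
)
UA_OPERA = "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.2.15 Version/10.10"
UA_AS_IE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; en) Opera 10.10"
OPERA_DEFAULT = TEMPLATE.format(ua=UA_OPERA)
OPERA_AS_IE = TEMPLATE.format(ua=UA_AS_IE)

if __name__ == "__main__":
    for name, (before, after) in diff_headers(OPERA_DEFAULT, OPERA_AS_IE).items():
        print(f"{name}:\n  default: {before}\n  spoofed: {after}")
```

If the diff lists only `user-agent`, the change in TMG's behaviour between the two requests can be attributed to that header alone.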