I know with MWG6 there was a setting to allow download managers to make it through the proxy. Is there a similar setting in MWG7 or is there some type of built in detection to allow such downloads to work?
probably you are referring to the "Partial Downloads" settings in MWG6. They are part of the default Gateway Anti-Malware rule set. You can try if disabling the rule helps. However it is hard to say what causes the Download Manager to fail - do you have some more information about what is going wrong?
The d/l fails immediately. Disabling the "Remove Partial Content for HTTP(s) Requests" seems to have done the job.
Where else are Partial Requests used and what are we risking by allowing them?
that is good to hear. The "Range" header is used by the download managers to tell the web server to only send a specific range of bytes of a file they host, instead of the complete file. This will allow for example to start five downloads, each requesting 200 KB or a 1 MB file.
Partial downloads are widely used for download managers and accelerators. Usually a download manager should be smart enough to detect the Range header is not supported, and obtain the complete file, but not everyone does this (as seen in your example).
The risk I see is that MWG does not see the complete file any longer, when a download is performed in such a way. If the 1 MB file I used as an example above is a ZIP archive, MWG will only see 5 files of binary data, but MWG will not be able to know that those files belong together and won´t be able to look into the ZIP file. So if there is malware in it, we won´t stop it (it will hopefully be stopped by the clients desktop AV in this case).
Therefore we disable this by default. You could look into the access.log and see if the Download Manager uses a customer User-Agent. In this case you could allow partial downloads only for the download manager (and/or destination) to tighten security.