Forefront Security for Exchange Server can be an effective antivirus and antispam solution. However, you'll have to configure the bias and action settings to levels that are optimal for your organization. Learn how in this tip from expert Brien Posey.
If you're opening Forefront's administrative console for the first time, you'll be prompted to specify which server you'd like to connect to. After selecting your server, click OK, and you'll see a message stating that you have 120 days to license Forefront. Although you can license Forefront immediately, I recommend waiting a couple of weeks to make sure that your deployment is stable and is working as expected.
Configuring the scanning engines
After clearing the license-notification message, you'll be taken to the main console screen. The first thing I recommend doing is configuring the scanning engines. A lot of Exchange administrators assume that because Forefront ships with five scanning engines, all five are used simultaneously on every message. However, that isn't always the case. If you click on the Antivirus icon within the Settings section, you'll see an option at the bottom of the screen that allows you to set a bias level (Figure 1).
Figure 1. The bias setting provides a tradeoff between accuracy and performance.
Each scanning engine places an additional workload on the server being scanned. Because of this, there's a tradeoff between accuracy and performance. Using all five scanning engines simultaneously will almost certainly catch any viruses passing through the server, but it would hinder the server's performance more than using fewer scanning engines would.
There is also a Maximum Certainty setting, but Microsoft doesn't recommend using it -- even if you have a server with plenty of available resources. If you use the Maximum Certainty setting, Forefront will require every message to be scanned by every scanning engine. The problem here is that scanning engines are updated on a periodic basis and scanning cannot occur during these updates. Therefore, messages will get backed up in the queue until the update process is complete.
Rather than using the Maximum Certainty setting, Microsoft recommends using the Favor Certainty setting. This guarantees that each message is scanned by at least three scanning engines and will be scanned by all five engines if possible.
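As an added illustration (not code from the article or from Microsoft's product), here is a small Python model of the queueing behaviour described above: Maximum Certainty holds messages whenever any engine is offline for an update, while Favor Certainty releases them once at least three engines are available. The engine names, per-tick scanning capacity and update windows are constructed assumptions, not Forefront's real values.

```python
"""Model of the Forefront bias setting during scanning-engine updates.
Engine names, capacity and update windows below are constructed examples."""
from collections import deque

ENGINES = ["engine1", "engine2", "engine3", "engine4", "engine5"]  # placeholder names
CAPACITY = 3  # assumed messages the server can scan per tick

# Bias level -> minimum number of engines that must scan a message.
# Maximum Certainty requires all five; Favor Certainty requires at least
# three and uses every engine that happens to be online.
MIN_ENGINES = {"Maximum Certainty": 5, "Favor Certainty": 3}


def engines_for_message(bias, available):
    """Return the engines that scan the message now, or None if it must wait."""
    if len(available) < MIN_ENGINES[bias]:
        return None
    return list(available)  # use all engines that are currently online


def simulate(bias, arrivals_per_tick, update_windows, ticks):
    """Tick-based queue model. update_windows maps engine -> set of ticks
    during which that engine is offline for a signature update.
    Returns (messages still queued at the end, peak queue length)."""
    queue = deque()
    peak = 0
    for t in range(ticks):
        queue.extend(f"msg-{t}-{i}" for i in range(arrivals_per_tick))
        peak = max(peak, len(queue))
        available = [e for e in ENGINES if t not in update_windows.get(e, set())]
        if engines_for_message(bias, available) is not None:
            # Scanning proceeds: drain up to CAPACITY messages this tick.
            for _ in range(min(CAPACITY, len(queue))):
                queue.popleft()
    return len(queue), peak


# Constructed schedule: engine1 updates during ticks 2-5, engine2 during ticks 6-7.
UPDATE_WINDOWS = {"engine1": set(range(2, 6)), "engine2": {6, 7}}

if __name__ == "__main__":
    for bias in MIN_ENGINES:
        left, peak = simulate(bias, 2, UPDATE_WINDOWS, 10)
        print(f"{bias}: {left} messages still queued, peak queue {peak}")
```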
Beneath the bias drop-down list in the administrative console is an Action option. This allows you to control what happens if Forefront detects a virus. You have the option of detecting the infection, but not doing anything about it (not recommended), cleaning the infection and repairing the attachment, or deleting the infected message.
You should delete all infected messages. I don't recommend repairing infected attachments because I've found it's rare for a legitimate attachment to be infected. Most of the time, infected attachments are connected to spam, which should always be deleted.
I also recommend deleting infected attachments because repairing an infected file is more resource-intensive than deleting it. This wouldn't be a big deal if infected attachments were a rare occurrence, but given the volume of spam that most organizations receive, infected attachments are very common.
About the author: Brien M. Posey, MCSE, is a five-time recipient of Microsoft's Most Valuable Professional (MVP) award for his work with Exchange Server, Windows Server, Internet Information Services (IIS), and File Systems and Storage. Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.
This was first published in March 2010