Configuration recommendations for Forefront
Although it's not difficult to implement Forefront Security for Exchange Server, there are some recommended configuration options. Here's a short list:
Bias: Favor Certainty
Action: Delete: remove infection
Body Scanning – Realtime: Disabled by default. The best practice is to keep it disabled for Realtime, except during a virus outbreak. For the Transport Scan Job, this setting is always enabled.
Delete Corrupted Compressed Files: Keep active.
Delete Corrupted Uuencode Files: Keep active.
Delete Encrypted Compressed Files: Since these files can't be inspected, enable this option.
Scan Doc Files As Containers - Manual/Transport/Realtime: Activate this option, since documents of this kind can contain embedded worms.
Optimize for Performance By Not Rescanning Messages Already Virus Scanned - Transport: To identify mail that has already been scanned, a secure antivirus header stamp is written to each e-mail when it is first scanned at the Edge or Hub server. Keep active.
Scan on Scanner Update: Activate only during a virus outbreak, since it can affect performance.
Realtime Process Count/Transport Process Count: It should be twice the number of server cores (up to 10).
Deliver From Quarantine Security: Keep Secure Mode.
Max Container File Size: Should be equal to the maximum message size allowed for the Exchange Organization.
Enable Background Scan if 'Scan On Scanner Update' Enabled: Applies only to Mailbox servers. Keep active.
Scan messages received within the last x days: Keep the default (2 days).
Optimize Scanning Performance for: Keep Realtime Scanning.
For more information, read the Forefront Security for Exchange Server Best Practices Guide.