Forefront Security for Exchange Server Best Practices - Bias setting


Applies to: Forefront Security for Exchange Server

Topic Last Modified: 2008-02-04

The bias setting controls how many engines are used to scan each message. It lets you choose an acceptable probability that your system is protected, recognizing that there is a trade-off between virtual certainty and system performance. The more engines you use, the greater the probability that all viruses are caught, but also the greater the impact on your system’s performance. While Forefront Security for Exchange Server uses a very efficient in-memory scanning process, each additional engine adds to scanning time and resource usage.

Thus, at one extreme is the number of engines that gives maximum certainty; at the other is the number of engines that permits maximum performance. It is recommended that, in general, you use all available scan engines.

You can have a different bias setting on different servers, depending on your needs. For example, you might want to use only a single engine on your gateway server, to maximize its performance. Then, you can use several engines on your other servers where performance is not as critical.

It is recommended that you use the same engines and bias settings on all Edge Transport and Hub Transport servers (although the Edge server might benefit from using more engines and a higher bias setting to ensure that all mail is scanned by multiple engines). This ensures the same degree of scanning on inbound, outbound, and internal mail (which gets scanned at the Hub when in transit), and that you avoid unnecessary duplicate scanning.

When using Maximum Certainty, mail flow is held up any time a scan engine is being updated, because Maximum Certainty requires that every message be scanned by every selected engine. To provide complete scan engine coverage, mail is queued until the scan engine update is finished (typically less than 30 seconds). To avoid this, you should select Favor Certainty, in which case scanning continues with all other selected engines, and mail flow is not interrupted, while an engine is being updated.
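The update behaviour described above can be modelled in a few lines. This is an added example, not Forefront code: the engine names, update windows, arrival times and the `max_certainty` / `favor_certainty` labels are constructed for illustration, and the model covers only what happens while an engine is updating.

```python
# Constructed sample data (seconds since start); not from a real deployment.
ENGINES = ["engine_a", "engine_b", "engine_c"]          # selected scan engines
UPDATES = {"engine_b": [(100, 125)],                    # engine unavailable in [start, end)
           "engine_c": [(300, 320)]}
ARRIVALS = [10, 101, 110, 124, 125, 305, 400]           # message arrival times


def updating(engine, t):
    """True if the engine is in an update window at time t."""
    return any(start <= t < end for start, end in UPDATES.get(engine, []))


def scan(arrival, bias):
    """Return (release_time, engines_used) for one message under a bias model."""
    t = arrival
    if bias == "max_certainty":
        # Every selected engine must scan the message, so it is queued
        # until no selected engine is updating.
        while any(updating(e, t) for e in ENGINES):
            t = min(end for e in ENGINES
                    for start, end in UPDATES.get(e, []) if start <= t < end)
        return t, list(ENGINES)
    if bias == "favor_certainty":
        # Scan immediately with every selected engine that is not updating.
        return t, [e for e in ENGINES if not updating(e, t)]
    raise ValueError(f"unknown bias model: {bias}")


def summarize(bias):
    """Queueing and coverage figures for the whole sample under one bias model."""
    results = [scan(a, bias) for a in ARRIVALS]
    delays = [release - a for a, (release, _) in zip(ARRIVALS, results)]
    return {"held": sum(d > 0 for d in delays),
            "max_delay": max(delays),
            "min_engines": min(len(used) for _, used in results)}


if __name__ == "__main__":
    for bias in ("max_certainty", "favor_certainty"):
        print(bias, summarize(bias))
```

With this sample, the Maximum Certainty model holds four messages for up to 24 seconds but always scans with three engines, while the Favor Certainty model holds none and drops to two engines during an update window.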

It is recommended that you set the bias level to Favor Certainty. The Transport Scan Job is your server’s first line of defense against unwanted and malicious messages and attachments, and it is therefore important that as much of the load as possible be taken at this level.

It is recommended that you use Inbound, Outbound, and Internal Scanning on all servers. A message traveling between Exchange servers in different routing groups is transmitted using SMTP; therefore by scanning at this level you can identify and stop an outbreak of an SMTP mass mailer.

It is recommended that you start with Favor Certainty, since the safety of the e-mail infrastructure should be your main concern. This setting ensures scanning with between three and five scan engines.

In Exchange 2007, the default is not to scan mail older than the On-Access cutoff value. Such mail may therefore be opened without having passed through any scan engines. To modify this behavior, see the section “Forefront Security for Exchange Server Best Practices - Deployment considerations”.

It is recommended that the bias setting for the Manual Scan Job be the same as that selected for the Realtime Scan Job.