Antivirus settings


Applies to: Microsoft Antigen

Configure the scan job with your engine, bias setting, action, and quarantine selections.

Bias setting

The bias setting controls how many engines are used to provide you with an acceptable probability that your system is protected (realizing that there is a trade-off between virtual certainty and system performance). The more engines you use, the greater the probability that all viruses will be detected. However, the more engines you use, the greater the impact on your system’s performance. While Antigen for Exchange uses a very efficient in-memory scanning process, each additional engine adds to scanning time and resource usage.

At one extreme is the number of engines that gives maximum certainty; at the other is the number of engines that allows maximum performance. In between is the number of engines that gives balanced (called neutral) performance.

After you make your scan engine configurations and bias configurations, it is recommended that you reevaluate the server performance and then make any necessary adjustments. These adjustments may involve increasing or decreasing the number of scan engines, or changing the bias setting based on the needs of your organization. For best performance, it is recommended that you use no more than five engines per scan job.

You can have a different bias setting on different servers, depending on your needs. For example, you might want to use only a single engine on your Gateway server to maximize its system performance. Then, you can use several engines on your mailbox servers.

It is recommended that you use the same engines and bias settings on all Gateway servers. This ensures the same degree of scanning on inbound, outbound, and internal mail, and also helps to prevent unnecessary duplicate scanning.

When using Maximum Certainty, mail flow is held up whenever a scan engine is being updated because Maximum Certainty requires that every message be scanned by every selected engine. To provide complete scan engine coverage, mail is queued until the scan engine update is finished (typically, less than 30 seconds). To avoid this, you should select Favor Certainty, in which case scanning and mail flow continue via all other selected engines while an engine is being updated.
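To make the difference between the two bias levels concrete, the following model (an added example, not Antigen code) applies the two rules the text describes to a stream of messages while one selected engine is being updated: under Maximum Certainty a message is held until every selected engine is available, and under Favor Certainty it is scanned immediately by every engine that is not updating. Engine names, the update window and the message arrival times are constructed sample values; the real product's queuing and engine scheduling are not on this page and are not modelled.

```python
"""Model of how an Antigen bias setting decides which engines scan a message.

Added example; not Antigen code. The two behaviours modelled are the ones the
text describes: Maximum Certainty holds mail while any selected engine is
updating; Favor Certainty scans with every engine that is not being updated.
Engine names, timings and the message stream are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum


class Bias(Enum):
    MAXIMUM_CERTAINTY = "Maximum Certainty"
    FAVOR_CERTAINTY = "Favor Certainty"


@dataclass(frozen=True)
class Engine:
    name: str
    updating: bool = False  # True while an engine update is in progress


@dataclass(frozen=True)
class ScanDecision:
    engines: tuple  # names of the engines that scan the message right now
    queued: bool    # True if the message is held until the update completes


def plan_scan(selected, bias):
    """Decide which of the selected engines scan one message under `bias`."""
    available = tuple(e.name for e in selected if not e.updating)
    if bias is Bias.MAXIMUM_CERTAINTY and len(available) < len(selected):
        # Every selected engine must see the message: hold it in the queue.
        return ScanDecision(engines=(), queued=True)
    # Favor Certainty (or Maximum Certainty with nothing updating): scan now
    # with every engine that is currently usable.
    return ScanDecision(engines=available, queued=False)


def simulate(engine_names, bias, update_engine, update_window, message_times):
    """Run a stream of messages past the engines while one engine updates.

    `update_window` is a half-open interval (start, end) in seconds during
    which `update_engine` is unavailable. Returns how many messages were held
    and how many were scanned by fewer engines than were selected.
    """
    start, end = update_window
    held = 0
    reduced_coverage = 0
    for t in message_times:
        engines = tuple(
            Engine(n, updating=(n == update_engine and start <= t < end))
            for n in engine_names
        )
        decision = plan_scan(engines, bias)
        if decision.queued:
            held += 1
        elif len(decision.engines) < len(engine_names):
            reduced_coverage += 1
    return {"held": held, "reduced_coverage": reduced_coverage,
            "total": len(message_times)}


# Constructed sample: three engines, engine "B" updates from t=3 to t=6,
# and one message arrives every second for ten seconds.
SELECTED = ("A", "B", "C")
ARRIVALS = list(range(10))

if __name__ == "__main__":
    for bias in Bias:
        summary = simulate(SELECTED, bias, "B", (3, 6), ARRIVALS)
        print(f"{bias.value:18s} held={summary['held']} "
              f"reduced_coverage={summary['reduced_coverage']}")
```

With the sample data, Maximum Certainty holds the three messages that arrive during the update and scans everything with all three engines, while Favor Certainty delays nothing but scans those same three messages with only two engines. That is the trade-off the text asks you to weigh: a short mail-flow pause versus a brief window of reduced engine coverage.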

SMTP Scan Job bias

It is recommended that you set the bias level to Favor Certainty. This is your server’s first line of defense against unwanted and malicious messages and attachments; therefore, as much of the load as possible should be handled at this level. It is recommended that you use Inbound, Outbound, and Internal Scanning on all servers. A message traveling between Exchange servers in different routing groups will be transmitted by using SMTP. Therefore, by scanning at this level, you can identify and stop an outbreak of an SMTP mass mailer and keep it on the server from which it originated.

Realtime Scan Job bias

It is recommended that you set the bias level to Favor Certainty, because the safety of the e-mail infrastructure should be your main concern. This setting will ensure that all of the available engines are used (those that are not being updated) and that no e-mail messages can be opened without having passed through the maximum number of engine scans.

Manual Scan Job bias

It is recommended that the settings be the same as those you select for the Realtime Scan Job.

Action

It is recommended that you set the action setting to Delete: Remove Contents. Attempting to clean and repair an attachment was more useful years ago, when cleanable viruses were more common and valid documents were often infected. The virus world has changed over the years, and the vast majority of viruses today are not cleanable. Also, a valid infected file is much less common. Most of the time, the entire attachment is a virus and has no valid content. Because the attempt to clean the virus requires additional processing resources—which, in most cases, are wasted—the Delete option is a better choice.

Quarantine files

The Quarantine feature provides an added level of security because you can retrieve a message that has been incorrectly tagged as a virus. However, there is overhead involved in quarantining files, particularly if many viruses are captured each day. Large organizations can block millions of viruses in a month, although many of these might be worm viruses that are never quarantined. Ideally, you want to quarantine detected viruses, but you might determine that the better course is to simply delete them, even at the risk of losing valid e-mail message content. Not quarantining or sending notifications can greatly simplify your virus management, but it carries the risk of losing e-mail communications that users might want to receive.