I have been getting more and more questions within the FSSP (Forefront Security for SharePoint) space. If you are wondering about topology designs or where FSSP might live within a particular SharePoint configuration, please read the following and it will more than likely answer your question:
Using the Acceleration Toolkit for Microsoft Forefront Security for SharePoint
I wrote it to be pretty god damn exhaustive.
At a client of mine today, who has a robust FSSP environment, similar to the larger one I wrote about in this MSDN article:
or if you are just interested in the specific image:
was experiencing an abnormal amount of memory utilization on the WFEs I had built for them. While they wanted a quick fix, it is important to remember that the scanning processes of FSSP will consume memory depending on how you balance the engines being used. Forefront uses in-memory scanning (FSCRealtimeScanner.exe), and up to 5 scan engines can be employed, so each scan process will load the engines that you have enabled under SETTINGS > Anti Virus.
Each of the scanning processes will generally consume ~200-300 MB of RAM, depending on the file being processed, since the file being scanned is loaded into memory. Thus, if a scan is being executed on a file that is 200 MB, a further 200 MB of RAM is utilized. Once the scan is complete, this memory returns to the available pool.
All this being said, the number of processes spawned can be reduced explicitly by modifying the RealtimeProcessCount registry value (under HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint), which requires restarting the FSSP and SharePoint services. However, this should be approached with caution, since having several real-time processes allows FSSP to scan more than one file at a time, thus avoiding scan-related bottlenecks.
The only recommendation that can be made is a review of the memory consumption to establish whether it is normal, and thus requires expanding the available RAM, or whether there is a separate problem.
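One way to carry out that review on a WFE, as an added example that is not part of the original post or of the toolkit. It is read-only and assumes Windows PowerShell run locally on the server; the function name `Get-FsspScannerMemoryReport` is hypothetical, and the 300 MB threshold is simply the upper end of the ~200-300 MB estimate above.

```powershell
# Added example: compare FSCRealtimeScanner memory with the figures in the post.
# Registry path, value name and process name are the ones the post gives.
$RegPath      = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint'
$ProcName     = 'FSCRealtimeScanner'
$TypicalMaxMB = 300   # assumption: upper end of the post's per-process estimate

function Get-FsspScannerMemoryReport {
    # Configured number of real-time scan processes ($null if the value is absent).
    $configured = $null
    $prop = Get-ItemProperty -Path $RegPath -Name RealtimeProcessCount -ErrorAction SilentlyContinue
    if ($prop) { $configured = $prop.RealtimeProcessCount }

    # Working set of every scanner process currently running.
    $procs = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue)
    $totalMB = 0
    $aboveTypical = @()
    foreach ($p in $procs) {
        $mb = [math]::Round($p.WorkingSet64 / 1MB, 1)
        $totalMB += $mb
        # A process above the typical range may just be holding a large file.
        if ($mb -gt $TypicalMaxMB) { $aboveTypical += "PID $($p.Id): $mb MB" }
    }

    # Physical memory on the box (WMI reports these two values in KB).
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $freeMB  = [math]::Round($os.FreePhysicalMemory / 1KB, 0)
    $totalRamMB = [math]::Round($os.TotalVisibleMemorySize / 1KB, 0)

    # Baseline to budget for: configured processes x typical maximum,
    # before adding the size of whatever files are being scanned.
    $baselineMB = $null
    if ($configured -ne $null) { $baselineMB = $configured * $TypicalMaxMB }

    New-Object PSObject -Property @{
        ConfiguredProcessCount = $configured
        RunningProcessCount    = $procs.Count
        ScannerWorkingSetMB    = $totalMB
        ExpectedBaselineMB     = $baselineMB
        ProcessesAboveTypical  = ($aboveTypical -join '; ')
        FreePhysicalMB         = $freeMB
        TotalPhysicalMB        = $totalRamMB
    }
}

Get-FsspScannerMemoryReport | Format-List
```

If `ScannerWorkingSetMB` stays close to `ExpectedBaselineMB` plus the size of the files in flight, the consumption is the normal kind described above and the server needs more RAM; if it is well beyond that, look for a separate problem before touching RealtimeProcessCount.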
I get asked a lot about Forefront topologies, meaning: if you are given a SharePoint farm composed of X number of SharePoint components, which machines get what? If you are interested in this, please look at my MSDN article:
Using the Acceleration Toolkit for Microsoft Forefront Security for SharePoint.
An acceleration toolkit provides a logical bundling of common documentation, proven server designs, and established research to assist in the accelerated implementation of options for a product. This Acceleration Toolkit for Microsoft Forefront Security for SharePoint (FSSP) targets an arbitrary SharePoint environment, regardless of deployment phase, to provide guidance for architects to rapidly supply full-fidelity FSSP enablement.