The ATP settings under "Virus Scanning" are applied globally. We have found that we cannot set "Scan First, then Deliver" without breaking applications and server functions, including Windows updates.
It would be nice to be able to make exceptions for Virus and ATP protection based on Source IP/User, and even destinations, similar to how it is done for SSL Inspection (AKA Windows updates).
For exceptions, have the option to Deliver First, Scan First, or Disable.
With this, I think it would be possible to implement ATP better, as there is no one setting that fits all.