Cisco Email Security Appliance C170 Operating Instructions
Chapter 10 Outbreak Filters
10-12
Cisco IronPort AsyncOS 7.5 for Email Configuration Guide
OL-25136-01
Containers: Specific and Always Rules
Container files are files, such as zipped (.zip) archives, that contain other files.
The TOC can publish rules that deal with specific files within archive files.
For example, if a virus outbreak is identified by the TOC to consist of a .zip file containing a .exe, a specific Outbreak Rule is published that sets a threat level for .exe files within .zip files (.zip(exe)), but does not set a specific threat level for any other file type contained within .zip files (e.g., .txt files). A second rule (.zip(*)) covers all other file types within that container file type. An Always rule for a container is always used in a message's Threat Level calculation, regardless of the types of files that are inside the container. An Always rule is published by the SIO if all such container types are known to be dangerous.
How the Outbreak Filters Feature Works
Email messages pass through a series of steps, the “email pipeline,” when being
processed by your Cisco IronPort appliance (for more information about the email
pipeline, see
). As the messages
proceed through the email pipeline, they are run through the anti-spam and
anti-virus scanning engines if they are enabled for that mail policy. Only
messages that pass through those scans are scanned by the Outbreak Filters
feature (see
for
more information about how the email pipeline can affect which messages are
scanned by the Outbreak Filters feature). In other words, known spam or
messages containing recognized viruses are not scanned by the Outbreak Filters
feature because they will have already been removed from the mail stream —
deleted, quarantined, etc. — based on your anti-spam and anti-virus settings.
Messages that arrive at the Outbreak Filters feature have therefore been marked
Table 10-2    Fallback Rules and Threat Level Scores

Outbreak Rule    Threat Level    Description
.zip(exe)        4               This rule sets a threat level of 4 for .exe files within .zip files.
.zip(doc)        0               This rule sets a threat level of 0 for .doc files within .zip files.
.zip(*)          2               This rule sets a threat level of 2 for all .zip files, regardless of the types of files they contain.
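As an added illustration of the container rule logic described in this section (this is not code from the Cisco guide or from the appliance), the Python below resolves rules of the form shown above against the files inside a container: a specific rule such as .zip(exe) takes precedence, the wildcard .zip(*) is the fallback for any other inner file type, and an Always rule contributes regardless of contents. The rule-string parser, the ContainerRule representation of an Always rule, and combining per-file levels with max() are assumptions made for the example, not the appliance's documented behaviour; the rule values are a constructed set mirroring Table 10-2.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Rule strings as written in the guide: ".zip(exe)", ".zip(*)" (assumed syntax).
RULE_RE = re.compile(r"^\.(?P<container>\w+)\((?P<inner>\*|\w+)\)$")


@dataclass(frozen=True)
class ContainerRule:
    container: str        # container extension, e.g. "zip"
    inner: str            # inner file extension, or "*" for the fallback rule
    threat_level: int
    always: bool = False  # assumption: flag marking an Always rule


def parse_rule(text: str, threat_level: int, always: bool = False) -> ContainerRule:
    """Parse a rule string such as '.zip(exe)' into a ContainerRule (assumed syntax)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised rule syntax: {text!r}")
    return ContainerRule(m["container"].lower(), m["inner"].lower(), threat_level, always)


# Constructed rule set mirroring Table 10-2.
RULES: List[ContainerRule] = [
    parse_rule(".zip(exe)", 4),
    parse_rule(".zip(doc)", 0),
    parse_rule(".zip(*)", 2),
]


def _ext(value: str) -> str:
    """Normalise an extension: lower-case, no leading dot."""
    return value.lower().lstrip(".")


def resolve_threat_level(container: str, inner_ext: str,
                         rules: Sequence[ContainerRule]) -> Optional[int]:
    """Threat level for one file of type inner_ext inside a container.

    A specific rule (.zip(exe)) takes precedence over the wildcard fallback
    (.zip(*)); None means no rule covers this container type at all.
    """
    c, e = _ext(container), _ext(inner_ext)
    specific = [r.threat_level for r in rules
                if not r.always and r.container == c and r.inner == e]
    if specific:
        return max(specific)
    fallback = [r.threat_level for r in rules
                if not r.always and r.container == c and r.inner == "*"]
    return max(fallback) if fallback else None


def message_threat_level(attachments: Sequence[Tuple[str, Sequence[str]]],
                         rules: Sequence[ContainerRule]) -> int:
    """Threat level for a message given its container attachments.

    attachments: (container extension, names of the files inside it) pairs.
    Assumption: the message level is the maximum over all matching rules;
    0 means no rule applied.
    """
    levels: List[int] = []
    for container, inner_files in attachments:
        c = _ext(container)
        # Always rules apply regardless of what the container holds.
        levels.extend(r.threat_level for r in rules if r.always and r.container == c)
        for name in inner_files:
            ext = name.rsplit(".", 1)[1] if "." in name else ""
            level = resolve_threat_level(c, ext, rules)
            if level is not None:
                levels.append(level)
    return max(levels, default=0)


if __name__ == "__main__":
    # Constructed message: one .zip holding a text file and an executable.
    print(message_threat_level([("zip", ["readme.txt", "setup.exe"])], RULES))  # 4
```

With the Table 10-2 rules, a .zip holding only a .doc resolves to 0, a .zip holding a .txt falls through to the wildcard rule and gets 2, and any .zip containing a .exe gets 4; a container type with no rules at all contributes nothing.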