Cisco IronPort AsyncOS 7.3 for Email Configuration Guide
OL-23078-01
Chapter 10 Virus Outbreak Filters
Guidelines for Setting Your Threat Level Threshold

The threat level threshold allows administrators to be more or less aggressive in quarantining suspicious messages. A low setting (1 or 2) is more aggressive and will quarantine more messages; conversely, a higher setting (4 or 5) is less aggressive and will only quarantine messages with an extremely high likelihood of carrying a virus.

IronPort recommends the default value of 3.
How the Virus Outbreak Filters Feature Works

Email messages pass through a series of steps, the “email pipeline,” when being processed by your IronPort appliance (for more information about the email pipeline, see ). As the messages proceed through the email pipeline, they are run through the anti-spam (AS) and anti-virus (AV) scanning engines (only if anti-spam and anti-virus are enabled for that mail policy). Only messages that pass through those scans are scanned by the Virus Outbreak Filters feature (see  for more information about how the email pipeline can affect which messages are scanned by the Virus Outbreak Filters feature). In other words, known spam or messages containing recognized viruses are not scanned by the Virus Outbreak Filters feature because they will have already been removed from the mail stream — deleted, quarantined, etc. — based on your anti-spam and anti-virus settings. Messages that arrive at the Virus Outbreak Filters feature have therefore been marked virus-free.
Message Scoring

When a new virus is released into the wild, no anti-virus software recognizes it as a virus yet, so this is where the Virus Outbreak Filters feature can be invaluable. Incoming messages are scanned and scored by CASE — each message is compared with the published Outbreak and Adaptive Rules (see ). Based on which rules, if any, the message matches, it is assigned the corresponding virus threat level (VTL). For cases where a message receives multiple scores (from Outbreak and Adaptive Rules), see . If there is no associated VTL (the message does not match any rules), then the message is assigned a default VTL of 0.
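The pipeline ordering and the threshold trade-off described in the two sections above, as an added illustration that is not Cisco's code or the appliance's actual rule format. It assumes a hypothetical rule table mapping rule ids to VTLs, that a message matching several rules takes the highest VTL (the guide defers that case to another section), and that a message is quarantined when its VTL is at or above the configured threshold.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample of Outbreak/Adaptive rules (hypothetical ids and VTLs,
# not the real CASE rule feed).
RULES: Dict[str, int] = {
    "OUTBREAK_EXE_IN_ZIP": 4,
    "ADAPTIVE_URL_PATTERN": 2,
    "OUTBREAK_SCR_ATTACH": 5,
}

@dataclass
class Message:
    msg_id: str
    spam: bool                      # anti-spam (AS) verdict, an earlier pipeline step
    known_virus: bool               # anti-virus (AV) verdict, an earlier pipeline step
    matched_rules: List[str] = field(default_factory=list)  # rules CASE matched

def virus_threat_level(msg: Message) -> int:
    """VTL of a message: highest score among matched rules (assumption), 0 if none."""
    return max((RULES[r] for r in msg.matched_rules if r in RULES), default=0)

def pipeline_disposition(msg: Message, threshold: int) -> str:
    """Walk the email pipeline: AS, then AV, then Virus Outbreak Filters."""
    if not 1 <= threshold <= 5:
        raise ValueError("threat level threshold must be 1-5")
    if msg.spam:
        return "removed:anti-spam"          # never reaches Outbreak Filters
    if msg.known_virus:
        return "removed:anti-virus"         # never reaches Outbreak Filters
    # Only messages marked virus-free get here; quarantine at/above threshold (assumption).
    return "outbreak-quarantine" if virus_threat_level(msg) >= threshold else "delivered"

def quarantined_per_threshold(messages: List[Message]) -> Dict[int, int]:
    """How many messages Outbreak Filters would quarantine at each threshold 1..5."""
    return {t: sum(1 for m in messages if pipeline_disposition(m, t) == "outbreak-quarantine")
            for t in range(1, 6)}

# Constructed sample traffic.
SAMPLE = [
    Message("m1", spam=True, known_virus=False, matched_rules=["OUTBREAK_SCR_ATTACH"]),
    Message("m2", spam=False, known_virus=True),
    Message("m3", spam=False, known_virus=False, matched_rules=["ADAPTIVE_URL_PATTERN"]),
    Message("m4", spam=False, known_virus=False,
            matched_rules=["OUTBREAK_EXE_IN_ZIP", "ADAPTIVE_URL_PATTERN"]),
    Message("m5", spam=False, known_virus=False),               # matches nothing: VTL 0
    Message("m6", spam=False, known_virus=False, matched_rules=["OUTBREAK_SCR_ATTACH"]),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m.msg_id, virus_threat_level(m), pipeline_disposition(m, 3))
    print(quarantined_per_threshold(SAMPLE))  # lower thresholds quarantine more
```

Note that m1 carries the highest-scoring rule yet is never scored by Outbreak Filters, because anti-spam removed it first.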