Cisco Email Security Appliance C680 User Guide

Chapter 10: Outbreak Filters
Cisco IronPort AsyncOS 7.5 for Email Configuration Guide
OL-25136-01
monitor your anti-virus vendor’s updates and manually release or re-evaluate 
some messages in the Outbreak quarantine. When using Outbreak Filters without 
anti-virus scanning enabled, keep the following in mind:
• You should disable Adaptive Rules.
• Messages will get quarantined by Outbreak Rules.
• Messages will get released if the threat level is lowered or time expires.
• Downstream anti-virus vendors (desktops/groupware) may catch the message on release.
Note: Anti-spam scanning needs to be enabled globally on an appliance in order for the 
Outbreak Filters feature to scan for non-viral threats.
Dynamic Quarantine
The Outbreak Filters feature’s Outbreak quarantine is a temporary holding area 
used to store messages until they’re confirmed to be threats or it’s safe to deliver 
to users. (See 
 for more 
information.) Quarantined messages can be released from the Outbreak 
quarantine in several ways. As new rules are downloaded, messages in the 
Outbreak quarantine are reevaluated based on a recommended rescan interval 
calculated by CASE. If the revised threat level of a message falls under the 
quarantine retention threshold, the message will automatically be released 
(regardless of the Outbreak quarantine’s settings), thereby minimizing the time it 
spends in the quarantine. If new rules are published while messages are being 
re-evaluated, the rescan is restarted.
Please note that messages quarantined as virus attacks are not automatically 
released from the outbreak quarantine when new anti-virus signatures are 
available. New rules may or may not reference new anti-virus signatures; 
however, messages will not be released due to an anti-virus engine update unless 
an Outbreak Rule changes the threat level of the message to a score lower than 
your Threat Level Threshold.
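The release behaviour described above, modelled as an added Python example (not Cisco's code and not part of the original guide). The rule format (attachment extension mapped to a threat level), the threshold value, the "no matching rule means level 0" fallback and the message data are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Message:
    msg_id: str
    extension: str      # attribute the hypothetical rules key on in this model
    threat_level: int   # level assigned when the message was quarantined

@dataclass
class OutbreakQuarantine:
    threshold: int                              # Threat Level Threshold (site setting)
    held: dict = field(default_factory=dict)    # msg_id -> Message still quarantined
    log: list = field(default_factory=list)     # audit trail of decisions

    def add(self, msg: Message) -> None:
        self.held[msg.msg_id] = msg

    def on_rule_update(self, rules: dict) -> list:
        """Re-evaluate every held message against newly downloaded rules.

        `rules` maps extension -> threat level (assumed format). A message whose
        revised level falls under the threshold is released immediately.
        """
        released = []
        for msg in list(self.held.values()):          # copy: we delete while looping
            msg.threat_level = rules.get(msg.extension, 0)  # assumption: no rule -> 0
            if msg.threat_level < self.threshold:
                del self.held[msg.msg_id]
                released.append(msg.msg_id)
                self.log.append((msg.msg_id, "released: level under threshold"))
        return released

    def on_av_signature_update(self) -> list:
        """New anti-virus signatures alone never release a held message."""
        self.log.append(("*", "av signatures updated: nothing released"))
        return []

def demo() -> dict:
    q = OutbreakQuarantine(threshold=3)               # constructed threshold
    q.add(Message("m1", "zip", 4))                    # constructed messages
    q.add(Message("m2", "exe", 5))
    steps = {}
    steps["av_update"] = q.on_av_signature_update()               # no effect
    steps["rules_v2"] = q.on_rule_update({"zip": 4, "exe": 5})    # levels unchanged
    steps["rules_v3"] = q.on_rule_update({"zip": 2, "exe": 5})    # zip lowered
    steps["still_held"] = sorted(q.held)
    return steps

if __name__ == "__main__":
    print(demo())
```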
Messages are also released from the Outbreak quarantine after CASE’s 
recommended retention period has elapsed. CASE calculates the retention period 
based on the message’s threat level. You can define separate maximum retention 
times for virus outbreaks and non-viral threats. If CASE’s recommended retention