Cisco Email Security Appliance X1070 User Guide
Chapter 10 Outbreak Filters
Cisco IronPort AsyncOS 7.5 for Email Configuration Guide
OL-25136-01
The SIO website provides a list of current non-viral threats, including spam,
phishing, and malware distribution attempts:
http://tools.cisco.com/security/center/home.x
Context Adaptive Scanning Engine
Outbreak Filters are powered by Cisco IronPort’s unique Context Adaptive
Scanning Engine (CASE). CASE leverages over 100,000 adaptive message
attributes tuned automatically and on a regular basis, based on real-time analysis
of messaging threats.
For virus outbreaks, CASE analyzes the message content, context and structure to
accurately determine likely Adaptive Rule triggers. CASE combines Adaptive
Rules and the real-time Outbreak Rules published by SIO to evaluate every
message and assign a unique threat level.
To detect non-viral threats, CASE scans messages for URLs and uses Outbreak
Rules from SIO to evaluate a message’s threat level if one or more URLs are
found.
Based on the message’s threat level, CASE recommends a period of time to
quarantine the message to prevent an outbreak. CASE also determines the rescan
intervals so it can reevaluate the message based on updated Outbreak Rules from
SIO. The higher the threat level, the more often it rescans the message while it is
quarantined.
CASE also rescans messages when they’re released from the quarantine. A
message can be quarantined again if CASE determines that it is spam or contains
a virus upon rescan.
For more information about CASE, see
Delaying Messages
The period between when an outbreak or email attack occurs and when software
vendors release updated rules is when your network and your users are the most
vulnerable. A modern virus can propagate globally and a malicious website can
deliver malware or collect your users’ sensitive information during this period.