Cisco Cisco Email Security Appliance C160 Guía Del Usuario
14-6
Cisco AsyncOS 8.5.6 for Email User Guide
Chapter 14 Outbreak Filters
How Outbreak Filters Work
Modifying Messages
The Outbreak Filters feature modifies the message body of a non-viral threat message not only to rewrite
the URLs but to alert the user that the message is a suspected threat. The Outbreak Filters feature can
modify the subject header and add a disclaimer about the message’s content above the message body.
See
the URLs but to alert the user that the message is a suspected threat. The Outbreak Filters feature can
modify the subject header and add a disclaimer about the message’s content above the message body.
See
for more information.
The threat disclaimer is created using the Disclaimer template through the Mail Policies > Text
Resources page. See
Resources page. See
for more information.
Types of Rules: Adaptive and Outbreak
Two types of rules are used by Outbreak Filters to detect potential outbreaks: Adaptive and Outbreak.
The Outbreak Filters feature uses these two rule sets to provide the highest efficacy and the most focused
set of criteria for threat detection to ensure that filters can be laser focused on a particular outbreak. The
Outbreak Filters rules and actions are visible to the administrator, not hidden away behind the scenes,
providing instant access to quarantined messages and the reason why they were quarantined.
The Outbreak Filters feature uses these two rule sets to provide the highest efficacy and the most focused
set of criteria for threat detection to ensure that filters can be laser focused on a particular outbreak. The
Outbreak Filters rules and actions are visible to the administrator, not hidden away behind the scenes,
providing instant access to quarantined messages and the reason why they were quarantined.
Related Topics
•
•
Outbreak Rules
Outbreak Rules are generated by the Cisco Threat Operations Center (TOC), which is a part of the Cisco
Security Intelligence Operations, and focus on the message as a whole, rather than just attachment
filetypes. Outbreak Rules use SenderBase data (real time and historical traffic data) and any combination
of message parameters such as attachment file type, file name keywords, or anti-virus engine update to
recognize and prevent outbreaks in real time. Outbreak Rules are given a unique ID used to refer to the
rule in various places in the GUI (such as the Outbreak quarantine).
Security Intelligence Operations, and focus on the message as a whole, rather than just attachment
filetypes. Outbreak Rules use SenderBase data (real time and historical traffic data) and any combination
of message parameters such as attachment file type, file name keywords, or anti-virus engine update to
recognize and prevent outbreaks in real time. Outbreak Rules are given a unique ID used to refer to the
rule in various places in the GUI (such as the Outbreak quarantine).
Real-time data from the global SenderBase network is then compared to this baseline, identifying
anomalies that are proven predictors of an outbreak. The TOC reviews the data and issues a threat
indicator or Threat Level. The Threat Level is a numeric value between 0 (no threat) and 5 (extremely
risky), and measures the likelihood that a message is a threat for which no other gateway defense is
widely deployed by Cisco customers (for more information, see
anomalies that are proven predictors of an outbreak. The TOC reviews the data and issues a threat
indicator or Threat Level. The Threat Level is a numeric value between 0 (no threat) and 5 (extremely
risky), and measures the likelihood that a message is a threat for which no other gateway defense is
widely deployed by Cisco customers (for more information, see
). Threat Levels
are published as Outbreak Rules by the TOC.
Some example characteristics that can be combined in Outbreak Rules include:
•
File Type, File Type & Size, File Type & File Name Keyword, etc.
•
File Name Keyword & File Size
•
File Name Keyword
•
Message URL
•
File Name & Sophos IDE