Cisco Email Security Appliance C650 User Guide
14-8
Cisco AsyncOS 8.0 for Email User Guide
Chapter 14 Outbreak Filters
How the Outbreak Filters Feature Works
Email messages pass through a series of steps, the “email pipeline,” when being processed by your Cisco
appliance (for more information about the email pipeline, see
). As the messages proceed through the email pipeline, they are run through the anti-spam and
anti-virus scanning engines if those engines are enabled for that mail policy. In other words, known spam
or messages containing recognized viruses are not scanned by the Outbreak Filters feature because they
will have already been removed from the mail stream — deleted, quarantined, etc. — based on your
anti-spam and anti-virus settings. Messages that arrive at the Outbreak Filters feature have therefore
been marked spam- and virus-free. Note that a message quarantined by Outbreak Filters may be marked
as spam or containing a virus when it is released from the quarantine and rescanned by CASE, based on
updated spam rules and virus definitions.
Note
Messages that skip anti-spam and anti-virus scanning due to filters or the engines being disabled will
still be scanned by Outbreak Filters.
Message Scoring
When a new virus attack or non-viral threat is released into the wild, no anti-virus or anti-spam software
is able to recognize the threat yet, so this is where the Outbreak Filters feature can be invaluable.
Incoming messages are scanned and scored by CASE using the published Outbreak and Adaptive Rules
(see
). The message score corresponds with the
message’s threat level. Based on which, if any, rules the message matches, CASE assigns the
corresponding threat level. If there is no associated threat level (the message does not match any rules),
then the message is assigned a threat level of 0.
Once that calculation has been completed, the Email Security appliance checks whether the threat level
of that message meets or exceeds your quarantine or message modification threshold value and
quarantines the message or rewrites its URLs. If the threat level is below the thresholds, the message is passed
along for further processing in the pipeline.
Additionally, CASE reevaluates existing quarantined messages against the latest rules to determine the
latest threat level of a message. This ensures that only messages that have a threat level consistent with
an outbreak message stay within the quarantine and messages that are no longer a threat flow out of the
quarantine after an automatic reevaluation.
In the case of multiple scores for an outbreak message — one score from an Adaptive Rule (or the highest
score if multiple Adaptive Rules apply), and another score from an Outbreak Rule (or the highest score
if multiple Outbreak Rules apply) — intelligent algorithms are used to determine the final threat level.
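The following Python model is an added illustration of the scoring and threshold decision described above; it is not Cisco code. The rule names, sample messages, thresholds, and the rule used to combine Adaptive and Outbreak scores (the guide only says "intelligent algorithms") are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class Rule:
    name: str
    kind: str                        # "outbreak" or "adaptive"
    threat_level: int                # score assigned when the rule matches
    matches: Callable[[dict], bool]  # predicate over a message dict


def score_message(msg, rules, adaptive_enabled=True):
    """Threat level of a message: highest score among matching Outbreak Rules
    and (when enabled) Adaptive Rules; 0 when no rule matches."""
    outbreak = [r.threat_level for r in rules if r.kind == "outbreak" and r.matches(msg)]
    adaptive = [r.threat_level for r in rules
                if adaptive_enabled and r.kind == "adaptive" and r.matches(msg)]
    # Assumption: the final level is the higher of the two per-category maxima.
    return max(outbreak + adaptive, default=0)


def decide(level, quarantine_threshold, modify_threshold):
    """Pipeline action: quarantine first, else rewrite URLs, else deliver."""
    if level >= quarantine_threshold:
        return "quarantine"
    if level >= modify_threshold:
        return "rewrite_urls"
    return "deliver"


def reevaluate(quarantined, rules, quarantine_threshold):
    """Rescore held messages against the latest rules; return (kept, released) ids."""
    kept, released = [], []
    for msg in quarantined:
        (kept if score_message(msg, rules) >= quarantine_threshold else released).append(msg["id"])
    return kept, released


# Constructed sample rules and messages (hypothetical, not from the guide).
RULES_V1 = [
    Rule("exe-attachment", "outbreak", 4, lambda m: m["attachment_ext"] == "exe"),
    Rule("zip-attachment", "outbreak", 3, lambda m: m["attachment_ext"] == "zip"),
    Rule("new-domain-url", "adaptive", 3, lambda m: m["has_new_domain_url"]),
]
MESSAGES = [
    {"id": "m1", "attachment_ext": "exe", "has_new_domain_url": False},
    {"id": "m2", "attachment_ext": None, "has_new_domain_url": True},
    {"id": "m3", "attachment_ext": None, "has_new_domain_url": False},
]
Q_THRESHOLD, MOD_THRESHOLD = 4, 3
# Later rule update: the .exe outbreak has subsided, so its score is lowered.
RULES_V2 = [Rule("exe-attachment", "outbreak", 2, lambda m: m["attachment_ext"] == "exe")] + RULES_V1[1:]


def run_pipeline(messages=MESSAGES, rules=RULES_V1):
    return {m["id"]: decide(score_message(m, rules), Q_THRESHOLD, MOD_THRESHOLD) for m in messages}
```

Running `run_pipeline()` quarantines m1, rewrites URLs in m2 and delivers m3; `reevaluate([MESSAGES[0]], RULES_V2, Q_THRESHOLD)` then releases m1 once the updated rule drops its level below the quarantine threshold.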
Note
It is possible to use the Outbreak Filters feature without having enabled anti-virus scanning on the Cisco
appliance. The two security services are designed to complement each other, but will also work
separately. That said, if you do not enable anti-virus scanning on your Cisco appliance, you will need to
monitor your anti-virus vendor’s updates and manually release or re-evaluate some messages in the
Outbreak quarantine. When using Outbreak Filters without anti-virus scanning enabled, keep the
following in mind:
• You should disable Adaptive Rules
• Messages will get quarantined by Outbreak Rules
• Messages will get released if the threat level is lowered or time expires
• Downstream anti-virus vendors (desktops/groupware) may catch the message on release.