Cisco Email Security Appliance C650 User Guide
14-10
Cisco AsyncOS 8.5 for Email User Guide
Chapter 14 Outbreak Filters
Managing Outbreak Filters (GUI)
Messages released from the Outbreak quarantine are scanned by the anti-virus and anti-spam engines
again if they are enabled for the mail policy. If the message is now marked as a known virus or spam, it
will be subject to your mail policy settings (including a possible second quarantining in the Virus
quarantine or Spam quarantine). For more information, see
Thus it is important to note that in a message's lifetime, it may actually be quarantined twice — once
due to the Outbreak Filters feature, and once when it is released from the Outbreak quarantine. A
message will not be subject to a second quarantine if the verdicts from each scan (prior to Outbreak
Filters, and when released from the Outbreak quarantine) match. Also note that the Outbreak Filters
feature does not take any final actions on messages. The Outbreak Filters feature will either quarantine
a message (for further processing) or move the message along to the next step in the pipeline.
Outbreak Lifecycle and Rules Publishing
Very early in a virus outbreak’s lifecycle, broader rules are used to quarantine messages. As more
information becomes available, increasingly focused rules are published, narrowing the definition of
what is quarantined. As the new rules are published, messages that are no longer considered possible
virus messages are released from quarantine (messages in the outbreak quarantine are rescanned as new
rules are published).
Managing Outbreak Filters (GUI)
Log in to the Graphical User Interface (GUI), select Security Services in the menu, and click Outbreak
Filters.
Table 14-3 Example Rules for an Outbreak Lifecycle

| Time      | Rule Type                               | Rule Description                                                                                  | Action                                                                                      |
|-----------|-----------------------------------------|---------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------|
| T=0       | Adaptive Rule (based on past outbreaks) | A consolidated rule set based on over 100K message attributes, which analyzes message content, context and structure | Messages are automatically quarantined if they match Adaptive Rules                          |
| T=5 min   | Outbreak Rule                           | Quarantine messages containing .zip (exe) files                                                   | Quarantine all attachments that are .zips containing a .exe                                 |
| T=10 min  | Outbreak Rule                           | Quarantine messages that have .zip (exe) files greater than 50 KB                                 | Any message with .zip (exe) files that are less than 50 KB would be released from quarantine |
| T=20 min  | Outbreak Rule                           | Quarantine messages that have .zip (exe) files between 50 to 55 KB, and have “Price” in the file name | Any message that does not match this criteria would be released from quarantine             |
| T=12 hours | Outbreak Rule                          | Scan against new signature                                                                        | All remaining messages are scanned against the latest anti-virus signature                  |
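The rule-narrowing lifecycle of Table 14-3, together with the earlier note that a released message is rescanned and may be quarantined a second time only when the verdict changes, as an added Python simulation. This is example code written for this page, not Cisco code and not how AsyncOS is implemented internally; the message attributes, the rule predicates and the sample messages are all constructed for illustration.

```python
# Added example (not Cisco code): simulates how successively narrower
# Outbreak Rules release messages from the Outbreak quarantine on rescan,
# following the example lifecycle in Table 14-3. All attributes, predicates
# and sample messages below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Message:
    msg_id: str
    has_zip_with_exe: bool      # attachment is a .zip that contains a .exe
    attachment_kb: int          # size of that attachment in KB
    attachment_name: str
    adaptive_hit: bool = False  # constructed stand-in for "matches Adaptive Rules"


# Each entry: (time published, rule description, predicate that is True when a
# message still matches the rule and therefore stays in quarantine). The T=12 h
# anti-virus signature scan of Table 14-3 is represented by the final disposition.
LIFECYCLE = [
    ("T=0", "Adaptive Rule",
     lambda m: m.adaptive_hit),
    ("T=5 min", "Outbreak Rule: .zip (exe) files",
     lambda m: m.has_zip_with_exe),
    ("T=10 min", "Outbreak Rule: .zip (exe) files > 50 KB",
     lambda m: m.has_zip_with_exe and m.attachment_kb > 50),
    ("T=20 min", "Outbreak Rule: .zip (exe) 50-55 KB with 'Price' in name",
     lambda m: m.has_zip_with_exe and 50 <= m.attachment_kb <= 55
     and "price" in m.attachment_name.lower()),
]


def run_lifecycle(messages, lifecycle=LIFECYCLE):
    """Return {msg_id: disposition}: 'released at <time>' when a rescan against
    a newly published rule no longer matches, 'never quarantined' if the first
    rule did not match, or 'held for signature scan' if it still matches the
    narrowest rule at the end of the lifecycle."""
    _, _, first_rule = lifecycle[0]
    held = {m.msg_id: m for m in messages if first_rule(m)}
    result = {m.msg_id: "never quarantined" for m in messages if m.msg_id not in held}
    for time_label, _desc, rule in lifecycle[1:]:
        # A narrower rule was published: rescan everything still held and
        # release whatever no longer matches the new definition.
        for msg_id, m in list(held.items()):
            if not rule(m):
                result[msg_id] = f"released at {time_label}"
                del held[msg_id]
    for msg_id in held:
        result[msg_id] = "held for signature scan"
    return result


def needs_second_quarantine(verdict_before, verdict_after,
                            policy_quarantines=("virus", "spam")):
    """Model the note on released messages: after release from the Outbreak
    quarantine the anti-virus and anti-spam engines scan again, and a second
    quarantine happens only if the new verdict differs from the verdict taken
    before Outbreak Filters and the mail policy quarantines that verdict."""
    return verdict_after != verdict_before and verdict_after in policy_quarantines


# Constructed sample messages; all but m6 are caught by the Adaptive Rule at T=0.
SAMPLE = [
    Message("m1", False, 0, "notes.txt", adaptive_hit=True),
    Message("m2", True, 30, "invoice.zip", adaptive_hit=True),
    Message("m3", True, 60, "Price_2024.zip", adaptive_hit=True),
    Message("m4", True, 52, "Price_list.zip", adaptive_hit=True),
    Message("m5", True, 53, "photos.zip", adaptive_hit=True),
    Message("m6", True, 52, "Price_list.zip", adaptive_hit=False),
]

if __name__ == "__main__":
    for msg_id, disposition in run_lifecycle(SAMPLE).items():
        print(f"{msg_id}: {disposition}")
    print("clean -> virus needs second quarantine:", needs_second_quarantine("clean", "virus"))
    print("spam -> spam needs second quarantine:", needs_second_quarantine("spam", "spam"))
```

The simulation follows only the rescan path for messages already held when each rule is published; a message arriving after a rule is published (such as m6) would be checked against whatever rule is current at that time, which the model does not cover. Running it shows m1 released at T=5 min, m2 at T=10 min, m3 and m5 at T=20 min, and m4 still held for the T=12 hour signature scan.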