Cisco Email Security Appliance C160 User Guide
Cisco AsyncOS 8.5 for Email User Guide
Chapter 14 Outbreak Filters
How Outbreak Filters Work
Threat Levels
provides a basic set of guidelines or definitions for each of the various levels.
For more information about threat levels and outbreak rules, see
.
Guidelines for Setting Your Quarantine Threat Level Threshold
The quarantine threat level threshold allows administrators to be more or less aggressive in quarantining
suspicious messages. A low setting (1 or 2) is more aggressive and will quarantine more messages;
conversely, a higher score (4 or 5) is less aggressive and will only quarantine messages with an extremely
high likelihood of being malicious.
The same threshold applies to both virus outbreaks and non-virus threats, but you can specify different
quarantine retention times for virus attacks and other threats. See
more information.
Cisco recommends the default value of 3.
Containers: Specific and Always Rules
Container files are files, such as zipped (.zip) archives, that contain other files. The TOC can publish
rules that deal with specific files within archive files.
For example, if a virus outbreak is identified by TOC to consist of a .zip file containing a .exe, a specific
Outbreak Rule is published that sets a threat level for .exe files within .zip files (.zip(exe)), but does not
set a specific threat level for any other file type contained within .zip files (e.g. .txt files). A second rule
(.zip(*)) covers all other file types within that container file type. An Always rule for a container will
always be used in a message's Threat Level calculation regardless of the types of files that are inside a
container. An always rule will be published by the SIO if all such container types are known to be
dangerous.
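The following is an added example written for this page, not Cisco AsyncOS code, showing how the rule types described above (a specific rule such as .zip(exe), the .zip(*) fallback rule, and an Always rule for a container type) contribute to a message's Threat Level, and how that level is then compared against the quarantine threat level threshold. The rule set, the fallback and Always levels, the sample message contents, and the choice to combine matched rules by taking the highest level are all assumptions; the page gives only the .zip(exe) level of 4 and the recommended threshold of 3.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added illustrative model of Outbreak Rule matching. Not AsyncOS code.


@dataclass(frozen=True)
class OutbreakRule:
    """One Outbreak Rule for a container type.

    inner is a file type such as "exe" (specific rule), "*" for the fallback
    rule covering all other file types in the container, or None for an
    Always rule that applies regardless of what the container holds.
    threat_level follows the 0-5 scale of Table 14-1.
    """
    container: str
    inner: Optional[str]
    threat_level: int


# Constructed rule set. Only .zip(exe) -> 4 comes from the page; the fallback
# level and the Always rule for .rar are assumptions for illustration.
RULES = [
    OutbreakRule("zip", "exe", 4),   # specific rule: .zip(exe)
    OutbreakRule("zip", "*", 2),     # fallback rule: .zip(*), any other type
    OutbreakRule("rar", None, 5),    # Always rule: every .rar, whatever it holds
]


def rule_name(rule: OutbreakRule) -> str:
    """Render a rule in the .container(inner) notation used on the page."""
    if rule.inner is None:
        return f".{rule.container}(always)"
    return f".{rule.container}({rule.inner})"


def matching_rules(container: str, inner_types: List[str],
                   rules: List[OutbreakRule] = RULES) -> List[OutbreakRule]:
    """Return the rules that count toward the Threat Level for one container.

    An Always rule for the container type is included unconditionally. For
    each file inside, the specific rule wins; the .container(*) fallback is
    used only when no specific rule exists for that file type.
    """
    by_key = {(r.container, r.inner): r for r in rules}
    matched = []
    always = by_key.get((container, None))
    if always is not None:
        matched.append(always)
    for inner in inner_types:
        rule = by_key.get((container, inner)) or by_key.get((container, "*"))
        if rule is not None:
            matched.append(rule)
    return matched


def message_threat_level(containers: Dict[str, List[str]],
                         rules: List[OutbreakRule] = RULES) -> int:
    """Threat Level for a message, given {container_type: [inner file types]}.

    Taking the highest level among all matched rules is an assumption; the
    page says only that Always rules are always part of the calculation.
    A message matching no rule scores 0 (Table 14-1: no risk).
    """
    level = 0
    for container, inner_types in containers.items():
        for rule in matching_rules(container, inner_types, rules):
            level = max(level, rule.threat_level)
    return level


def should_quarantine(level: int, threshold: int = 3) -> bool:
    """Quarantine when the message's level reaches the threshold.

    A low threshold (1 or 2) quarantines more messages; a high one (4 or 5)
    quarantines only messages scored as near-certain threats. 3 is the
    default the page recommends.
    """
    if not 1 <= threshold <= 5:
        raise ValueError("threshold must be between 1 and 5")
    return level >= threshold


if __name__ == "__main__":
    # Constructed sample messages, keyed by a label for display.
    samples = {
        "zip with exe and txt": {"zip": ["exe", "txt"]},
        "zip with txt only": {"zip": ["txt"]},
        "rar, contents unknown": {"rar": []},
        "7z with exe (no rule)": {"7z": ["exe"]},
    }
    for label, containers in samples.items():
        lvl = message_threat_level(containers)
        names = [rule_name(r) for c, t in containers.items()
                 for r in matching_rules(c, t)]
        print(f"{label:24s} level={lvl} rules={names} "
              f"quarantine@3={should_quarantine(lvl)}")
```

The decision boundary is the point to check when tuning the threshold: with the constructed rules a .zip holding only .txt files scores 2, so it is released at the default threshold of 3 but quarantined at a threshold of 2, which is exactly the "more aggressive" behaviour the guidelines describe for low settings.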
Table 14-1 Threat Level Definitions

Level  Risk        Meaning
0      None        There is no risk that the message is a threat.
1      Low         The risk that the message is a threat is low.
2      Low/Medium  The risk that the message is a threat is low to medium. It is a “suspected” threat.
3      Medium      Either the message is part of a confirmed outbreak or there is a medium to large risk of its content being a threat.
4      High        Either the message is confirmed to be part of a large scale outbreak or its content is very dangerous.
5      Extreme     The message’s content is confirmed to be part of an outbreak that is either extremely large scale or large scale and extremely dangerous.
Table 14-2 Fallback Rules and Threat Level Scores

Outbreak Rule  Threat Level  Description
.zip(exe)      4             This rule sets a threat level of 4 for .exe files within .zip files.