Cisco Cisco Email Security Appliance X1050 Guía Del Usuario
14-6
Cisco AsyncOS 8.5 for Email User Guide
Chapter 14 Outbreak Filters
How Outbreak Filters Work
Real-time data from the global SenderBase network is then compared to this baseline, identifying
anomalies that are proven predictors of an outbreak. The TOC reviews the data and issues a threat
indicator or Threat Level. The Threat Level is a numeric value between 0 (no threat) and 5 (extremely
risky), and measures the likelihood that a message is a threat for which no other gateway defense is
widely deployed by Cisco customers (for more information, see
anomalies that are proven predictors of an outbreak. The TOC reviews the data and issues a threat
indicator or Threat Level. The Threat Level is a numeric value between 0 (no threat) and 5 (extremely
risky), and measures the likelihood that a message is a threat for which no other gateway defense is
widely deployed by Cisco customers (for more information, see
). Threat Levels
are published as Outbreak Rules by the TOC.
Some example characteristics that can be combined in Outbreak Rules include:
•
File Type, File Type & Size, File Type & File Name Keyword, etc.
•
File Name Keyword & File Size
•
File Name Keyword
•
Message URL
•
File Name & Sophos IDE
Adaptive Rules
Adaptive Rules are a set of rules within CASE that accurately compare message attributes to attributes
of known virus outbreak messages. These rules have been created after studying known threat messages
and known good messages within an extensive virus corpus. Adaptive Rules are updated often as the
corpus is evaluated. They complement existing Outbreak Rules to detect outbreak messages at all times.
While Outbreak Rules take effect when a possible outbreak is occurring, Adaptive Rules (once enabled)
are “always on,” catching outbreak messages locally before the full anomaly has formed on a global
basis. Additionally, Adaptive Rules continuously respond to small and subtle changes in email traffic
and structure, providing updated protection to customers.
of known virus outbreak messages. These rules have been created after studying known threat messages
and known good messages within an extensive virus corpus. Adaptive Rules are updated often as the
corpus is evaluated. They complement existing Outbreak Rules to detect outbreak messages at all times.
While Outbreak Rules take effect when a possible outbreak is occurring, Adaptive Rules (once enabled)
are “always on,” catching outbreak messages locally before the full anomaly has formed on a global
basis. Additionally, Adaptive Rules continuously respond to small and subtle changes in email traffic
and structure, providing updated protection to customers.
Outbreaks
A Outbreak Filter rule is basically a Threat Level (e.g. 4) associated with a set of characteristics for an
email message and attachment — things such as file size, file type, file name, message content, and so
on. For example, assume the Cisco SIO notices an increase in the occurrences of a suspicious email
message carrying a .exe attachment that is 143 kilobytes in size, and whose file name includes a specific
keyword (“hello” for example). An Outbreak Rule is published increasing the Threat Level for messages
matching this criteria. Your appliance checks for and downloads newly published Outbreak and Adaptive
Rules every 5 minutes by default (see
email message and attachment — things such as file size, file type, file name, message content, and so
on. For example, assume the Cisco SIO notices an increase in the occurrences of a suspicious email
message carrying a .exe attachment that is 143 kilobytes in size, and whose file name includes a specific
keyword (“hello” for example). An Outbreak Rule is published increasing the Threat Level for messages
matching this criteria. Your appliance checks for and downloads newly published Outbreak and Adaptive
Rules every 5 minutes by default (see
). Adaptive Rules are
updated less frequently than Outbreak Rules. On the appliance, you set a threshold for quarantining
suspicous messages. If the Threat Level for a message equals or exceeds the quarantine threshold, the
message is sent to the Outbreak quarantine area. You can also set up a threshold for modifying non-viral
threat messages to rewrite any URLs found in suspicious messages or add a notification at the top of
message body.
suspicous messages. If the Threat Level for a message equals or exceeds the quarantine threshold, the
message is sent to the Outbreak quarantine area. You can also set up a threshold for modifying non-viral
threat messages to rewrite any URLs found in suspicious messages or add a notification at the top of
message body.