Cisco Email Security Appliance C650 User Guide
10-3
Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 10 Outbreak Filters
Phishing, Malware Distribution, and Other Non-Viral Threats
Messages containing non-viral threats are designed to look like messages from legitimate sources and are
often sent out to a small number of recipients. These messages may have one or more of the following
characteristics in order to appear trustworthy:
• The recipient’s contact information.
• HTML content designed to mimic emails from legitimate sources, such as social networks and
online retailers.
• URLs pointing to websites that have new IP addresses and are online only for a short time, which
means that email and web security services do not have enough information on the website to
determine if it is malicious.
• URLs pointing to URL shortening services.
All of these characteristics make these messages more difficult to detect as spam. The Outbreak Filters
feature provides a multi-layer defense from these non-viral threats to prevent your users from
downloading malware or providing personal information to suspicious new websites.
If CASE discovers URLs in the message, it compares the message to existing Outbreak Rules to
determine if the message is part of a small-scale non-viral outbreak and then assigns a threat level.
Depending on the threat level, the Email Security appliance delays delivery to the recipient until more
threat data can be gathered and rewrites the URLs in the message to redirect the recipient to the Cisco
web security proxy if they attempt to access the website. The proxy displays a splash page warning the
user that the website may contain malware.
Outbreak Filters - Multi-Layered Targeted Protection
The Outbreak Filters feature uses three tactics to protect your users from outbreaks:
• Delay. The Outbreak Filters feature delays a message that may be part of a virus outbreak or
non-viral attack by quarantining it. While the message is quarantined, CASE receives updated Outbreak
Rules and rescans the message to confirm whether it is part of an attack. CASE determines
the rescan period based on the message’s threat level. See
for more information.
• Redirect. Based on the threat level, Outbreak Filters rewrites the URLs in non-viral attack messages
to redirect the recipient through the Cisco web security proxy if they attempt to access any of the
linked websites. The proxy displays a splash screen that warns the user that the website may contain
malware, if the website is still operational, or displays an error message if the website has been taken
offline. See
for more information on redirecting URLs.
• Modify. In addition to rewriting URLs in non-viral threat messages, Outbreak Filters can modify a
message’s subject and add a disclaimer above the message body to warn users about the message’s
content. See
for more information.
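The following Python model is an added illustration of the Redirect and Modify tactics and of the URL characteristics listed earlier; it is not Cisco's code and does not reproduce the appliance's actual implementation. The proxy endpoint, the shortener list and the sample message are constructed placeholders.

```python
import re
from urllib.parse import quote, urlparse

# Constructed placeholders: NOT the real Cisco web security proxy endpoint,
# and the shortener list is only a small illustrative sample.
PROXY_BASE = "https://proxy.example.invalid/redirect?url="
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def has_outbreak_url_traits(url):
    """True if the URL shows a trait the guide lists: a bare-IP host
    (a newly stood-up site with no reputation yet) or a URL shortener."""
    host = (urlparse(url).hostname or "").lower()
    return bool(IPV4_RE.fullmatch(host)) or host in URL_SHORTENERS

def redirect_through_proxy(url):
    """Redirect tactic: the click goes to the proxy, original URL as a parameter."""
    return PROXY_BASE + quote(url, safe="")

def rewrite_urls(body):
    """Rewrite every URL in the body; return (new_body, urls_with_traits)."""
    flagged = []
    def repl(m):
        url = m.group(0).rstrip(".,;)")      # keep sentence punctuation out of the URL
        tail = m.group(0)[len(url):]
        if has_outbreak_url_traits(url):
            flagged.append(url)
        return redirect_through_proxy(url) + tail
    return URL_RE.sub(repl, body), flagged

DISCLAIMER = ("[Warning: links in this message have been rewritten to pass through "
              "a web security proxy because it may be part of a phishing outbreak.]\n\n")

def modify_message(subject, body):
    """Modify tactic: tag the subject and place a disclaimer above the rewritten body."""
    new_body, _ = rewrite_urls(body)
    return "[SUSPECTED PHISHING] " + subject, DISCLAIMER + new_body

# Constructed sample message, not a real capture.
SAMPLE_BODY = ("Dear Alice, confirm your account at http://203.0.113.7/login, "
               "or use http://bit.ly/x9Q2 and see https://www.example.com/news.")

if __name__ == "__main__":
    subj, body = modify_message("Account notice", SAMPLE_BODY)
    print(subj)
    print(body)
```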
Cisco Security Intelligence Operations
Cisco Security Intelligence Operations (SIO) is a security ecosystem that connects global threat
information, reputation-based services, and sophisticated analysis to Cisco security appliances to
provide stronger protection with faster response times.
SIO consists of three components: