Cisco Email Security Appliance C650 User Guide
10-7
Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 10 Outbreak Filters
(once enabled) are “always on,” catching outbreak messages locally before the full anomaly has formed
on a global basis. Additionally, Adaptive Rules continuously respond to small and subtle changes in
email traffic and structure, providing updated protection to customers.
Outbreaks
An Outbreak Filter rule is basically a Threat Level (e.g. 4) associated with a set of characteristics for an
email message and attachment — things such as file size, file type, file name, message content, and so
on. For example, assume the Cisco IronPort SIO notices an increase in the occurrences of a suspicious
email message carrying a .exe attachment that is 143 kilobytes in size, and whose file name includes a
specific keyword (“hello” for example). An Outbreak Rule is published increasing the Threat Level for
messages matching these criteria. Your Cisco IronPort appliance checks for and downloads newly
published Outbreak and Adaptive Rules every 5 minutes by default (see
). Adaptive Rules are updated less frequently than Outbreak Rules. On the Cisco IronPort
appliance, you set a threshold for quarantining suspicious messages. If the Threat Level for a message
equals or exceeds the quarantine threshold, the message is sent to the Outbreak quarantine area. You can
also set up a threshold for modifying non-viral threat messages to rewrite any URLs found in suspicious
messages or add a notification at the top of the message body.
Threat Levels
provides a basic set of guidelines or definitions for each of the various levels.
For more information about threat levels and outbreak rules, see
.
Guidelines for Setting Your Quarantine Threat Level Threshold
The quarantine threat level threshold allows administrators to be more or less aggressive in quarantining
suspicious messages. A low setting (1 or 2) is more aggressive and will quarantine more messages;
conversely, a higher score (4 or 5) is less aggressive and will only quarantine messages with an extremely
high likelihood of being malicious.
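The rule-matching and threshold logic described in the two passages above (an Outbreak Rule as a Threat Level tied to message characteristics, a quarantine threshold compared against that level, a lower modify threshold for non-viral messages, and the effect of a more or less aggressive threshold setting) is modelled here as an added example. It is not AsyncOS code and does not use AsyncOS rule syntax: the rule and message field names, the sample rules and messages, the URL-rewrite form, and the threshold values 3 and 2 are all assumptions constructed for the example; only the 143 KB .exe "hello" rule at level 4 and the threshold semantics come from the guide.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of an Outbreak Rule: a Threat Level (0-5, as in Table 10-1)
# tied to message and attachment characteristics. Field names are assumptions
# made for this example, not AsyncOS rule syntax.
@dataclass
class OutbreakRule:
    name: str
    threat_level: int
    attachment_ext: Optional[str] = None      # e.g. ".exe"
    attachment_size_kb: Optional[int] = None  # size in whole kilobytes
    filename_keyword: Optional[str] = None    # substring of the attachment name
    body_keyword: Optional[str] = None        # substring of the message body

@dataclass
class Message:
    body: str
    attachment_name: Optional[str] = None
    attachment_size: int = 0                  # bytes

def rule_matches(rule: OutbreakRule, msg: Message) -> bool:
    """Every characteristic the rule specifies must be present on the message."""
    name = (msg.attachment_name or "").lower()
    if rule.attachment_ext is not None and not name.endswith(rule.attachment_ext):
        return False
    if rule.attachment_size_kb is not None and msg.attachment_size // 1024 != rule.attachment_size_kb:
        return False
    if rule.filename_keyword is not None and rule.filename_keyword not in name:
        return False
    if rule.body_keyword is not None and rule.body_keyword not in msg.body.lower():
        return False
    return True

def threat_level(rules: List[OutbreakRule], msg: Message) -> int:
    """The message's Threat Level is the highest level of any matching rule; 0 means no risk."""
    return max((r.threat_level for r in rules if rule_matches(r, msg)), default=0)

URL_RE = re.compile(r"https?://\S+")
# Constructed notification text; the real appliance inserts its own notice.
NOTICE = "[Outbreak Filters: this message may be a threat; links have been rewritten]\n"

def disposition(level: int, msg: Message,
                quarantine_threshold: int, modify_threshold: int) -> Tuple[str, str]:
    """Quarantine when the level equals or exceeds the quarantine threshold;
    otherwise, at or above the modify threshold, rewrite URLs and prepend a
    notice; anything lower is delivered unchanged."""
    if level >= quarantine_threshold:
        return "quarantine", msg.body
    if level >= modify_threshold:
        body = URL_RE.sub(lambda m: "[rewritten: " + m.group(0) + "]", msg.body)
        return "modify", NOTICE + body
    return "deliver", msg.body

def quarantined_count(rules: List[OutbreakRule], messages: List[Message],
                      quarantine_threshold: int) -> int:
    """How many messages a given threshold would quarantine (lower = more aggressive)."""
    return sum(1 for m in messages if threat_level(rules, m) >= quarantine_threshold)

# Constructed sample rules: the first mirrors the guide's 143 KB .exe "hello" example.
SAMPLE_RULES = [
    OutbreakRule("exe-hello-143k", 4, attachment_ext=".exe",
                 attachment_size_kb=143, filename_keyword="hello"),
    OutbreakRule("invoice-link", 2, body_keyword="invoice"),
]
# Constructed sample traffic.
SAMPLE_MESSAGES = [
    Message("Please open the attachment.", "hello_friend.exe", 143 * 1024 + 300),
    Message("Your invoice is ready: http://pay.example.invalid/i/42"),
    Message("Lunch on Friday?"),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        lvl = threat_level(SAMPLE_RULES, m)
        action, _ = disposition(lvl, m, quarantine_threshold=3, modify_threshold=2)
        print(lvl, action)
    for t in (1, 3, 5):
        print("threshold", t, "quarantines", quarantined_count(SAMPLE_RULES, SAMPLE_MESSAGES, t))
```

Running it shows the three outcomes side by side: the .exe message reaches level 4 and is quarantined, the invoice message reaches level 2 (a "suspected" threat) and only has its link rewritten, and the harmless message is delivered. The final loop makes the aggressiveness guideline concrete: a threshold of 1 quarantines both flagged messages, 3 only the level-4 one, and 5 none of them.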
Table 10-1 Threat Level Definitions

Level  Risk        Meaning
0      None        There is no risk that the message is a threat.
1      Low         The risk that the message is a threat is low.
2      Low/Medium  The risk that the message is a threat is low to medium. It is a “suspected” threat.
3      Medium      Either the message is part of a confirmed outbreak or there is a medium to large risk of its content being a threat.
4      High        Either the message is confirmed to be part of a large scale outbreak or its content is very dangerous.
5      Extreme     The message’s content is confirmed to be part of an outbreak that is either extremely large scale or large scale and extremely dangerous.