Cisco Email Security Appliance C650 User Guide
10-9
Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 10 Outbreak Filters
message’s threat level. Based on which, if any, rules the message matches, CASE assigns the
corresponding threat level. If there is no associated threat level (the message does not match any rules),
then the message is assigned a threat level of 0.
Once that calculation has been completed, the Email Security appliance checks whether the threat level
of that message meets or exceeds your quarantine or message modification threshold value and
quarantines the message or rewrites its URLs. If the threat level is below the thresholds, it will be passed
along for further processing in the pipeline.
Additionally, CASE reevaluates existing quarantined messages against the latest rules to determine the
latest threat level of a message. This ensures that only messages that have a threat level consistent with
an outbreak message stay within the quarantine and messages that are no longer a threat flow out of the
quarantine after an automatic reevaluation.
In the case of multiple scores for an outbreak message — one score from an Adaptive Rule (or the highest
score if multiple Adaptive Rules apply), and another score from an Outbreak Rule (or the highest score
if multiple Outbreak Rules apply) — intelligent algorithms are used to determine the final threat level.
Note
It is possible to use the Outbreak Filters feature without having enabled anti-virus scanning on the Cisco
IronPort appliance. The two security services are designed to complement each other, but will also work
separately. That said, if you do not enable anti-virus scanning on your Cisco IronPort appliance, you will
need to monitor your anti-virus vendor’s updates and manually release or re-evaluate some messages in
the Outbreak quarantine. When using Outbreak Filters without anti-virus scanning enabled, keep the
following in mind:
• You should disable Adaptive Rules
• Messages will get quarantined by Outbreak Rules
• Messages will get released if the threat level is lowered or time expires
• Downstream anti-virus vendors (desktops/groupware) may catch the message on release.
Note
Anti-spam scanning needs to be enabled globally on an appliance in order for the Outbreak Filters
feature to scan for non-viral threats.
Dynamic Quarantine
The Outbreak Filters feature’s Outbreak quarantine is a temporary holding area used to store messages
until they’re confirmed to be threats or it’s safe to deliver to users. (See
for more information.) Quarantined messages can be released from the Outbreak
quarantine in several ways. As new rules are downloaded, messages in the Outbreak quarantine are
reevaluated based on a recommended rescan interval calculated by CASE. If the revised threat level of
a message falls under the quarantine retention threshold, the message will automatically be released
(regardless of the Outbreak quarantine’s settings), thereby minimizing the time it spends in the
quarantine. If new rules are published while messages are being re-evaluated, the rescan is restarted.
Please note that messages quarantined as virus attacks are not automatically released from the outbreak
quarantine when new anti-virus signatures are available. New rules may or may not reference new
anti-virus signatures; however, messages will not be released due to an anti-virus engine update unless
an Outbreak Rule changes the threat level of the message to a score lower than your Threat Level
Threshold.
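The following Python model is an added illustration, not Cisco code and not the CASE engine, of the two behaviours described above: the threat-level calculation and threshold decision (quarantine, URL rewrite, or pass along), and the Dynamic Quarantine rescan in which a message is released only when a rule update lowers its threat level below the retention threshold, while an anti-virus engine update alone releases nothing. The rule names, messages, threshold values and the use of the higher of the Outbreak and Adaptive scores as the final level are all assumptions made for the example (the guide says only that "intelligent algorithms" combine the two scores).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


# Constructed sample data (not from the Cisco guide): messages carry only the
# attributes that the hypothetical rules below inspect.
@dataclass
class Message:
    msg_id: str
    subject: str
    attachment_ext: str            # e.g. ".zip"; "" when there is no attachment
    urls: List[str] = field(default_factory=list)
    urls_rewritten: bool = False


@dataclass
class Rule:
    name: str                      # hypothetical rule names, not real Outbreak Rules
    kind: str                      # "outbreak" (published rule) or "adaptive"
    threat_level: int
    matches: Callable[[Message], bool]


def score_message(msg: Message, rules: List[Rule], adaptive_enabled: bool = True) -> Tuple[int, int]:
    """Highest Outbreak Rule score and highest Adaptive Rule score for a message.
    A message matching no rule of a kind scores 0 for that kind, as the guide states."""
    outbreak = max((r.threat_level for r in rules if r.kind == "outbreak" and r.matches(msg)), default=0)
    adaptive = 0
    if adaptive_enabled:   # the guide recommends disabling Adaptive Rules when anti-virus scanning is off
        adaptive = max((r.threat_level for r in rules if r.kind == "adaptive" and r.matches(msg)), default=0)
    return outbreak, adaptive


def final_threat_level(outbreak_score: int, adaptive_score: int) -> int:
    # ASSUMPTION: the guide only says "intelligent algorithms" combine the two
    # scores; taking the higher one is a stand-in chosen for this illustration.
    return max(outbreak_score, adaptive_score)


def decide(level: int, quarantine_threshold: int, modification_threshold: int) -> str:
    """Meets-or-exceeds comparison against the two thresholds, highest action first."""
    if level >= quarantine_threshold:
        return "quarantine"
    if level >= modification_threshold:
        return "rewrite_urls"
    return "deliver"


def reevaluate(quarantine: List[Message], rules: List[Rule], retention_threshold: int, trigger: str) -> List[str]:
    """Rescan the Outbreak quarantine and return the ids of the messages released.
    Only a rule download ("outbreak_rules") can change a threat level; an anti-virus
    engine or signature update alone ("antivirus_update") releases nothing."""
    if trigger != "outbreak_rules":
        return []
    released = []
    for msg in list(quarantine):
        level = final_threat_level(*score_message(msg, rules))
        if level < retention_threshold:
            quarantine.remove(msg)
            released.append(msg.msg_id)
    return released


def simulate() -> Dict[str, object]:
    """Walk four constructed messages through scoring, the threshold decision and two rescans."""
    rules_v1 = [
        Rule("OUTBREAK-RULE-A", "outbreak", 4, lambda m: m.attachment_ext == ".zip"),
        Rule("ADAPTIVE-RULE-B", "adaptive", 3, lambda m: "invoice" in m.subject.lower()),
        Rule("OUTBREAK-RULE-C", "outbreak", 1, lambda m: bool(m.urls)),
    ]
    quarantine_threshold, modification_threshold, retention_threshold = 3, 1, 3   # assumed settings
    msgs = [
        Message("m1", "Quarterly report", ".zip"),
        Message("m2", "Invoice attached", ""),
        Message("m3", "Team lunch", "", urls=["http://example.invalid/menu"]),
        Message("m4", "Hello", ""),
    ]
    quarantine: List[Message] = []
    decisions = {}
    for m in msgs:
        level = final_threat_level(*score_message(m, rules_v1))
        action = decide(level, quarantine_threshold, modification_threshold)
        decisions[m.msg_id] = (level, action)
        if action == "quarantine":
            quarantine.append(m)
        elif action == "rewrite_urls":
            m.urls_rewritten = True
    # An anti-virus update alone leaves quarantined messages where they are.
    released_after_av = reevaluate(quarantine, rules_v1, retention_threshold, "antivirus_update")
    # A revised rule set scores the .zip attachment lower, so m1 drops below the retention threshold.
    rules_v2 = [Rule("OUTBREAK-RULE-A", "outbreak", 2, lambda m: m.attachment_ext == ".zip")] + rules_v1[1:]
    released_after_rules = reevaluate(quarantine, rules_v2, retention_threshold, "outbreak_rules")
    return {
        "decisions": decisions,
        "released_after_av_update": released_after_av,
        "released_after_rule_update": released_after_rules,
        "still_quarantined": [m.msg_id for m in quarantine],
        "urls_rewritten": [m.msg_id for m in msgs if m.urls_rewritten],
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Running the block prints the per-message decisions, shows that the simulated anti-virus update releases nothing, and that only the rule update releases m1 while m2 (still at the retention threshold through the Adaptive Rule) stays quarantined. Calling `score_message(msg, rules, adaptive_enabled=False)` models the guide's advice to disable Adaptive Rules when anti-virus scanning is off.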