Cisco Email Security Appliance C650 User Guide
Cisco IronPort AsyncOS 7.5 for Email Configuration Guide
OL-25136-01
Chapter 10 Outbreak Filters
spam- and virus-free. Note that a message quarantined by Outbreak Filters may
be marked as spam or containing a virus when it is released from the quarantine
and rescanned by CASE, based on updated spam rules and virus definitions.
Message Scoring
When a new virus attack or non-viral threat is released into the wild, no anti-virus
or anti-spam software is able to recognize the threat yet, so this is where the
Outbreak Filters feature can be invaluable. Incoming messages are scanned and
scored by CASE using the published Outbreak and Adaptive Rules (see
). The message score corresponds with
the message’s threat level. Based on which, if any, rules the message matches,
CASE assigns the corresponding threat level. If there is no associated threat level
(the message does not match any rules), then the message is assigned a threat level
of 0.
Once that calculation has been completed, the Email Security appliance checks
whether the threat level of that message meets or exceeds your quarantine or
message modification threshold value and quarantines the message or rewrites its
URLs. If the threat level is below the thresholds, the message is passed along for further
processing in the pipeline.
Additionally, CASE reevaluates existing quarantined messages against the latest
rules to determine the latest threat level of a message. This ensures that only
messages that have a threat level consistent with an outbreak message stay within
the quarantine and messages that are no longer a threat flow out of the quarantine
after an automatic reevaluation.
In the case of multiple scores for an outbreak message — one score from an
Adaptive Rule (or the highest score if multiple Adaptive Rules apply), and another
score from an Outbreak Rule (or the highest score if multiple Outbreak Rules
apply) — intelligent algorithms are used to determine the final threat level.
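The scoring, threshold check and quarantine reevaluation described above can be modeled as follows. This is an added illustration, not Cisco's CASE implementation: the threshold values and message scores are constructed, and two points are assumptions because the guide does not specify them (the final level is taken as the higher of the Adaptive and Outbreak scores, and quarantine is checked before URL rewriting).

```python
from dataclasses import dataclass, field

# Constructed sample thresholds; real values come from the mail policy settings.
QUARANTINE_THRESHOLD = 3
MODIFY_THRESHOLD = 2

@dataclass
class Message:
    msg_id: str
    adaptive: list = field(default_factory=list)  # levels from matching Adaptive Rules
    outbreak: list = field(default_factory=list)  # levels from matching Outbreak Rules

def threat_level(msg):
    # Highest score within each rule family; no matching rule means level 0.
    # ASSUMPTION: the final level is the higher of the two; the guide only
    # says "intelligent algorithms" decide it.
    return max(max(msg.adaptive, default=0), max(msg.outbreak, default=0))

def disposition(msg, quarantine_at=QUARANTINE_THRESHOLD, modify_at=MODIFY_THRESHOLD):
    level = threat_level(msg)
    # ASSUMPTION: quarantine is checked before URL rewriting.
    if level >= quarantine_at:
        return "quarantine"
    if level >= modify_at:
        return "rewrite_urls"
    return "continue_pipeline"

def reevaluate(quarantined, rescored, quarantine_at=QUARANTINE_THRESHOLD):
    """Re-score quarantined messages against the latest rules.
    `rescored` maps msg_id -> Message carrying scores from the updated rules.
    Returns (still_quarantined, released)."""
    kept, released = [], []
    for old in quarantined:
        new = rescored.get(old.msg_id, old)  # unchanged if no new scores
        (kept if threat_level(new) >= quarantine_at else released).append(new)
    return kept, released

def demo():
    inbound = [
        Message("m1"),                                 # matches no rule
        Message("m2", adaptive=[2]),                   # one Adaptive Rule
        Message("m3", adaptive=[2, 4], outbreak=[3]),  # several rules, both families
    ]
    first_pass = {m.msg_id: disposition(m) for m in inbound}
    quarantine = [m for m in inbound if first_pass[m.msg_id] == "quarantine"]
    # A later rule update lowers m3's scores (constructed).
    kept, released = reevaluate(quarantine, {"m3": Message("m3", adaptive=[1])})
    return first_pass, [m.msg_id for m in kept], [m.msg_id for m in released]

if __name__ == "__main__":
    print(demo())
```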
Note
It is possible to use the Outbreak Filters feature without having enabled anti-virus
scanning on the Cisco IronPort appliance. The two security services are designed
to complement each other, but will also work separately. That said, if you do not
enable anti-virus scanning on your Cisco IronPort appliance, you will need to