Cisco Email Security Appliance C650 User Guide
Chapter 10 Outbreak Filters
10-16
Cisco IronPort AsyncOS 7.5 for Email Configuration Guide
OL-25136-01
Outbreak Lifecycle and Rules Publishing
Very early in a virus outbreak’s lifecycle, broader rules are used to quarantine messages. As more information becomes available, increasingly focused rules are published, narrowing the definition of what is quarantined. As the new rules are published, messages that are no longer considered possible virus messages are released from quarantine (messages in the outbreak quarantine are rescanned as new rules are published).
Table 10-1 shows an example of a virus outbreak’s life cycle.
Managing Outbreak Filters (GUI)
Log in to the Graphical User Interface (GUI), select Security Services in the menu, and click Outbreak Filters.
Table 10-3 Example Rules for an Outbreak Lifecycle

| Time | Rule Type | Rule Description | Action |
|------|-----------|------------------|--------|
| T=0 | Adaptive Rule (based on past outbreaks) | A consolidated rule set based on over 100K message attributes, which analyzes message content, context and structure | Messages are automatically quarantined if they match Adaptive Rules |
| T=5 min | Outbreak Rule | Quarantine messages containing .zip (exe) files | Quarantine all attachments that are .zips containing a .exe |
| T=10 min | Outbreak Rule | Quarantine messages that have .zip (exe) files greater than 50 KB | Any message with .zip (exe) files that are less than 50 KB would be released from quarantine |
| T=20 min | Outbreak Rule | Quarantine messages that have .zip (exe) files between 50 to 55 KB, and have “Price” in the file name | Any message that does not match these criteria would be released from quarantine |
| T=12 hours | Outbreak Rule | Scan against new signature | All remaining messages are scanned against the latest anti-virus signature |
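The narrowing of rules and the rescan-and-release behaviour described in the lifecycle paragraph and in Table 10-3, as an added Python simulation that is not Cisco's code or the appliance's actual rule engine: the T=5, T=10 and T=20 predicates and the sample messages are constructed assumptions, and the quarantine rescans everything it holds each time a new rule is published, releasing what no longer matches.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Message:
    msg_id: str
    attachment: str          # attachment file name, e.g. "Price_list.zip"
    zip_contains_exe: bool   # True if the .zip holds a .exe
    size_kb: int             # attachment size in KB

def rule_t5(m: Message) -> bool:
    # T=5 min: quarantine any .zip attachment that contains a .exe
    return m.attachment.lower().endswith(".zip") and m.zip_contains_exe

def rule_t10(m: Message) -> bool:
    # T=10 min: narrowed to .zip (exe) files greater than 50 KB
    return rule_t5(m) and m.size_kb > 50

def rule_t20(m: Message) -> bool:
    # T=20 min: narrowed to 50 to 55 KB with "Price" in the file name (case-insensitive here)
    return rule_t5(m) and 50 <= m.size_kb <= 55 and "price" in m.attachment.lower()

class OutbreakQuarantine:
    def __init__(self) -> None:
        self.held: Dict[str, Message] = {}

    def scan_incoming(self, m: Message, rule: Callable[[Message], bool]) -> bool:
        """Hold a newly arrived message if it matches the rule currently in force."""
        if rule(m):
            self.held[m.msg_id] = m
        return m.msg_id in self.held

    def publish_rule(self, rule: Callable[[Message], bool]) -> List[str]:
        """Rescan held messages against a new rule; release those that no longer match."""
        freed = [mid for mid, m in self.held.items() if not rule(m)]
        self.held = {mid: m for mid, m in self.held.items() if rule(m)}
        return freed

def simulate() -> Dict[str, List[str]]:
    """Run constructed sample messages (not from the guide) through the T=5..T=20 rules."""
    msgs = [Message("m1", "invoice.zip", True, 30), Message("m2", "Price_list.zip", True, 52),
            Message("m3", "report.zip", True, 80), Message("m4", "notes.txt", False, 10)]
    q = OutbreakQuarantine()
    for m in msgs:
        q.scan_incoming(m, rule_t5)
    timeline = {"T=5": sorted(q.held)}
    for label, rule in (("T=10", rule_t10), ("T=20", rule_t20)):
        q.publish_rule(rule)
        timeline[label] = sorted(q.held)
    return timeline
```

`simulate()` returns which message ids are still held after each rule publication, so the 30 KB archive leaves at T=10 and the 80 KB archive without "Price" in its name leaves at T=20.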