Cisco Email Security Appliance X1050 User Guide
Chapter 10 Virus Outbreak Filters
10-332
Cisco IronPort AsyncOS 7.1 for Email Configuration Guide
OL-22158-02
within an extensive IronPort virus corpus. Adaptive Rules are updated often as the
corpus is evaluated. They complement existing Outbreak Rules to detect outbreak
messages at all times. While Outbreak Rules take effect when a possible outbreak
is occurring, Adaptive Rules (once enabled) are “always on,” catching outbreak
messages locally before the full anomaly has formed on a global basis.
Additionally, Adaptive Rules continuously respond to small and subtle changes in
email traffic and structure, providing updated protection to customers.
Figure 10-1 Detection: Multiple Methods, More Parameters
Outbreaks
A Virus Outbreak Filter rule is essentially a VTL (e.g. 4) associated with a set of
characteristics of an email message and its attachment — things such as file size,
file type, file name, message content, and so on. For example, assume the IronPort
TOC notices an increase in occurrences of a suspicious email message
carrying a .exe attachment that is 143 kilobytes in size and whose file name
includes a specific keyword (“hello”, for example). An Outbreak Rule is published
that raises the VTL for messages matching these criteria. Your IronPort appliance
checks for and downloads newly published Outbreak and Adaptive Rules every 5
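To make the "VTL associated with a set of characteristics" idea concrete, here is an added illustration (not code from the guide or from AsyncOS): a small rule matcher that encodes the example rule above (a 143 KB .exe whose name contains "hello", VTL 4) and evaluates constructed sample messages, returning the highest matching VTL. The second rule, the sample messages and the field layout are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class OutbreakRule:
    """One Outbreak Rule: a VTL tied to message/attachment characteristics.
    Any characteristic left as None is treated as "don't care"."""
    vtl: int
    ext: Optional[str] = None            # attachment extension, e.g. ".exe"
    size_bytes: Optional[int] = None     # exact attachment size in bytes
    name_keyword: Optional[str] = None   # substring required in the file name
    body_keyword: Optional[str] = None   # substring required in the message body

    def matches(self, attachment_name: str, attachment_size: int, body: str) -> bool:
        name = attachment_name.lower()
        if self.ext is not None and not name.endswith(self.ext.lower()):
            return False
        if self.size_bytes is not None and attachment_size != self.size_bytes:
            return False
        if self.name_keyword is not None and self.name_keyword.lower() not in name:
            return False
        if self.body_keyword is not None and self.body_keyword.lower() not in body.lower():
            return False
        return True

def evaluate_message(rules, attachment_name, attachment_size, body) -> int:
    """Return the highest VTL of any matching rule (0 when no rule matches)."""
    return max((r.vtl for r in rules
                if r.matches(attachment_name, attachment_size, body)), default=0)

# Constructed rule set: the first mirrors the guide's example, the second is invented.
RULES = [
    OutbreakRule(vtl=4, ext=".exe", size_bytes=143 * 1024, name_keyword="hello"),
    OutbreakRule(vtl=2, ext=".scr"),
]

# Constructed sample messages: (attachment name, attachment size, body text).
SAMPLES = {
    "outbreak": ("hello_friend.exe", 143 * 1024, "see attached"),
    "same_name_other_size": ("hello_friend.exe", 10_000, "see attached"),
    "screensaver": ("funny.scr", 5_000, "lol"),
    "clean": ("report.pdf", 80_000, "quarterly report"),
}

def evaluate_samples() -> dict:
    """Evaluate every constructed sample against RULES."""
    return {label: evaluate_message(RULES, *msg) for label, msg in SAMPLES.items()}

if __name__ == "__main__":
    for label, vtl in evaluate_samples().items():
        print(f"{label}: VTL {vtl}")
```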