Cisco Email Security Appliance X1050 User Guide
User Guide for AsyncOS 9.7 for Cisco Email Security Appliances
Chapter 15 Outbreak Filters
How the Outbreak Filters Feature Works
Dynamic Quarantine
The Outbreak Filters feature’s Outbreak quarantine is a temporary holding area used to store messages
until they’re confirmed to be threats or it’s safe to deliver to users. (See
for more information.) Quarantined messages can be released from the Outbreak
quarantine in several ways. As new rules are downloaded, messages in the Outbreak quarantine are
reevaluated based on a recommended rescan interval calculated by CASE. If the revised threat level of
a message falls under the quarantine retention threshold, the message will automatically be released
(regardless of the Outbreak quarantine’s settings), thereby minimizing the time it spends in the
quarantine. If new rules are published while messages are being re-evaluated, the rescan is restarted.
Please note that messages quarantined as virus attacks are not automatically released from the outbreak
quarantine when new anti-virus signatures are available. New rules may or may not reference new
anti-virus signatures; however, messages will not be released due to an anti-virus engine update unless
an Outbreak Rule changes the threat level of the message to a score lower than your Threat Level
Threshold.
Messages are also released from the Outbreak quarantine after CASE’s recommended retention period
has elapsed. CASE calculates the retention period based on the message’s threat level. You can define
separate maximum retention times for virus outbreaks and non-viral threats. If CASE’s recommended
retention time exceeds the maximum retention time for the threat type, the Email Security appliance
releases messages when the maximum retention time elapses. For viral messages the default maximum
quarantine period is 1 day. The default period for quarantining non-viral threats is 4 hours. You can
manually release messages from the quarantine.
The Email Security appliance also releases messages when the quarantine is full and more messages are
inserted (this is referred to as overflow). Overflow only occurs when the Outbreak quarantine is at 100%
capacity, and a new message is added to the quarantine. At this point, messages are released in the
following order of priority:
• Messages quarantined by Adaptive Rules (those scheduled to be released soonest are first)
• Messages quarantined by Outbreak Rules (those scheduled to be released soonest are first)
Overflow releases stop the moment the Outbreak quarantine is below 100% capacity. For more
information about how quarantine overflow is handled, see
and
Messages released from the Outbreak quarantine are scanned by the anti-virus and anti-spam engines
again if those engines are enabled for the mail policy. If a released message is now marked as a known
virus or spam, it is subject to your mail policy settings (including a possible second quarantining in the
Virus quarantine or Spam quarantine). For more information, see
Thus it is important to note that in a message's lifetime, it may actually be quarantined twice — once
due to the Outbreak Filters feature, and once when it is released from the Outbreak quarantine. A
message will not be subject to a second quarantine if the verdicts from each scan (prior to Outbreak
Filters, and when released from the Outbreak quarantine) match. Also note that the Outbreak Filters
feature does not take any final actions on messages. The Outbreak Filters feature will either quarantine
a message (for further processing) or move the message along to the next step in the pipeline.
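The following Python model is an added illustration of the release behaviour described in this section; it is not Cisco's code and does not reflect the appliance's actual implementation. It captures the three release paths: a rescan after new Outbreak Rules that releases messages whose revised threat level is below the Threat Level Threshold, the retention cap per threat type (using the guide's defaults of 1 day and 4 hours), and overflow release in the stated priority order. Message ids, timestamps, the integer threat-level scale and the "adaptive"/"outbreak" labels are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Default maximum retention times stated in the guide: 1 day viral, 4 hours non-viral.
MAX_RETENTION = {"virus": timedelta(days=1), "non-viral": timedelta(hours=4)}

@dataclass
class Quarantined:
    msg_id: str
    rule_type: str        # "adaptive" or "outbreak": which rule kind quarantined it (assumed labels)
    threat_type: str      # "virus" or "non-viral"
    threat_level: int     # Outbreak Filters threat level (integer scale assumed)
    release_at: datetime  # scheduled release time

def effective_retention(threat_type, case_recommended):
    """CASE's recommended period, capped at the configured maximum for the threat type."""
    return min(case_recommended, MAX_RETENTION[threat_type])

def rescan(quarantine, revised_levels, threshold):
    """New Outbreak Rules arrived: release any message whose revised threat level is now
    below the Threat Level Threshold, regardless of its scheduled release time.
    An anti-virus signature update alone is not a release trigger, so it is not modelled."""
    released = [m for m in quarantine
                if revised_levels.get(m.msg_id, m.threat_level) < threshold]
    kept = [m for m in quarantine if m not in released]
    return kept, [m.msg_id for m in released]

def admit(quarantine, new_msg, capacity):
    """Insert a message; on overflow (quarantine already at 100% capacity) release in the
    guide's priority order (Adaptive Rules first, soonest release first, then Outbreak
    Rules) until the quarantine is below capacity, then insert the new message."""
    released = []
    while len(quarantine) >= capacity:
        victim = min(quarantine,
                     key=lambda m: (0 if m.rule_type == "adaptive" else 1, m.release_at))
        quarantine.remove(victim)
        released.append(victim.msg_id)
    quarantine.append(new_msg)
    return released

def demo():
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamps
    q = [Quarantined("a1", "adaptive", "non-viral", 3, t0 + timedelta(hours=2)),
         Quarantined("o1", "outbreak", "virus", 4, t0 + timedelta(hours=1)),
         Quarantined("a2", "adaptive", "non-viral", 3, t0 + timedelta(hours=3))]
    kept, dropped = rescan(q, {"o1": 2}, threshold=3)  # o1 re-scored below threshold
    new = Quarantined("o2", "outbreak", "virus", 5, t0 + timedelta(days=1))
    overflow = admit(kept, new, capacity=2)            # quarantine full: a1 goes first
    return dropped, overflow, [m.msg_id for m in kept]
```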
Related Topics