14-8
Cisco AsyncOS 8.5.6 for Email User Guide
 
Chapter 14      Outbreak Filters
  How the Outbreak Filters Feature Works
Guidelines for Setting Your Quarantine Threat Level Threshold
The quarantine threat level threshold allows administrators to be more or less aggressive in quarantining 
suspicious messages. A low setting (1 or 2) is more aggressive and will quarantine more messages; 
conversely, a higher score (4 or 5) is less aggressive and will only quarantine messages with an extremely 
high likelihood of being malicious.
The same threshold applies to both virus outbreaks and non-virus threats, but you can specify different 
quarantine retention times for virus attacks and other threats. See 
more information.
Cisco recommends the default value of 3.
Containers: Specific and Always Rules
Container files are files, such as zipped (.zip) archives, that contain other files. The TOC can publish 
rules that deal with specific files within archive files.
For example, if a virus outbreak is identified by TOC to consist of a .zip file containing a .exe, a specific 
Outbreak Rule is published that sets a threat level for .exe files within .zip files (.zip(exe)), but does not 
set a specific threat level for any other file type contained within .zip files (e.g. .txt files). A second rule 
(.zip(*)) covers all other file types within that container file type. An Always rule for a container will 
always be used in a message's Threat Level calculation regardless of the types of files that are inside a 
container. An always rule will be published by the SIO if all such container types are known to be 
dangerous.
How the Outbreak Filters Feature Works
Email messages pass through a series of steps, the “email pipeline,” when being processed by your 
appliance (for more information about the email pipeline, see 
). As the messages proceed through the email pipeline, they are run through the anti-spam and 
anti-virus scanning engines if those engines are enabled for that mail policy. In other words, known spam 
or messages containing recognized viruses are not scanned by the Outbreak Filters feature because they 
will have already been removed from the mail stream — deleted, quarantined, etc. — based on your 
anti-spam and anti-virus settings. Messages that arrive at the Outbreak Filters feature have therefore 
been marked spam- and virus-free. Note that a message quarantined by Outbreak Filters may be marked 
as spam or containing a virus when it is released from the quarantine and rescanned by CASE, based on 
updated spam rules and virus definitions.
Table 14-2    Fallback Rules and Threat Level Scores

Outbreak Rule   Threat Level   Description
.zip(exe)       4              This rule sets a threat level of 4 for .exe files within .zip files.
.zip(doc)       0              This rule sets a threat level of 0 for .doc files within .zip files.
.zip(*)         2              This rule sets a threat level of 2 for all .zip files, regardless of the types of files they contain.
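As an added worked example (not code from the Cisco guide), the following Python models how the specific, fallback and Always container rules described in "Containers: Specific and Always Rules" combine into a message threat level, using the rules of Table 14-2, and how the quarantine threat level threshold is then applied. The .rar Always rule, taking the maximum matching level as the message level, and quarantining when the level meets or exceeds the threshold are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class OutbreakRule:
    container: str           # container file type, e.g. "zip"
    inner: Optional[str]     # "exe", "doc", "*" (fallback) or None for an Always rule
    level: int               # threat level 0..5

# Table 14-2 from the guide, plus one constructed Always rule for .rar (assumption)
RULES = [
    OutbreakRule("zip", "exe", 4),
    OutbreakRule("zip", "doc", 0),
    OutbreakRule("zip", "*", 2),
    OutbreakRule("rar", None, 5),   # constructed: all .rar containers treated as dangerous
]

def rule_for(container: str, inner: str, rules: List[OutbreakRule]) -> Optional[OutbreakRule]:
    """A specific rule such as .zip(exe) wins; otherwise fall back to .zip(*)."""
    for r in rules:
        if r.container == container and r.inner == inner:
            return r
    for r in rules:
        if r.container == container and r.inner == "*":
            return r
    return None

def message_threat_level(attachments: List[Tuple[str, List[str]]], rules: List[OutbreakRule]) -> int:
    """attachments: (container type, list of inner file types) per attachment.
    Assumption: the message level is the highest level of any rule that matches."""
    level = 0
    for container, inner_files in attachments:
        # Always rules count regardless of what the container holds
        for r in rules:
            if r.container == container and r.inner is None:
                level = max(level, r.level)
        for inner in inner_files:
            r = rule_for(container, inner, rules)
            if r is not None:
                level = max(level, r.level)
    return level

def should_quarantine(level: int, threshold: int = 3) -> bool:
    """Assumption: quarantine when the level meets or exceeds the threshold (default 3)."""
    return level >= threshold
```

Lowering the threshold to 2 makes the .zip(*) fallback alone enough to quarantine, which is the "more aggressive" behaviour the guidelines describe.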