Cisco Email Security Appliance C160 User Guide

 
15-4
Cisco AsyncOS 9.5 for Email User Guide
 
Chapter 15      Outbreak Filters
  How Outbreak Filters Work
SIO compares real-time data from the global SenderBase network to common traffic patterns to identify 
anomalies that are proven predictors of an outbreak. TOC reviews the data and issues a threat level of 
the possible outbreak. Cisco Email Security appliances download updated threat levels and Outbreak 
Rules and use them to scan incoming and outgoing messages, as well as messages already in the 
Outbreak quarantine.
Information about current virus outbreaks can be found on SenderBase’s website here:
http://www.senderbase.org/
The SIO website provides a list of current non-viral threats, including spam, phishing, and malware 
distribution attempts:
http://tools.cisco.com/security/center/home.x
Context Adaptive Scanning Engine
Outbreak Filters are powered by Cisco’s unique Context Adaptive Scanning Engine (CASE). CASE 
leverages over 100,000 adaptive message attributes tuned automatically and on a regular basis, based on 
real-time analysis of messaging threats. 
For virus outbreaks, CASE analyzes the message content, context and structure to accurately determine 
likely Adaptive Rule triggers. CASE combines Adaptive Rules and the real-time Outbreak Rules 
published by SIO to evaluate every message and assign a unique threat level. 
To detect non-viral threats, CASE scans messages for URLs and uses Outbreak Rules from SIO to 
evaluate a message’s threat level if one or more URLs are found.
Based on the message’s threat level, CASE recommends a period of time to quarantine the message to 
prevent an outbreak. CASE also determines the rescan intervals so it can reevaluate the message based 
on updated Outbreak Rules from SIO. The higher the threat level, the more often it rescans the message 
while it is quarantined.
CASE also rescans messages when they’re released from the quarantine. A message can be quarantined 
again if CASE determines that it is spam or contains a virus upon rescan.
For more information about CASE, see .
Delaying Messages
The period between when an outbreak or email attack occurs and when software vendors release updated 
rules is when your network and your users are the most vulnerable. A modern virus can propagate 
globally and a malicious website can deliver malware or collect your users’ sensitive information during 
this period. Outbreak Filters protects your users and network by quarantining suspect messages for a 
limited period of time, giving Cisco and other vendors time to investigate the new outbreak.
When a virus outbreak occurs, suspicious messages with attachments are quarantined until updated 
Outbreak Rules and new anti-virus signatures prove the email’s attachment is clean or a virus.
Small-scale, non-viral threats carry URLs to malicious websites. Such a site may stay online only 
briefly in order to evade detection by web security services, or it may sit behind a URL-shortening 
service, which circumvents web security by putting a trustworthy website between the user and the 
malicious destination. By quarantining messages containing URLs that meet your threat level threshold, 
not only does CASE have the opportunity to reevaluate the message's content based on updated Outbreak 
Rules from SIO, but the messages can remain in the quarantine long enough that the linked website may 
go offline or be blocked by a web security solution.
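The following is an added example, not code from the Cisco AsyncOS product or this guide. It models, in plain Python, the URL-based path described under Context Adaptive Scanning Engine and Delaying Messages: URLs are extracted from a message, scored against a rule set, held in quarantine for a period that depends on the threat level, rescanned at a level-dependent interval as newer rule sets arrive, and released early when updated rules clear them. The threat-level scale (0 to 5), the retention and rescan-interval table, the rule sets and the message bodies are all constructed assumptions for illustration; the guide does not publish Cisco's actual values or rules.

```python
import re
from urllib.parse import urlparse

# Finds http(s) URLs in a message body (example pattern, not Cisco's).
URL_RE = re.compile(r'''https?://[^\s<>"']+''', re.IGNORECASE)

# Constructed Outbreak Rule sets: hostname -> threat level.
# Assumption: threat levels run from 0 (clean) to 5 (confirmed outbreak);
# the guide does not give the scale, so these values are illustrative only.
RULES_INITIAL = {
    "bad-updates.example": 3,   # newly observed campaign, suspicious
    "short.example": 2,         # URL shortener, destination not yet known
}
RULES_UPDATED = {
    "bad-updates.example": 5,   # SIO confirms malware distribution
    "short.example": 0,         # shortener destination checked, benign
}

# Retention and rescan interval (both in hours) per threat level.
# Assumption for illustration: higher level -> held longer, rescanned more often.
QUARANTINE_PLAN = {1: (4, 4), 2: (8, 4), 3: (12, 2), 4: (24, 2), 5: (24, 1)}


def extract_hosts(body):
    """Return the lowercase hostname of every URL found in the body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def threat_level(body, rules):
    """Score a message as the highest level of any URL host it contains.
    No URLs -> 0: this models only the URL-based (non-viral) path."""
    return max((rules.get(h, 0) for h in extract_hosts(body)), default=0)


def rules_at(hour, rule_updates):
    """Pick the newest rule set published at or before the given hour."""
    current = rule_updates[0][1]
    for published, rules in rule_updates:
        if published <= hour:
            current = rules
    return current


def simulate(body, threshold, rule_updates):
    """Walk one message through the quarantine.

    rule_updates: [(hour_published, rules), ...] in time order; the first
    entry is the rule set in force when the message arrives (hour 0).
    Returns [(hour, action, level), ...].  Actions: deliver (never
    quarantined), quarantine, rescan, release (updated rules cleared it),
    release_expired (retention ran out while still above threshold).
    """
    if not 1 <= threshold <= 5:
        raise ValueError("threshold must be between 1 and 5")
    level = threat_level(body, rule_updates[0][1])
    if level < threshold:
        return [(0, "deliver", level)]
    retention, interval = QUARANTINE_PLAN[level]
    events = [(0, "quarantine", level)]
    hour = 0
    while hour < retention:
        hour += interval
        level = threat_level(body, rules_at(hour, rule_updates))
        if level < threshold:
            events.append((hour, "release", level))
            return events
        # Updated rules may raise the level: adopt the longer hold and the
        # tighter rescan interval that the new level calls for.
        new_retention, interval = QUARANTINE_PLAN[level]
        retention = max(retention, new_retention)
        events.append((hour, "rescan", level))
    events.append((hour, "release_expired", level))
    return events


if __name__ == "__main__":
    # Constructed sample messages; rules are refreshed two hours after arrival.
    updates = [(0, RULES_INITIAL), (2, RULES_UPDATED)]
    for body in ("Install the patch now: http://bad-updates.example/patch.exe",
                 "Your invoice: https://short.example/x7",
                 "Lunch is at noon, no links here"):
        print(body)
        for event in simulate(body, 2, updates):
            print("   ", event)
```

Two behaviours worth noticing in the output: the shortener message is released as soon as the refreshed rules score its host at 0, well before its original retention expires, while the confirmed-malware message is escalated on its first rescan, held for the longer period the higher level calls for, and rescanned every hour until that period runs out.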