Cisco Cisco Email Security Appliance C160 Mode D'Emploi

Email messages pass through a series of steps, the “email pipeline,” when being processed by your 
appliance (for more information about the email pipeline, see 

). As the messages proceed through the email pipeline, they are run through the anti-spam and 

anti-virus scanning engines if those engines are enabled for that mail policy. In other words, known spam 
or messages containing recognized viruses are not scanned by the Outbreak Filters feature because they 
will have already been removed from the mail stream — deleted, quarantined, etc. — based on your 
anti-spam and anti-virus settings. Messages that arrive at the Outbreak Filters feature have therefore 
been marked spam- and virus-free. Note that a message quarantined by Outbreak Filters may be marked 
as spam or containing a virus when it is released from the quarantine and rescanned by CASE, based on 
updated spam rules and virus definitions.

Messages that skip anti-spam and anti-virus scanning due to filters or the engines being disabled will 
still be scanned by Outbreak Filters.

When a new virus attack or non-viral threat is released into the wild, no anti-virus or anti-spam software 
is able to recongnize the threat yet, so this is where the Outbreak Filters feature can be invaluable. 
Incoming messages are scanned and scored by CASE using the published Outbreak and Adaptive Rules 
(see 

). The message score corresponds with the 

message’s threat level. Based on which, if any, rules the message matches, CASE assigns the 
corresponding threat level. If there is no associated threat level (the message does not match any rules), 
then the message is assigned a threat level of 0.

Once that calculation has been completed, the Email Security appliance checks whether the threat level 
of that message meets or exceeds your quarantine or message modification threshold value and 
quarantines message or rewrites its URLs. It the threat level is below the thresholds, it will be passed 
along for further processing in the pipeline.

Additionally, CASE reevaluates existing quarantined messages against the latest rules to determine the 
latest threat level of a message. This ensures that only messages that have a threat level consistent with 
an outbreak message stay within the quarantine and messages that are no longer a threat flow out of the 
quarantine after an automatic reevaluation.

In the case of multiple scores for an outbreak message — one score from an Adaptive Rule (or the highest 
score if multiple Adaptive Rules apply), and another score from an Outbreak Rule (or the highest score 
if multiple Outbreak Rules apply) — intelligent algorithms are used to determine the final threat level.

It is possible to use the Outbreak Filters feature without having enabled anti-virus scanning on the 
appliance. The two security services are designed to complement each other, but will also work 
separately. That said, if you do not enable anti-virus scanning on your appliance, you will need to 

.zip(doc)

0

This rule sets a threat level of 0 for .doc files within .zip files.

zip(*)

2

This rule sets a threat level of 2 for all .zip files, regardless of 
the types of files they contain.