Cisco Email Security Appliance C160 User Manual

Cisco AsyncOS 8.5.5 for Email Security User Guide
 
Chapter 14      Outbreak Filters
  Managing Outbreak Filters (GUI)
Threat Disclaimer
The Email Security appliance can add a disclaimer message above the heading of a suspicious 
message to warn the user of its content. This disclaimer can be in HTML or plain text, depending on the 
type of message.
Select the disclaimer text you want to use from the Threat Disclaimer list or click the Mail Policies > 
Text Resources link to create a new disclaimer using the Disclaimer Template. The Disclaimer Template 
includes variables for outbreak threat information. You can see a preview of the threat disclaimer by 
clicking Preview Disclaimer. For custom disclaimer messages, you can use variables to display the threat 
level, the type of threat, and a description of the threat in the message. For information on creating a 
disclaimer message, see 
The Outbreak Filters Feature and the Outbreak Quarantine
Messages quarantined by the Outbreak Filters feature are sent to the Outbreak quarantine. This 
quarantine functions like any other quarantine (for more information about working with quarantines, 
see 
) except that it has a “summary” view, useful 
for deleting or releasing all messages from the quarantine, based on the rule used to place the message 
in the quarantine (for Outbreak Rules, the Outbreak ID is shown, and for Adaptive Rules, a generic term 
is shown). For more information about the summary view, see 
Monitoring the Outbreak Quarantine
Though a properly configured quarantine requires little if any monitoring, it is a good idea to keep an 
eye on the Outbreak Quarantine, especially during and after virus outbreaks when legitimate messages 
may be delayed.
If a legitimate message is quarantined, one of the following occurs depending on the settings for the 
Outbreak quarantine:
If the quarantine’s Default Action is set to Release, the message will be released when the retention 
time period expires or when the quarantine overflows. You can configure the Outbreak quarantine 
so that the following actions are performed on messages before they are released due to overflow: 
strip attachments, modify the subject, and add an X-Header. For more information about these 
actions, see 
.
If the quarantine’s Default Action is set to Delete, the message will be deleted when the retention 
time period expires, or when the quarantine overflows.
Overflow occurs when the quarantine is full and more messages are added. In this case the messages 
closest to their expiration date (not necessarily the oldest messages) are released first, until enough 
room is available for the new messages. You can configure the Outbreak quarantine so that the 
following actions are performed on messages before they are released due to overflow: strip 
attachments, modify the subject, add an X-Header. 
Because quarantined messages are rescanned whenever new rules are published, it is very likely that 
messages in the Outbreak quarantine will be released prior to the expiration time.
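The overflow and Default Action behavior described above, as an added Python model (not AsyncOS code or anything from the guide). Capacity units, message sizes, retention values, the subject tag and the header name `X-Overflow-Release` are constructed for illustration, and the model assumes the pre-release actions apply only to overflow releases, as the text states.

```python
from dataclasses import dataclass, field

@dataclass
class Msg:
    mid: str
    expires: int                      # arrival time + retention period
    size: int
    subject: str = "invoice"
    attachments: list = field(default_factory=lambda: ["doc.pdf"])
    headers: dict = field(default_factory=dict)

class Quarantine:
    """Toy model of the overflow rules described above (not AsyncOS code)."""
    def __init__(self, capacity, default_action):
        self.capacity, self.default_action = capacity, default_action
        self.held, self.released, self.deleted = [], [], []

    def _evict(self, m, overflow):
        self.held.remove(m)
        if self.default_action == "delete":
            self.deleted.append(m)    # a legitimate message would be lost here
            return
        if overflow:                  # optional pre-release actions on overflow
            m.attachments = []                                # strip attachments
            m.subject = "[OVERFLOW RELEASE] " + m.subject     # hypothetical tag
            m.headers["X-Overflow-Release"] = "true"          # hypothetical header
        self.released.append(m)

    def add(self, m):
        # Overflow: evict by nearest expiration, not by arrival order.
        while self.held and sum(x.size for x in self.held) + m.size > self.capacity:
            self._evict(min(self.held, key=lambda x: x.expires), overflow=True)
        self.held.append(m)

    def expire(self, now):
        for m in [x for x in self.held if x.expires <= now]:
            self._evict(m, overflow=False)

def run(default_action):
    # Constructed sample: A arrives first but has the longest retention.
    q = Quarantine(capacity=100, default_action=default_action)
    for m in (Msg("A", expires=100, size=40), Msg("B", expires=30, size=40),
              Msg("C", expires=90, size=40)):
        q.add(m)                      # adding C overflows; B is evicted, not A
    q.expire(now=95)                  # C reaches its retention limit
    return q

if __name__ == "__main__":
    for action in ("release", "delete"):
        q = run(action)
        print(action, [m.mid for m in q.released], [m.mid for m in q.deleted])
```

With the Default Action set to Delete, the same two messages that would have reached the recipient are discarded instead, which is why the quarantine needs monitoring in that configuration.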
Still, it can be important to monitor the Outbreak quarantine if the Default Action is set to Delete. Cisco 
recommends that most users not set the Default Action to Delete. For more information about releasing 
messages from the Outbreak quarantine, or changing the Default Action for the Outbreak Quarantine, 
see