Cisco Email Security Appliance C160 User Manual

Cisco AsyncOS 8.5.5 for Email Security User Guide
 
Chapter 16: File Reputation Filtering and File Analysis
Overview of File Reputation Filtering and File Analysis
File Processing Overview 
Evaluation of file reputation and sending of files for analysis occur immediately after anti-virus 
scanning, regardless of verdicts from previous scanning engines, unless a final action has been taken on 
the message. 
Communications between the appliance and the file reputation service are encrypted and protected from 
tampering. 
After a file’s reputation is evaluated:

• If the file is known to the file reputation service and is determined to be clean, the message continues
  through the workqueue.
• If the file reputation service returns a verdict of malicious for any attachment in the message, then
  the appliance applies the action that you have specified in the applicable mail policy.
• If the file is known to the reputation service but there is insufficient information for a definitive
  verdict, the reputation service returns a reputation score based on characteristics of the file such as
  threat fingerprint and behavioral analysis. If this score meets or exceeds the configured reputation
  threshold (you should not change the default threshold), the appliance applies the action that you
  have configured in the mail policy for files that contain malware.
• If the reputation service has no information about the file, and the file does not meet the criteria for
  analysis, the file is considered clean and the message continues through the workqueue.
• If the reputation service has no information about the file, and the file meets the criteria for files that
  can be analyzed (see ), then the file is considered clean and is optionally sent for analysis. You can
  configure the appliance to quarantine files sent for analysis instead of releasing them immediately
  to the workqueue.
• If file reputation information is unavailable, for example because the connection with the cloud
  service timed out, the appliance applies the action that you have specified for unscannable
  attachments in the applicable mail policy.
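
The decision flow listed above, modeled as an added Python example for checking what a mail policy should do in each case; it is not Cisco code and not an appliance API. The names Lookup, Outcome, evaluate_file and evaluate_message are hypothetical, and two behaviors the page does not state are assumptions: a score below the threshold lets the message continue, and the most severe per-file outcome decides the message.

```python
from enum import Enum

class Lookup(Enum):            # hypothetical names: reputation result for one file
    CLEAN = 1                  # known to the service and clean
    MALICIOUS = 2              # known to the service and malicious
    SCORED = 3                 # known, no definitive verdict; a score is returned
    NO_INFO = 4                # service has no information about the file
    UNAVAILABLE = 5            # e.g. connection to the cloud service timed out

class Outcome(Enum):           # values give the precedence assumed per message
    CONTINUE = 0               # message continues through the workqueue
    QUARANTINE_PENDING = 1     # sent for analysis and quarantined meanwhile
    UNSCANNABLE_ACTION = 2     # mail-policy action for unscannable attachments
    MALWARE_ACTION = 3         # mail-policy action for files containing malware

def evaluate_file(lookup, *, threshold, score=None, analyzable=False,
                  send_for_analysis=False, quarantine_pending=False):
    """Return (outcome, sent_for_analysis) for one attachment."""
    if lookup is Lookup.UNAVAILABLE:
        return Outcome.UNSCANNABLE_ACTION, False
    if lookup is Lookup.MALICIOUS:
        return Outcome.MALWARE_ACTION, False
    if lookup is Lookup.SCORED:
        if score is None:
            raise ValueError("a SCORED lookup requires a score")
        hit = score >= threshold          # "meets or exceeds" the threshold
        # Assumption: below the threshold the message simply continues.
        return (Outcome.MALWARE_ACTION if hit else Outcome.CONTINUE), False
    if lookup is Lookup.NO_INFO and analyzable and send_for_analysis:
        # Still considered clean; holding it in quarantine is optional.
        return (Outcome.QUARANTINE_PENDING if quarantine_pending
                else Outcome.CONTINUE), True
    return Outcome.CONTINUE, False        # CLEAN, or NO_INFO not sent for analysis

def evaluate_message(files, *, final_action_taken=False, **policy):
    """files: dicts with 'lookup' and optional 'score' / 'analyzable' keys."""
    if final_action_taken:                # an earlier engine already decided
        return None                       # reputation evaluation does not run
    outcomes = [evaluate_file(f["lookup"], score=f.get("score"),
                              analyzable=f.get("analyzable", False),
                              **policy)[0]
                for f in files]
    # Assumption: the most severe per-file outcome decides the message.
    return max(outcomes, key=lambda o: o.value, default=Outcome.CONTINUE)
```
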