Cisco Email Security Appliance C170 User Manual
10-6
Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 10 Outbreak Filters
Modifying Messages
The Outbreak Filters feature modifies the message body of a non-viral threat message not only to rewrite
the URLs but also to alert the user that the message is a suspected threat. The Outbreak Filters feature can
modify the subject header and add a disclaimer about the message's content above the message body.
See for more information.
The threat disclaimer is created using the Disclaimer template through the Mail Policies > Text
Resources page. See for more information.
Types of Rules: Adaptive and Outbreak
Two types of rules are used by Outbreak Filters to detect potential outbreaks: Adaptive and Outbreak.
The Outbreak Filters feature uses these two rule sets to provide the highest efficacy and the most focused
set of criteria for threat detection to ensure that filters can be laser focused on a particular outbreak. The
Outbreak Filters rules and actions are visible to the administrator, not hidden away behind the scenes,
providing instant access to quarantined messages and the reason why they were quarantined.
Outbreak Rules
Outbreak Rules are generated by the Cisco IronPort Threat Operations Center (TOC), which is a part of
the Cisco Security Intelligence Operations, and focus on the message as a whole, rather than just
attachment file types. Outbreak Rules use SenderBase data (real-time and historical traffic data) and any
combination of message parameters such as attachment file type, file name keywords, or anti-virus
engine update to recognize and prevent outbreaks in real time. Outbreak Rules are given a unique ID
used to refer to the rule in various places in the GUI (such as the Outbreak quarantine).
Real-time data from the global SenderBase network is then compared to this baseline, identifying
anomalies that are proven predictors of an outbreak. The TOC reviews the data and issues a threat
indicator or Threat Level. The Threat Level is a numeric value between 0 (no threat) and 5 (extremely
risky), and measures the likelihood that a message is a threat for which no other gateway defense is
widely deployed by Cisco IronPort customers (for more information, see
).
Threat Levels are published as Outbreak Rules by the TOC.
Some example characteristics that can be combined in Outbreak Rules include:
• File Type, File Type & Size, File Type & File Name Keyword, etc.
• File Name Keyword & File Size
• File Name Keyword
• Message URL
• File Name & Sophos IDE
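The following is an added example, written for this page and not Cisco's AsyncOS code, that illustrates the two behaviours described above: how a rule can combine several message parameters (attachment file type, file name keyword, file size, message URL) and carry a Threat Level from 0 to 5, and how a message that reaches a threshold is modified by tagging the subject and placing a disclaimer above the body. The rule set, rule IDs, threshold, disclaimer text, the `X-Outbreak-Rules` header and the sample message are all assumptions constructed for the example; real Outbreak Rules are authored by the TOC and their matching logic is not published here.

```python
import re
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Hypothetical rule set (assumption, not Cisco TOC rules). Each rule combines one
# or more message parameters and carries a Threat Level, 0 (no threat) to 5 (extremely risky).
RULES = [
    {"id": "RULE-A", "level": 5, "ext": "exe", "max_size": 65536, "keyword": "invoice"},
    {"id": "RULE-B", "level": 3, "ext": "zip", "keyword": "invoice"},
    {"id": "RULE-C", "level": 2, "url_host": "files.example.net"},
]


def message_features(msg: Message) -> dict:
    """Collect the parameters a rule may combine: attachment name, extension and
    decoded size, plus URLs found in text parts."""
    attachments, urls = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            size = len(part.get_payload(decode=True) or b"")
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            attachments.append({"name": name.lower(), "ext": ext, "size": size})
        elif part.get_content_maintype() == "text":
            charset = part.get_content_charset() or "us-ascii"
            text = (part.get_payload(decode=True) or b"").decode(charset, "replace")
            urls.extend(URL_RE.findall(text))
    return {"attachments": attachments, "urls": urls}


def rule_matches(rule: dict, features: dict) -> bool:
    """A rule matches when every attachment parameter it names matches the same
    attachment, or, for URL rules, when any URL in the body has the named host."""
    if "url_host" in rule:
        return any(urlparse(u).hostname == rule["url_host"] for u in features["urls"])
    for att in features["attachments"]:
        if "ext" in rule and att["ext"] != rule["ext"]:
            continue
        if "keyword" in rule and rule["keyword"] not in att["name"]:
            continue
        if "max_size" in rule and att["size"] > rule["max_size"]:
            continue
        return True
    return False


def evaluate(raw: str) -> tuple:
    """Return (threat_level, matched_rule_ids); the level is the highest of all matching rules."""
    features = message_features(message_from_string(raw))
    matched = [r for r in RULES if rule_matches(r, features)]
    return max((r["level"] for r in matched), default=0), [r["id"] for r in matched]


SUBJECT_TAG = "[SUSPECTED THREAT] "
DISCLAIMER = ("WARNING: this message matched an outbreak rule and may be a threat. "
              "Do not open attachments or follow links until it has been verified.\n\n")


def modify_message(raw: str, threshold: int = 3) -> str:
    """Tag the subject and prepend a disclaimer to the first text/plain part when the
    Threat Level reaches the threshold; below it the message is returned unchanged."""
    level, ids = evaluate(raw)
    if level < threshold:
        return raw
    msg = message_from_string(raw)
    if "Subject" in msg:
        msg.replace_header("Subject", SUBJECT_TAG + msg["Subject"])
    else:
        msg["Subject"] = SUBJECT_TAG.strip()
    msg["X-Outbreak-Rules"] = ",".join(ids)  # hypothetical header recording why it was flagged
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "us-ascii"
            text = (part.get_payload(decode=True) or b"").decode(charset, "replace")
            del part["Content-Transfer-Encoding"]  # re-set as plain 7-bit text (ASCII body assumed)
            part.set_payload(DISCLAIMER + text)
            break
    return msg.as_string()


def subject_and_body(raw: str) -> tuple:
    """Return (Subject, first text/plain body) of a raw message, for inspecting results."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "us-ascii"
            return msg.get("Subject", ""), (part.get_payload(decode=True) or b"").decode(charset, "replace")
    return msg.get("Subject", ""), ""


def build_sample() -> str:
    """Constructed sample message (not real traffic): an invoice-themed link plus a
    small executable attachment whose file name carries the keyword."""
    msg = MIMEMultipart()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Your invoice"
    msg.attach(MIMEText("Please open the attached invoice.\nhttp://files.example.net/invoice\n"))
    stub = b"MZ" + b"\x00" * 4094  # fake 4 KiB executable body
    att = MIMEApplication(stub, _subtype="octet-stream")
    att.add_header("Content-Disposition", "attachment", filename="invoice_2291.exe")
    msg.attach(att)
    return msg.as_string()


if __name__ == "__main__":
    sample = build_sample()
    print(evaluate(sample))
    print(subject_and_body(modify_message(sample))[0])
```

Two design points worth noting. The attachment parameters of a rule are checked against a single attachment rather than across the whole message, so a rule for "executable named like an invoice" is not satisfied by one harmless executable plus an unrelated file whose name contains the keyword. The disclaimer is inserted into the decoded body and the transfer encoding is reset, which is why the example assumes an ASCII body; a production implementation has to re-encode non-ASCII text rather than drop the encoding.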
Adaptive Rules
Adaptive Rules are a set of rules within CASE that accurately compare message attributes to attributes
of known virus outbreak messages. These rules have been created after studying known threat messages
and known good messages within an extensive Cisco IronPort virus corpus. Adaptive Rules are updated
often as the corpus is evaluated. They complement existing Outbreak Rules to detect outbreak messages
at all times. While Outbreak Rules take effect when a possible outbreak is occurring, Adaptive Rules