10-2
Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 10 Outbreak Filters
The process of outbreak detection and filtering begins with SenderBase, part of SIO. SenderBase is the 
world’s largest email and web traffic monitoring system and has a view into approximately 25% of the 
world’s email traffic. Cisco IronPort uses historical SenderBase data to create a statistical view of normal 
global traffic patterns. Outbreak Filters depends on the set of rules developed from this data to determine 
the threat levels of incoming messages.
Outbreak Filters has significant enhancements in features and usability. At a high level the enhancements 
include, but are not limited to:
• The increased threat types detected by Cisco Security Intelligence Operations (SIO) and used to create Outbreak Rules to detect non-viral attacks, such as phishing scams and malware distribution, in addition to virus outbreaks.
• CASE (Context Adaptive Scanning Engine) scanning that scans for URLs to detect non-viral threats, in addition to combining content analysis from Adaptive Rules and Outbreak Rules from SIO to detect outbreaks.
• Dynamic Quarantine, which re-evaluates messages periodically and auto-releases them from the quarantine based on Outbreak Rule updates.
• URL rewriting to redirect traffic to potentially harmful websites through the Cisco web security proxy, which either warns users that the website they are attempting to access may be malicious or blocks the website completely.
These feature enhancements are designed to increase the system’s capture rate for outbreaks, provide 
enhanced visibility into an outbreak, and protect your users’ computers and sensitive information.
Your Cisco IronPort appliance ships with a 30-day evaluation license for the Outbreak Filters feature.
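As an added illustration (not Cisco's code and not the actual AsyncOS algorithm), the following Python toy models the Dynamic Quarantine behaviour described above: held messages are re-scored whenever the Outbreak Rule set updates, and those that drop below the quarantine threshold are auto-released while the rest stay held. The threat-level values, the threshold and the shape of the rules are assumptions, and the messages and rule sets are constructed samples.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List
# Assumption: threat levels are small integers and a message whose level
# meets the threshold is held. Real AsyncOS values are not given on this page.
QUARANTINE_THRESHOLD = 3

@dataclass
class Message:
    msg_id: str
    attachment_type: str   # constructed feature, e.g. "exe", "zip", "pdf"
    has_url: bool
# An Outbreak Rule scores a message; the active rule set changes over time.
Rule = Callable[[Message], int]

def level_for(msg: Message, rules: List[Rule]) -> int:
    """Threat level = highest score any active rule assigns (assumption)."""
    return max((rule(msg) for rule in rules), default=0)

@dataclass
class DynamicQuarantine:
    threshold: int = QUARANTINE_THRESHOLD
    held: Dict[str, Message] = field(default_factory=dict)

    def scan(self, msg: Message, rules: List[Rule]) -> bool:
        """Hold msg if its level meets the threshold; return True if held."""
        if level_for(msg, rules) >= self.threshold:
            self.held[msg.msg_id] = msg
            return True
        return False

    def reevaluate(self, rules: List[Rule]) -> List[str]:
        """Re-score held messages against the updated rules; auto-release
        those now below the threshold and return their ids."""
        released = [i for i, m in self.held.items()
                    if level_for(m, rules) < self.threshold]
        for i in released:
            del self.held[i]
        return released

# Constructed rule sets: a broad rule while an outbreak is suspected, then a
# narrowed update once SIO knows more (only .exe carriers, plus URL threats).
RULES_T0 = [lambda m: 4 if m.attachment_type in ("exe", "zip") else 0]
RULES_T1 = [lambda m: 4 if m.attachment_type == "exe" else 0,
            lambda m: 3 if m.has_url else 0]

def demo():
    q = DynamicQuarantine()
    msgs = [Message("m1", "exe", False), Message("m2", "zip", False),
            Message("m3", "zip", True), Message("m4", "pdf", False)]
    held = [m.msg_id for m in msgs if q.scan(m, RULES_T0)]
    released = q.reevaluate(RULES_T1)   # m2: zip no longer flagged, no URL
    return held, released, sorted(q.held)
```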
Threat Categories
The Outbreak Filters feature provides protection from two categories of message-based outbreaks: virus outbreaks, which are messages with never-before-seen viruses in their attachments, and non-viral threats, which include phishing attempts, scams, and malware distribution through links to an external website.
By default, the Outbreak Filters feature scans your incoming and outgoing messages for possible viruses 
during an outbreak. You can enable scanning for non-viral threats in addition to virus outbreaks if you 
enable anti-spam scanning on the appliance.
Note: Your appliance needs a feature key for Cisco IronPort Anti-Spam or Cisco IronPort Intelligent Multi-Scan in order for Outbreak Filters to scan for non-viral threats.
Virus Outbreaks
The Outbreak Filters feature provides you with a head start when battling virus outbreaks. An outbreak 
occurs when messages with attachments containing never-before-seen viruses or variants of existing 
viruses spread quickly through private networks and the Internet. As these new viruses or variants hit the 
Internet, the most critical period is the window of time between when the virus is released and when the 
anti-virus vendors release an updated virus definition. Having advanced notice — even a few hours — 
is vital to curbing the spread of the malware or virus. During that vulnerability window, the newly-found 
virus can propagate globally, bringing email infrastructure to a halt.