Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 10      Outbreak Filters
• SenderBase. The world’s largest threat monitoring network and vulnerability database.
• Threat Operations Center (TOC). A global team of security analysts and automated systems that extract actionable intelligence gathered by SenderBase.
• Dynamic Update. Real-time updates automatically delivered to Cisco IronPort appliances as outbreaks occur.
SIO compares real-time data from the global SenderBase network to common traffic patterns to identify anomalies that are proven predictors of an outbreak. TOC reviews the data and issues a threat level of the possible outbreak. Cisco IronPort Email Security appliances download updated threat levels and Outbreak Rules and use them to scan incoming and outgoing messages, as well as messages already in the Outbreak quarantine.
Information about current virus outbreaks can be found on SenderBase’s website here:
http://www.senderbase.org/
The SIO website provides a list of current non-viral threats, including spam, phishing, and malware distribution attempts:
http://tools.cisco.com/security/center/home.x
Context Adaptive Scanning Engine
Outbreak Filters are powered by Cisco IronPort’s unique Context Adaptive Scanning Engine (CASE). CASE leverages over 100,000 adaptive message attributes tuned automatically and on a regular basis, based on real-time analysis of messaging threats.
For virus outbreaks, CASE analyzes the message content, context and structure to accurately determine likely Adaptive Rule triggers. CASE combines Adaptive Rules and the real-time Outbreak Rules published by SIO to evaluate every message and assign a unique threat level.
To detect non-viral threats, CASE scans messages for URLs and uses Outbreak Rules from SIO to evaluate a message’s threat level if one or more URLs are found.
Based on the message’s threat level, CASE recommends a period of time to quarantine the message to prevent an outbreak. CASE also determines the rescan intervals so it can reevaluate the message based on updated Outbreak Rules from SIO. The higher the threat level, the more often it rescans the message while it is quarantined.
CASE also rescans messages when they’re released from the quarantine. A message can be quarantined again if CASE determines that it is spam or contains a virus upon rescan.
For more information about CASE, see 
Delaying Messages
The period between when an outbreak or email attack occurs and when software vendors release updated rules is when your network and your users are the most vulnerable. A modern virus can propagate globally and a malicious website can deliver malware or collect your users’ sensitive information during this period. Outbreak Filters protects your users and network by quarantining suspect messages for a limited period of time, giving Cisco and other vendors time to investigate the new outbreak.
When a virus outbreak occurs, suspicious messages with attachments are quarantined until updated Outbreak Rules and new anti-virus signatures prove the email’s attachment is clean or a virus.
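The quarantine lifecycle described in the CASE and Delaying Messages sections (threat level sets the rescan cadence, updated rules release or hand off a held message, retention expires otherwise, and released messages are rescanned and can be re-quarantined), modelled as an added example that is not Cisco code; the threat-level range, interval table, retention cap, threshold and verdict function are all assumptions:

```python
# Constructed model of the Outbreak Filters quarantine lifecycle described above.
# Not Cisco code: the threat-level range, rescan cadence and retention cap are assumptions.
from dataclasses import dataclass

RESCAN_INTERVAL_HOURS = {1: 12, 2: 6, 3: 3, 4: 1, 5: 1}  # assumed: higher level, more frequent rescans
MAX_QUARANTINE_HOURS = 24                                 # assumed retention cap
QUARANTINE_THRESHOLD = 3                                  # assumed minimum level that is held


@dataclass
class Message:
    msg_id: str
    threat_level: int             # assumed 1..5, assigned by CASE
    has_attachment: bool = False  # viral outbreak path
    has_url: bool = False         # non-viral (spam/phishing/malware URL) path


def should_quarantine(msg):
    """Hold only messages CASE rates at or above the threshold that carry an attachment or URL."""
    return msg.threat_level >= QUARANTINE_THRESHOLD and (msg.has_attachment or msg.has_url)


def apply_rule_update(entered_at, now, verdict):
    """Verdict from updated Outbreak Rules / AV signatures: clean releases, virus goes to anti-virus,
    unknown keeps waiting until the retention cap releases it."""
    if verdict == "clean":
        return "release"
    if verdict == "virus":
        return "virus_detected"
    if now - entered_at >= MAX_QUARANTINE_HOURS:
        return "release_expired"
    return "hold"


def run_quarantine(msg, verdict_at_hour, start=0):
    """Rescan at the interval for the message's threat level until a verdict resolves it.
    verdict_at_hour: constructed function hour -> 'clean' | 'virus' | 'unknown'.
    Returns (outcome, hour, number_of_rescans)."""
    now, rescans = start, 0
    while True:
        now += RESCAN_INTERVAL_HOURS[msg.threat_level]
        rescans += 1
        outcome = apply_rule_update(start, now, verdict_at_hour(now))
        if outcome != "hold":
            return outcome, now, rescans

def release_rescan(release_verdict):
    """Messages are rescanned on release; spam or a virus sends them back to quarantine."""
    return "requarantine" if release_verdict in ("spam", "virus") else "deliver"
```

Running the same verdict timeline against a level 5 and a level 3 message shows the difference in rescan cadence: the higher level is rescanned every hour and released as soon as the rules say clean, while the lower level waits for its next scheduled rescan.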