Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 10      Outbreak Filters
The same threshold applies to both virus outbreaks and non-virus threats, but you can specify different quarantine retention times for virus attacks and other threats. See for more information.
Cisco recommends the default value of 3.
Containers: Specific and Always Rules
Container files are files, such as zipped (.zip) archives, that contain other files. The TOC can publish rules that deal with specific files within archive files.
For example, if a virus outbreak is identified by TOC to consist of a .zip file containing a .exe, a specific Outbreak Rule is published that sets a threat level for .exe files within .zip files (.zip(exe)), but does not set a specific threat level for any other file type contained within .zip files (e.g. .txt files). A second rule (.zip(*)) covers all other file types within that container file type. An Always rule for a container will always be used in a message's Threat Level calculation regardless of the types of files that are inside a container. An Always rule will be published by the SIO if all such container types are known to be dangerous.
How the Outbreak Filters Feature Works
Email messages pass through a series of steps, the “email pipeline,” when being processed by your Cisco IronPort appliance (for more information about the email pipeline, see ). As the messages proceed through the email pipeline, they are run through the anti-spam and anti-virus scanning engines if they are enabled for that mail policy. Only messages that pass through those scans are scanned by the Outbreak Filters feature (see for more information about how the email pipeline can affect which messages are scanned by the Outbreak Filters feature). In other words, known spam or messages containing recognized viruses are not scanned by the Outbreak Filters feature because they will have already been removed from the mail stream — deleted, quarantined, etc. — based on your anti-spam and anti-virus settings. Messages that arrive at the Outbreak Filters feature have therefore been marked spam- and virus-free. Note that a message quarantined by Outbreak Filters may be marked as spam or containing a virus when it is released from the quarantine and rescanned by CASE, based on updated spam rules and virus definitions.
Message Scoring
When a new virus attack or non-viral threat is released into the wild, no anti-virus or anti-spam software is able to recognize the threat yet, so this is where the Outbreak Filters feature can be invaluable. Incoming messages are scanned and scored by CASE using the published Outbreak and Adaptive Rules (see ). The message score corresponds with the
Table 10-2    Fallback Rules and Threat Level Scores

Outbreak Rule   Threat Level   Description
.zip(exe)       4              This rule sets a threat level of 4 for .exe files within .zip files.
.zip(doc)       0              This rule sets a threat level of 0 for .doc files within .zip files.
.zip(*)         2              This rule sets a threat level of 2 for all .zip files, regardless of the types of files they contain.
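As an added illustration (not Cisco's code and not any AsyncOS API), the following Python models how the container rules in Table 10-2 would be matched against a message's attachments: a specific rule such as .zip(exe) wins over the .zip(*) wildcard, an Always rule counts regardless of what the container holds, and the resulting Threat Level is compared with the quarantine threshold (default 3). The rule data structure, the "highest matching level wins" combination across several files, and the at-or-above threshold comparison are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class OutbreakRule:
    container: str           # container file type, e.g. "zip"
    inner: Optional[str]     # "exe" for .zip(exe), "*" for .zip(*), None for an Always rule
    threat_level: int

# Constructed rule table mirroring Table 10-2 of the guide.
RULES = [
    OutbreakRule("zip", "exe", 4),   # specific rule: .zip(exe)
    OutbreakRule("zip", "doc", 0),   # specific rule: .zip(doc)
    OutbreakRule("zip", "*", 2),     # wildcard rule: .zip(*) covers all other types
]

def rule_for(container: str, ext: str, rules: List[OutbreakRule]) -> Optional[OutbreakRule]:
    """Select the rule for one file inside a container: a specific rule such as
    .zip(exe) beats the .zip(*) wildcard, which covers every other file type."""
    matches = [r for r in rules if r.container == container and r.inner is not None]
    for r in matches:
        if r.inner == ext:
            return r
    for r in matches:
        if r.inner == "*":
            return r
    return None

def threat_level(attachments: List[Tuple[str, List[str]]], rules: List[OutbreakRule]) -> int:
    """attachments: list of (container type, [types of the files it contains]).
    Assumption (not stated on this page): a message takes the highest level of any
    matching rule; a message matching no rule scores 0."""
    level = 0
    for container, inner_files in attachments:
        # An Always rule for the container counts whatever the container holds.
        for r in rules:
            if r.container == container and r.inner is None:
                level = max(level, r.threat_level)
        for ext in inner_files:
            r = rule_for(container, ext, rules)
            if r is not None:
                level = max(level, r.threat_level)
    return level

def should_quarantine(attachments, rules=RULES, threshold: int = 3) -> bool:
    """Quarantine when the Threat Level reaches the threshold (default 3);
    the at-or-above comparison is an assumption of this example."""
    return threat_level(attachments, rules) >= threshold
```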