Cisco Email Security Appliance C160 User Guide

Cisco IronPort AsyncOS 7.1 for Email Configuration Guide
OL-22158-02
Chapter 10: Virus Outbreak Filters
Types of Rules: Adaptive and Outbreak.
Prior to version 4.5, virus outbreak rules were based solely on file attachment 
types, so only one rule type (tied to attachment file type) was used. 
Beginning with AsyncOS version 4.5, two types of rules are used by Virus 
Outbreak Filters: Adaptive and Outbreak.
Outbreak Rules
Outbreak rules are generated by the IronPort Threat Operations Center (TOC), 
and focus on the message as a whole, rather than just attachment filetypes. 
Outbreak rules use SenderBase data (real time and historical traffic data) and any 
combination of message parameters such as attachment file type, file name 
keywords, or anti-virus engine update to recognize and prevent virus outbreaks in 
real time. Each Outbreak Rule is given a unique ID used to refer to the rule in various 
places in the GUI (such as the Outbreak quarantine).
Real-time data from the global SenderBase network is then compared to this 
baseline, identifying anomalies that are proven predictors of an outbreak. The 
IronPort Threat Operations Center (TOC) reviews the data and issues a threat 
indicator or Virus Threat Level (VTL). The VTL is a numeric value between 0 (no 
threat) and 5 (extremely risky), and measures the likelihood that a message 
contains a virus for which no other gateway defense is widely deployed by 
IronPort customers (for more information, see 
). VTLs are published as outbreak rules by the TOC.
Some example characteristics that can be combined in Outbreak Rules include:
- File Type, File Type & Size, File Type & File Name Keyword, etc.
- File Name Keyword & File Size
- File Name Keyword
- Message URL
- File Name & Sophos IDE
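
The following added example (not from the Cisco guide, and not AsyncOS's actual matching logic) models an outbreak rule as an AND of the characteristics listed above and reports the highest VTL among the rules a message matches. The rule IDs, field names, the size-bound and URL-substring semantics, and the choice of the highest VTL are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class OutbreakRule:
    rule_id: str                         # constructed ID, not a real TOC rule
    vtl: int                             # Virus Threat Level: 0 (no threat) to 5
    file_type: Optional[str] = None      # attachment extension, lower case
    name_keyword: Optional[str] = None   # keyword searched in the file name
    max_size: Optional[int] = None       # size bound in bytes (assumed semantics)
    url_substring: Optional[str] = None  # matched against message URLs (assumed)

    def matches(self, msg: dict) -> bool:
        """Every characteristic set on the rule must hold (logical AND)."""
        if self.url_substring is not None:
            if not any(self.url_substring in u.lower() for u in msg.get("urls", [])):
                return False
        if (self.file_type, self.name_keyword, self.max_size) == (None, None, None):
            return self.url_substring is not None  # an empty rule never matches
        # File conditions must all hold on the same attachment.
        return any(self._attachment_ok(a) for a in msg.get("attachments", []))

    def _attachment_ok(self, att: dict) -> bool:
        name = att["name"].lower()
        if self.file_type is not None and not name.endswith("." + self.file_type):
            return False
        if self.name_keyword is not None and self.name_keyword not in name:
            return False
        if self.max_size is not None and att["size"] > self.max_size:
            return False
        return True

def evaluate(msg: dict, rules: list) -> tuple:
    """Return (highest VTL, sorted IDs of matching rules); (0, []) if none match."""
    hits = [r for r in rules if r.matches(msg)]
    return (max((r.vtl for r in hits), default=0), sorted(r.rule_id for r in hits))

# Constructed rules and message, for illustration only.
RULES = [
    OutbreakRule("OUTBREAK-0001", vtl=3, file_type="zip"),
    OutbreakRule("OUTBREAK-0002", vtl=5, file_type="zip",
                 name_keyword="invoice", max_size=50_000),
    OutbreakRule("OUTBREAK-0003", vtl=4, url_substring="example.test/update"),
]
SAMPLE = {"attachments": [{"name": "Invoice_2031.zip", "size": 41_200}],
          "urls": ["http://example.org/help"]}

if __name__ == "__main__":
    print(evaluate(SAMPLE, RULES))
```
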
Adaptive Rules
Adaptive Rules are a set of rules within CASE that accurately compare message 
attributes to attributes of known viral and outbreak messages. These rules have 
been created after studying known viral messages and known good messages