Cisco Email Security Appliance C160 User Manual
Chapter 10 Virus Outbreak Filters
10-344
Cisco IronPort AsyncOS 7.1 for Email Configuration Guide
OL-22158-02
Note
If you click Clear Current Rules in the GUI or run vofflush from the CLI (which has
the same effect), you disable Outbreak Rules until the next time your IronPort
appliance is able to download a new set of scores from SenderBase. Adaptive Rules
are not cleared.
Updating Virus Outbreak Filter Rules
By default, your IronPort appliance attempts to download new outbreak rules every
5 minutes. You can change this interval on the Security Services > Service Updates
page. For more information, see .
Containers: Specific and Always Rules
Container files are files, such as zipped (.zip) archives, that contain other files.
The TOC can publish rules that deal with specific file types within a container file
type; the notation .zip(exe) denotes an .exe file inside a .zip archive.
For example, if the IronPort TOC identifies a virus outbreak that consists of a
.zip file containing a .exe, it publishes a specific Outbreak Rule that sets a threat
level for .exe files within .zip files (.zip(exe)) but does not set a threat level
for any other file type contained within .zip files (for example, .txt files). A
second, fallback rule (.zip(*)) covers all other file types within that container file
type. An Always rule for a container is always used in a message's VTL calculation
regardless of the types of files inside the container; the TOC publishes an Always
rule when all instances of that container type are known to be dangerous.
Table 10-3 Fallback Rules and Threat Level Scores

Outbreak Rule   Threat Level   Description
.zip(exe)       4              Sets a threat level of 4 for .exe files within .zip files.
.zip(doc)       0              Sets a threat level of 0 for .doc files within .zip files.
.zip(*)         2              Sets a threat level of 2 for any other file type within
                               .zip files (the fallback rule).

In this example, a .foo file within a .zip file is assigned a threat level of 2:
no specific .zip(foo) rule exists, so the .zip(*) fallback rule applies.
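The following Python model of the rule precedence described above is an added example; it is not AsyncOS code and does not reproduce how the appliance actually computes a message's VTL. The rule table is constructed from Table 10-3. Two things are assumptions of the example: an Always rule is represented by an inner file type of None, and the per-file levels (plus any Always rule) are combined by taking the highest one.

```python
"""Outbreak Rule resolution for container files (illustrative model).

Added example, not AsyncOS code. It implements the precedence the text
describes: a specific rule such as .zip(exe) beats the fallback .zip(*),
and an Always rule for a container type counts regardless of the files
inside it. The None key for Always rules and the max() combination are
assumptions made for this example.
"""

# Constructed rule table mirroring Table 10-3.
# Key: (container type, inner file type). "*" is the container's fallback
# rule; None marks an Always rule (assumed representation).
RULES = {
    ("zip", "exe"): 4,   # specific rule: .zip(exe)
    ("zip", "doc"): 0,   # specific rule: .zip(doc)
    ("zip", "*"): 2,     # fallback rule: .zip(*)
}


def file_threat_level(rules, container, inner_ext):
    """Level for one file of type inner_ext inside a container.

    A specific rule wins; otherwise the container's fallback (*) applies;
    None means no published rule covers this combination at all.
    """
    specific = rules.get((container, inner_ext))
    if specific is not None:
        return specific
    return rules.get((container, "*"))


def container_threat_level(rules, container, inner_exts):
    """Level contributed by one container holding the given inner files.

    Every contained file is resolved individually, an Always rule for the
    container type is added regardless of contents, and the highest level
    is kept (the max() combination is an assumption of this example).
    """
    levels = [file_threat_level(rules, container, ext) for ext in inner_exts]
    always = rules.get((container, None))
    if always is not None:
        levels.append(always)
    levels = [lvl for lvl in levels if lvl is not None]
    return max(levels) if levels else None


if __name__ == "__main__":
    # Walk through the rows of Table 10-3 plus the .foo fallback case.
    for ext in ("exe", "doc", "foo"):
        print(f".zip({ext}) -> {file_threat_level(RULES, 'zip', ext)}")
    print("zip containing doc+foo ->",
          container_threat_level(RULES, "zip", ["doc", "foo"]))
    # An Always rule (assumed representation) applies whatever the contents.
    always_rules = {**RULES, ("rar", None): 5}
    print("rar containing txt ->",
          container_threat_level(always_rules, "rar", ["txt"]))
```

Running the script resolves .zip(exe) to 4, .zip(doc) to 0 and .zip(foo) to 2 via the fallback, and shows that an Always rule raises a container's level even when no per-file rule exists for its contents.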