Cisco Email Security Appliance C160 User Guide

User Guide for AsyncOS 9.8 for Cisco Email Security Appliances
 
Chapter 15      Outbreak Filters
  Managing Outbreak Filters
Alternate Destination Mail Host
If you want to perform a content filter-based scan on the Outbreak Filter processed messages, you must 
configure the Outbreak Filter to send the processed messages back to an Email Security Appliance. This 
is because, in the processing pipeline, the Outbreak Filter scan is performed after the content filter scan.
In the Alternate Destination Mail Host field, enter the IP address (IPv4 or IPv6) or the FQDN of the 
appliance where you want to send the processed messages for further scans.
URL Rewriting and Bypassing Domains
If the message’s threat level exceeds the message modification threshold, the Outbreak Filters feature 
rewrites all URLs in the message to redirect the user to the Cisco web security proxy’s splash page if 
they click on any of them. (See 
 for more information.) If the message’s 
threat level exceeds the quarantine threshold, the appliance also quarantines the message. If a 
small-scale, non-viral outbreak is in progress, quarantining the message gives TOC time to analyze any suspect 
websites linked from possible outbreak messages and determine whether the websites are malicious. 
CASE uses updated Outbreak Rules from SIO to rescan the message to determine if it is part of the 
outbreak. After the retention period expires, the appliance releases the message from the quarantine.
AsyncOS rewrites all of the URLs inside a message except for the ones pointing to bypassed domains.
The following options are available for URL rewriting:
• Enable only for unsigned messages. This option allows AsyncOS to rewrite URLs in unsigned 
  messages that meet or exceed the message modification threshold, but not signed messages. Cisco 
  recommends using this setting for URL rewriting.

  Note: The Email Security appliance may rewrite URLs in a DomainKeys/DKIM-signed message and 
  invalidate the message’s signature if a server or appliance on your network other than the Email 
  Security appliance is responsible for verifying the DomainKeys/DKIM signature.

• Enable for all messages. This option allows AsyncOS to rewrite URLs in all messages that meet or 
  exceed the message modification threshold, including signed ones. If AsyncOS modifies a signed 
  message, the signature becomes invalid.

• Disable. This option disables URL rewriting for Outbreak Filters.
You can modify a policy to exclude URLs to certain domains from modification. To bypass domains, 
enter the IPv4 address, IPv6 address, CIDR range, hostname, partial hostname or domain in the Bypass 
Domain Scanning field. Separate multiple entries using commas.
The Bypass Domain Scanning feature is similar to, but independent of, the global whitelist used by URL 
filtering. For more information about that whitelist, see 
.
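Why rewriting a URL invalidates a DKIM signature, and why a message whose URLs all point to bypassed domains keeps it, shown as an added example that is not taken from the Cisco guide or from AsyncOS. The proxy URL format, the bypass matching rule (exact host or parent domain only) and the sample message are assumptions constructed for illustration; the body hash follows the relaxed canonicalization of RFC 6376.

```python
import base64
import hashlib
import re
from urllib.parse import quote, urlsplit

# Constructed placeholder; the appliance's real rewrite format is not shown on this page.
PROXY = "https://proxy.example.invalid/redirect?u="
URL_RE = re.compile(r"https?://[^\s<>]+")

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4: collapse whitespace runs, strip trailing
    whitespace on each line, drop trailing empty lines, end lines with CRLF."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """The value a DKIM verifier recomputes and compares with the bh= tag."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def bypassed(host: str, bypass: list) -> bool:
    # Assumption: exact host or parent-domain match; IP and CIDR entries are not modelled.
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in bypass)

def rewrite_urls(body: str, bypass: list) -> str:
    """Redirect every URL through the proxy unless its host is bypassed."""
    def repl(match):
        url = match.group(0)
        host = urlsplit(url).hostname or ""
        return url if bypassed(host, bypass) else PROXY + quote(url, safe="")
    return URL_RE.sub(repl, body)

def signature_survives(body: str, bypass: list) -> bool:
    """True if the body hash is unchanged after rewriting."""
    return body_hash(body.encode()) == body_hash(rewrite_urls(body, bypass).encode())

# Constructed sample message body with two URLs.
SAMPLE = ("Hello,\r\nReset here: http://login.example.net/reset  \r\n"
          "Docs: https://docs.example.com/guide\r\n\r\n")

if __name__ == "__main__":
    for bypass in ([], ["example.com"], ["example.com", "example.net"]):
        print(bypass, "-> signature survives:", signature_survives(SAMPLE, bypass))
```

A single rewritten URL is enough to change the hash, so a downstream DKIM verifier rejects the signature unless verification happens before the Outbreak Filter modifies the message.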
Threat Disclaimer
The Email Security appliance can add a disclaimer message above the heading of a suspicious 
message to warn the user of its content. This disclaimer can be in HTML or plain text, depending on the 
type of message.
Select the disclaimer text you want to use from the Threat Disclaimer list or click the Mail Policies > 
Text Resources link to create a new disclaimer using the Disclaimer Template. The Disclaimer Template 
includes variables for outbreak threat information. You can see a preview of the threat disclaimer by