Cisco Cisco Email Security Appliance C170 Guia Do Utilizador
14-6
Cisco AsyncOS 8.0.2 for Email User Guide
Chapter 14 Outbreak Filters
How Outbreak Filters Work
are published as Outbreak Rules by the TOC.
Some example characteristics that can be combined in Outbreak Rules include:
•
File Type, File Type & Size, File Type & File Name Keyword, etc.
•
File Name Keyword & File Size
•
File Name Keyword
•
Message URL
•
File Name & Sophos IDE
Adaptive Rules
Adaptive Rules are a set of rules within CASE that accurately compare message attributes to attributes
of known virus outbreak messages. These rules have been created after studying known threat messages
and known good messages within an extensive Cisco virus corpus. Adaptive Rules are updated often as
the corpus is evaluated. They complement existing Outbreak Rules to detect outbreak messages at all
times. While Outbreak Rules take effect when a possible outbreak is occurring, Adaptive Rules (once
enabled) are “always on,” catching outbreak messages locally before the full anomaly has formed on a
global basis. Additionally, Adaptive Rules continuously respond to small and subtle changes in email
traffic and structure, providing updated protection to customers.
of known virus outbreak messages. These rules have been created after studying known threat messages
and known good messages within an extensive Cisco virus corpus. Adaptive Rules are updated often as
the corpus is evaluated. They complement existing Outbreak Rules to detect outbreak messages at all
times. While Outbreak Rules take effect when a possible outbreak is occurring, Adaptive Rules (once
enabled) are “always on,” catching outbreak messages locally before the full anomaly has formed on a
global basis. Additionally, Adaptive Rules continuously respond to small and subtle changes in email
traffic and structure, providing updated protection to customers.
Outbreaks
A Outbreak Filter rule is basically a Threat Level (e.g. 4) associated with a set of characteristics for an
email message and attachment — things such as file size, file type, file name, message content, and so
on. For example, assume the Cisco SIO notices an increase in the occurrences of a suspicious email
message carrying a .exe attachment that is 143 kilobytes in size, and whose file name includes a specific
keyword (“hello” for example). An Outbreak Rule is published increasing the Threat Level for messages
matching this criteria. Your Cisco appliance checks for and downloads newly published Outbreak and
Adaptive Rules every 5 minutes by default (see
email message and attachment — things such as file size, file type, file name, message content, and so
on. For example, assume the Cisco SIO notices an increase in the occurrences of a suspicious email
message carrying a .exe attachment that is 143 kilobytes in size, and whose file name includes a specific
keyword (“hello” for example). An Outbreak Rule is published increasing the Threat Level for messages
matching this criteria. Your Cisco appliance checks for and downloads newly published Outbreak and
Adaptive Rules every 5 minutes by default (see
). Adaptive
Rules are updated less frequently than Outbreak Rules. On the Cisco appliance, you set a threshold for
quarantining suspicous messages. If the Threat Level for a message equals or exceeds the quarantine
threshold, the message is sent to the Outbreak quarantine area. You can also set up a threshold for
modifying non-viral threat messages to rewrite any URLs found in suspicious messages or add a
notification at the top of message body.
quarantining suspicous messages. If the Threat Level for a message equals or exceeds the quarantine
threshold, the message is sent to the Outbreak quarantine area. You can also set up a threshold for
modifying non-viral threat messages to rewrite any URLs found in suspicious messages or add a
notification at the top of message body.
Threat Levels
Table 14-1
Threat Level Definitions
Level
Risk
Meaning
0
None
There is no risk that the message is a threat.
1
Low
The risk that the message is a threat is low.
2
Low/Medium
The risk that the message is a threat is low to medium. It is a
“suspected” threat.
“suspected” threat.