Cisco Cisco Email Security Appliance C170 Guia Do Utilizador
14-7
Cisco AsyncOS 8.0.2 for Email User Guide
Chapter 14 Outbreak Filters
How Outbreak Filters Work
For more information about threat levels and outbreak rules, see
.
Guidelines for Setting Your Quarantine Threat Level Threshold
The quarantine threat level threshold allows administrators to be more or less aggressive in quarantining
suspicious messages. A low setting (1 or 2) is more aggressive and will quarantine more messages;
conversely, a higher score (4 or 5) is less aggressive and will only quarantine messages with an extremely
high likelihood of being malicious.
suspicious messages. A low setting (1 or 2) is more aggressive and will quarantine more messages;
conversely, a higher score (4 or 5) is less aggressive and will only quarantine messages with an extremely
high likelihood of being malicious.
The same threshold applies to both virus outbreaks and non-virus threats, but you can specify different
quarantine retention times for virus attacks and other threats. See
quarantine retention times for virus attacks and other threats. See
for
more information.
Cisco recommends the default value of 3.
Containers: Specific and Always Rules
Container files are files, such as zipped (.zip) archives, that contain other files. The TOC can publish
rules that deal with specific files within archive files.
rules that deal with specific files within archive files.
For example, if a virus outbreak is identified by TOC to consist of a .zip file containing a .exe, a specific
Outbreak Rule is published that sets a threat level for .exe files within .zip files (.zip(exe)), but does not
set a specific threat level for any other file type contained within .zip files (e.g. .txt files). A second rule
(.zip(*)) covers all other file types within that container file type. An Always rule for a container will
always be used in a message's Threat Level calculation regardless of the types of files that are inside a
container. An always rule will be published by the SIO if all such container types are known to be
dangerous.
Outbreak Rule is published that sets a threat level for .exe files within .zip files (.zip(exe)), but does not
set a specific threat level for any other file type contained within .zip files (e.g. .txt files). A second rule
(.zip(*)) covers all other file types within that container file type. An Always rule for a container will
always be used in a message's Threat Level calculation regardless of the types of files that are inside a
container. An always rule will be published by the SIO if all such container types are known to be
dangerous.
3
Medium
Either the message is part of a confirmed outbreak or there is a medium
to large risk of its content being a threat.
to large risk of its content being a threat.
4
High
Either the message is confirmed to be part of a large scale outbreak or
its content is very dangerous.
its content is very dangerous.
5
Extreme
The message’s content is confirmed to part of an outbreak that is either
extremely large scale or large scale and extremely dangerous.
extremely large scale or large scale and extremely dangerous.
Table 14-1
Threat Level Definitions (continued)
Level
Risk
Meaning
Table 14-2
Fallback Rules and Threat Level Scores
Outbreak Rule
Threat Level
Description
.zip(exe)
4
This rule sets a threat level of 4 for .exe files within .zip files.
.zip(doc)
0
This rule sets a threat level of 0 for .doc files within .zip files.
zip(*)
2
This rule sets a threat level of 2 for all .zip files, regardless of
the types of files they contain.
the types of files they contain.