Cisco Email Security Appliance C170 User Guide

14-9
Cisco AsyncOS 8.5.5 for Email Security User Guide
Chapter 14 Outbreak Filters
  How the Outbreak Filters Feature Works
monitor your anti-virus vendor’s updates and manually release or re-evaluate some messages in the 
Outbreak quarantine. When using Outbreak Filters without anti-virus scanning enabled, keep the 
following in mind:
• You should disable Adaptive Rules.
• Messages will be quarantined by Outbreak Rules.
• Messages will be released if the threat level is lowered or the retention time expires.
• Downstream anti-virus vendors (desktops/groupware) may catch the message on release.
Note
Anti-spam scanning needs to be enabled globally on an appliance in order for the Outbreak Filters 
feature to scan for non-viral threats.
Dynamic Quarantine
The Outbreak Filters feature's Outbreak quarantine is a temporary holding area that stores messages 
until they are confirmed to be threats or confirmed safe to deliver to users. (See  for more 
information.) Quarantined messages can be released from the Outbreak 
quarantine in several ways. As new rules are downloaded, messages in the Outbreak quarantine are 
reevaluated based on a recommended rescan interval calculated by CASE. If the revised threat level of 
a message falls under the quarantine retention threshold, the message will automatically be released 
(regardless of the Outbreak quarantine’s settings), thereby minimizing the time it spends in the 
quarantine. If new rules are published while messages are being re-evaluated, the rescan is restarted.
Please note that messages quarantined as virus attacks are not automatically released from the outbreak 
quarantine when new anti-virus signatures are available. New rules may or may not reference new 
anti-virus signatures; however, messages will not be released due to an anti-virus engine update unless 
an Outbreak Rule changes the threat level of the message to a score lower than your Threat Level 
Threshold.
Messages are also released from the Outbreak quarantine after CASE’s recommended retention period 
has elapsed. CASE calculates the retention period based on the message’s threat level. You can define 
separate maximum retention times for virus outbreaks and non-viral threats. If CASE’s recommended 
retention time exceeds the maximum retention time for the threat type, the Email Security appliance 
releases messages when the maximum retention time elapses. For viral messages the default maximum 
quarantine period is 1 day. The default period for quarantining non-viral threats is 4 hours. You can 
manually release messages from the quarantine.
The Email Security appliance also releases messages when the quarantine is full and more messages are 
inserted (this is referred to as overflow). Overflow only occurs when the Outbreak quarantine is at 100% 
capacity, and a new message is added to the quarantine. At this point, messages are released in the 
following order of priority:
1. Messages quarantined by Adaptive Rules (those scheduled to be released soonest are released first)
2. Messages quarantined by Outbreak Rules (those scheduled to be released soonest are released first)
Overflow releases stop the moment the Outbreak quarantine is below 100% capacity. For more 
information about how quarantine overflow is handled, see 
 an
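The three release paths described in this section (rescan against a lower threat level, expiry of the shorter of CASE's recommended retention and the configured maximum, and overflow in priority order) can be modelled as a small simulation. The following is an added illustration written for this page, not Cisco's code; the class and function names, the constructed sample messages, the 3-slot capacity and the threshold value are all assumptions chosen for the example, while the 1 day / 4 hour defaults come from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Default maximum retention per threat type as the guide states: 1 day viral, 4 hours non-viral.
MAX_RETENTION = {"viral": timedelta(days=1), "non-viral": timedelta(hours=4)}

@dataclass
class QuarantinedMessage:
    msg_id: str
    threat_type: str           # "viral" or "non-viral"
    rule_type: str             # "adaptive" or "outbreak": which rule quarantined it
    quarantined_at: datetime
    case_retention: timedelta  # CASE's recommended retention for this message

    def release_at(self) -> datetime:
        # CASE's recommendation is capped by the configured maximum for the threat type.
        return self.quarantined_at + min(self.case_retention, MAX_RETENTION[self.threat_type])

def released_on_rescan(new_level: int, threshold: int) -> bool:
    """Rescan against new Outbreak Rules: released only if the revised level falls below
    the Threat Level Threshold. A new anti-virus signature alone never releases a message."""
    return new_level < threshold

def add_with_overflow(quarantine: list, msg: QuarantinedMessage, capacity: int) -> list:
    """Insert a message; if the quarantine was at 100% capacity, release Adaptive Rule
    messages first, then Outbreak Rule messages (soonest release first), until below 100%."""
    overflow = len(quarantine) >= capacity
    quarantine.append(msg)
    released = []
    if not overflow:
        return released
    for victim in sorted(quarantine, key=lambda m: (m.rule_type != "adaptive", m.release_at())):
        if len(quarantine) < capacity:
            break
        quarantine.remove(victim)
        released.append(victim.msg_id)
    return released

def demo() -> dict:
    """Constructed sample scenario (not from the guide): a 3-slot quarantine already at capacity."""
    t0 = datetime(2024, 1, 1)
    viral = QuarantinedMessage("V1", "viral", "outbreak", t0, timedelta(days=3))
    q = [QuarantinedMessage(i, "non-viral", r, t0, timedelta(hours=h))
         for i, r, h in (("A", "adaptive", 2), ("B", "outbreak", 1), ("C", "adaptive", 3))]
    new = QuarantinedMessage("D", "non-viral", "outbreak", t0, timedelta(minutes=30))
    return {"viral_hours_held": (viral.release_at() - t0) / timedelta(hours=1),  # 72h capped to 24
            "rescan_release": released_on_rescan(new_level=2, threshold=3),
            "rescan_hold": released_on_rescan(new_level=3, threshold=3),
            "overflow_released": add_with_overflow(q, new, capacity=3),
            "remaining": [m.msg_id for m in q]}
```

Note that the newly inserted message D is not itself the first to go: both Adaptive Rule messages leave before any Outbreak Rule message, even though D is scheduled for release sooner than either of them.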