Cisco Email Security Appliance C170 User Guide

Cisco AsyncOS 8.0.1 for Email User Guide
Chapter 14      Outbreak Filters
  How Outbreak Filters Work
Based on the message’s threat level, CASE recommends a period of time to quarantine the message to 
prevent an outbreak. CASE also determines the rescan intervals so it can reevaluate the message based 
on updated Outbreak Rules from SIO. The higher the threat level, the more often it rescans the message 
while it is quarantined.
CASE also rescans messages when they’re released from the quarantine. A message can be quarantined 
again if CASE determines that it is spam or contains a virus upon rescan.
For more information about CASE, see .
Delaying Messages
The period between when an outbreak or email attack occurs and when software vendors release updated 
rules is when your network and your users are the most vulnerable. A modern virus can propagate 
globally and a malicious website can deliver malware or collect your users’ sensitive information during 
this period. Outbreak Filters protects your users and network by quarantining suspect messages for a 
limited period of time, giving Cisco and other vendors time to investigate the new outbreak.
When a virus outbreak occurs, suspicious messages with attachments are quarantined until updated 
Outbreak Rules and new anti-virus signatures prove the email’s attachment is clean or a virus.
Small-scale, non-viral threats contain URLs to malicious websites that may be online only for a short 
period of time, in order to evade detection by web security services, or that are hidden behind URL 
shortening services, which circumvent web security by putting a trustworthy website in the middle. By 
quarantining messages containing URLs that meet your threat level threshold, not only does CASE have 
the opportunity to reevaluate the message’s content based on updated Outbreak Rules from SIO, but the 
messages can remain in the quarantine long enough that the linked website may go offline or be blocked 
by a web security solution.
See  for more information on how Outbreak Filters quarantine suspicious messages.
Redirecting URLs
When CASE scans a message at the Outbreak Filters stage, it searches for URLs in the message body in 
addition to other suspicious content. CASE uses published Outbreak Rules to evaluate whether the 
message is a threat and then scores the message with the appropriate threat level. Depending on the threat 
level, Outbreak Filters protects the recipient by rewriting all the URLs to redirect the recipient to the 
Cisco web security proxy, except for URLs pointing to bypassed domains, and delaying the delivery of 
the message in order for TOC to learn more about the website if it appears to be part of a larger outbreak. 
See  for more information on bypassing URLs for trusted domains.
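The rewriting step described above, as an added illustration that is not Cisco's code and does not reproduce the appliance's actual rewriting format: every URL in a message whose threat level meets the configured threshold is replaced by a redirect through a web security proxy, except URLs whose host is (or is a subdomain of) a bypassed trusted domain. The proxy address, the bypass list and the sample message body are all constructed for this example.

```python
import re
from urllib.parse import quote, urlsplit

# Constructed for this illustration: the real Cisco web security proxy address
# and the appliance's exact rewriting format are not shown on this page.
PROXY_PREFIX = "https://web-proxy.example.invalid/redirect?url="

# Matches http/https URLs in a plain-text body; stops at whitespace and quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Punctuation that commonly trails a URL in running text and is not part of it.
_TRAILING = ".,;:!?)"


def host_is_bypassed(host, bypass_domains):
    """True if host equals, or is a subdomain of, any bypassed (trusted) domain.
    The suffix match is anchored on a dot so that 'corp.example.com.evil.test'
    does not match the bypass entry 'corp.example.com'."""
    host = host.lower().rstrip(".")
    for dom in bypass_domains:
        dom = dom.lower().strip(".")
        if host == dom or host.endswith("." + dom):
            return True
    return False


def rewrite_url(url, bypass_domains, proxy_prefix=PROXY_PREFIX):
    """Return the URL unchanged if its host is bypassed, otherwise a proxy
    redirect URL carrying the original target as a percent-encoded parameter."""
    host = urlsplit(url).hostname or ""
    if host_is_bypassed(host, bypass_domains):
        return url
    return proxy_prefix + quote(url, safe="")


def _rewrite_match(match, bypass_domains, proxy_prefix):
    url = match.group(0)
    trail = ""
    # Peel trailing sentence punctuation off the URL so it is not encoded.
    while url and url[-1] in _TRAILING:
        trail = url[-1] + trail
        url = url[:-1]
    return rewrite_url(url, bypass_domains, proxy_prefix) + trail


def rewrite_message_urls(body, threat_level, threshold, bypass_domains,
                         proxy_prefix=PROXY_PREFIX):
    """Rewrite every URL in body through the proxy when the message's threat
    level meets the configured threshold; lower-scored messages pass untouched."""
    if threat_level < threshold:
        return body
    return URL_RE.sub(
        lambda m: _rewrite_match(m, bypass_domains, proxy_prefix), body)


# Constructed sample message body (not taken from the guide).
SAMPLE_BODY = (
    "Your invoice is ready: http://short-link.example/3xAmpLe .\n"
    "Track your parcel at https://www.corp.example.com/track?id=42\n"
    "See also https://landing.example/offer, then reply."
)

if __name__ == "__main__":
    print(rewrite_message_urls(SAMPLE_BODY, threat_level=4, threshold=3,
                               bypass_domains=["corp.example.com"]))
```

Two design points carry over to any real deployment of this pattern: the bypass match must be anchored on a label boundary, otherwise a look-alike domain that merely ends with a trusted name escapes rewriting, and the original target must be percent-encoded in full so that a URL containing its own query string cannot smuggle extra parameters into the proxy request.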
After the Email Security appliance releases and delivers the message, any attempt by the recipient to 
access the website is redirected through the Cisco web security proxy. This is an external proxy hosted 
by Cisco that displays a splash screen that warns the user that the website may be dangerous, if the 
website is still operational. If the website has been taken offline, the splash screen displays an error 
message.
If the recipient decides to click the message’s URLs, the Cisco web security proxy displays a splash 
screen in the user’s web browser to warn the user about the content of the message.  shows 
an example of the splash screen warning. The recipient can either click Ignore this warning to continue 
on to the website or Exit to leave and safely close the browser window.