Cisco Email Security Appliance C170 User Guide

10-10
Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 10      Outbreak Filters
Messages are also released from the Outbreak quarantine after CASE’s recommended retention period 
has elapsed. CASE calculates the retention period based on the message’s threat level. You can define 
separate maximum retention times for virus outbreaks and non-viral threats. If CASE’s recommended 
retention time exceeds the maximum retention time for the threat type, the Email Security appliance 
releases messages when the maximum retention time elapses. For viral messages the default maximum 
quarantine period is 1 day. The default period for quarantining non-viral threats is 4 hours. You can 
manually release messages from the quarantine.
The Email Security appliance also releases messages when the quarantine is full and more messages are 
inserted (this is referred to as overflow). Overflow only occurs when the Outbreak quarantine is at 100% 
capacity, and a new message is added to the quarantine. At this point, messages are released in the 
following order of priority:
• Messages quarantined by Adaptive Rules (those scheduled to be released soonest are first)
• Messages quarantined by Outbreak Rules (those scheduled to be released soonest are first)
Overflow stops the moment the Outbreak quarantine is below 100% capacity. For more information 
about how quarantine overflow is handled, see the “Quarantines” chapter in the Cisco IronPort AsyncOS 
for Email Daily Management Guide.
Messages released from the Outbreak quarantine are scanned again by the anti-virus and anti-spam 
engines if those engines are enabled for the mail policy. If a released message is now marked as a known 
virus or spam, it becomes subject to your mail policy settings (including a possible second quarantining 
in the Virus quarantine or the Cisco IronPort Spam quarantine). For more information, see 
Thus it is important to note that in a message's lifetime, it may actually be quarantined twice — once 
due to the Outbreak Filters feature, and once when it is released from the Outbreak quarantine. A 
message will not be subject to a second quarantine if the verdicts from each scan (prior to Outbreak 
Filters, and when released from the Outbreak quarantine) match. Also note that the Outbreak Filters 
feature does not take any final actions on messages. The Outbreak Filters feature will either quarantine 
a message (for further processing) or move the message along to the next step in the pipeline.
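The retention cap, the overflow release order and the rescan-on-release behaviour described above, modelled in Python as an added example. This is not AsyncOS code: the default retention values come from this chapter, while the class names, the message-count capacity and the sample messages are assumptions constructed for illustration.

```python
"""Model of the Outbreak quarantine release behaviour described in this chapter.

Added example, not AsyncOS code: the retention cap, the overflow release
order and the rescan-on-release rule follow the text; the class names, the
message-count capacity and the sample retention values are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Default maximum retention per threat type, from the text: 1 day for
# virus outbreaks, 4 hours for non-viral threats (in seconds).
MAX_RETENTION = {"viral": 24 * 3600, "non-viral": 4 * 3600}


@dataclass
class Message:
    msg_id: str
    threat_type: str         # "viral" or "non-viral"
    rule_type: str           # "adaptive" or "outbreak" (the rule that quarantined it)
    case_retention: int      # CASE's recommended retention, seconds
    quarantined_at: int = 0  # assumed clock, seconds
    release_at: int = field(init=False)

    def __post_init__(self) -> None:
        # CASE's recommendation is capped by the maximum for the threat type.
        cap = MAX_RETENTION[self.threat_type]
        self.release_at = self.quarantined_at + min(self.case_retention, cap)


class OutbreakQuarantine:
    def __init__(self, capacity: int) -> None:
        self.capacity = capacity  # assumption: capacity modelled as a message count
        self.held: List[Message] = []

    def insert(self, msg: Message) -> List[Message]:
        """Insert a message; returns the messages released by overflow, if any."""
        released: List[Message] = []
        self.held.append(msg)
        # Overflow only happens when the quarantine was at 100% and a new message
        # arrived; it stops as soon as the quarantine is no longer over capacity.
        while len(self.held) > self.capacity:
            victim = self._overflow_victim()
            self.held.remove(victim)
            released.append(victim)
        return released

    def _overflow_victim(self) -> Message:
        # Priority: Adaptive Rule messages first, then Outbreak Rule messages;
        # within each group, the one scheduled to be released soonest.
        adaptive = [m for m in self.held if m.rule_type == "adaptive"]
        pool = adaptive if adaptive else self.held
        return min(pool, key=lambda m: m.release_at)

    def release_expired(self, now: int) -> List[Message]:
        """Release every message whose (capped) retention period has elapsed."""
        due = [m for m in self.held if m.release_at <= now]
        for m in due:
            self.held.remove(m)
        return due


def post_release_action(pre_verdict: str, post_verdict: str) -> str:
    """Outbreak Filters take no final action: a released message is rescanned by
    anti-virus/anti-spam. Matching verdicts mean no second quarantine; a new
    virus or spam verdict hands the message to the mail policy (here: quarantine)."""
    if post_verdict == pre_verdict:
        return "continue"
    if post_verdict == "virus":
        return "virus-quarantine"
    if post_verdict == "spam":
        return "spam-quarantine"
    return "continue"


def demo() -> Dict[str, object]:
    # Constructed sample messages, all quarantined at t=0.
    q = OutbreakQuarantine(capacity=3)
    m1 = Message("m1", "viral", "outbreak", case_retention=3 * 24 * 3600)  # capped to 1 day
    m2 = Message("m2", "non-viral", "adaptive", case_retention=2 * 3600)   # 2 h, under the 4 h cap
    m3 = Message("m3", "non-viral", "outbreak", case_retention=3600)       # due soonest of all
    for m in (m1, m2, m3):
        q.insert(m)
    # The quarantine is now at 100%; a fourth message triggers overflow.
    m4 = Message("m4", "viral", "adaptive", case_retention=3 * 3600)
    overflow = [m.msg_id for m in q.insert(m4)]
    expired_1h = [m.msg_id for m in q.release_expired(now=3600)]
    expired_1d = [m.msg_id for m in q.release_expired(now=24 * 3600)]
    return {
        "release_at": {m.msg_id: m.release_at for m in (m1, m2, m3, m4)},
        "overflow": overflow,      # m2: adaptive-rule message due soonest, although m3 is due earlier
        "expired_1h": expired_1h,  # m3
        "expired_1d": expired_1d,  # m1 (capped from 3 days to 1 day) and m4
        "rescan": post_release_action("clean", "virus"),
    }
```

Note that overflow releases the Adaptive Rule message m2 before the Outbreak Rule message m3 even though m3 is scheduled for release sooner, which is the ordering the list above specifies; the capacity is modelled as a message count only because the text does not say how capacity is measured.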
Outbreak Lifecycle and Rules Publishing
Very early in a virus outbreak’s lifecycle, broader rules are used to quarantine messages. As more 
information becomes available, increasingly focused rules are published, narrowing the definition of 
what is quarantined. As the new rules are published, messages that are no longer considered possible 
virus messages are released from quarantine (messages in the outbreak quarantine are rescanned as new 
rules are published).
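The rule-narrowing behaviour described above, as an added example that is not part of this guide or of AsyncOS: a broad adaptive rule (assumed here to be "any archive attachment") quarantines messages at T=0; when the narrower outbreak rule from Table 10-3 (a .zip containing a .exe) is published, the quarantine is rescanned and messages that no longer match are released. The attachments and message IDs are constructed in memory; the nested-zip depth and size limits are assumptions.

```python
"""Rule narrowing in the Outbreak quarantine, as an added example (not AsyncOS code).

A broad adaptive rule (T=0) is replaced by the narrower outbreak rule from
Table 10-3 (T=5 min, ".zip containing a .exe"); the quarantine is rescanned
and messages that no longer match are released. Attachments are constructed
in memory; the adaptive-rule predicate and the nesting limits are assumptions.
"""
import io
import zipfile
from typing import Callable, Dict, List, Tuple

Attachment = Tuple[str, bytes]          # (filename, content)
Rule = Callable[[List[Attachment]], bool]


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build a zip archive in memory from {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def zip_contains_exe(data: bytes, depth: int = 0, max_depth: int = 3) -> bool:
    """True if the archive lists a .exe member, descending into nested zips.
    Only the central directory is consulted; nothing is extracted to disk.
    max_depth and the 1 MB nested-archive limit are assumed values."""
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(".exe"):
                return True
            if name.endswith(".zip") and info.file_size <= 1_000_000:
                if zip_contains_exe(zf.read(info), depth + 1, max_depth):
                    return True
    return False


def adaptive_rule(atts: List[Attachment]) -> bool:
    """T=0 broad rule (assumed): any archive attachment is suspicious."""
    return any(zipfile.is_zipfile(io.BytesIO(d)) for _, d in atts)


def outbreak_rule(atts: List[Attachment]) -> bool:
    """T=5 min rule from Table 10-3: a .zip attachment that contains a .exe."""
    return any(zip_contains_exe(d) for n, d in atts if n.lower().endswith(".zip"))


def rescan(quarantine: Dict[str, List[Attachment]], rule: Rule) -> Tuple[List[str], List[str]]:
    """Apply the newest published rule to every held message; return (held, released)."""
    held = [mid for mid, atts in quarantine.items() if rule(atts)]
    released = [mid for mid in quarantine if mid not in held]
    return held, released


def demo() -> Dict[str, List[str]]:
    # Constructed sample messages: message ID -> attachments.
    messages = {
        "m1": [("invoice.zip", make_zip({"invoice.exe": b"MZ..."}))],
        "m2": [("photos.zip", make_zip({"a.jpg": b"\xff\xd8", "b.jpg": b"\xff\xd8"}))],
        "m3": [("report.pdf", b"%PDF-1.4 ...")],
        "m4": [("archive.zip", make_zip({"inner.zip": make_zip({"setup.exe": b"MZ"})}))],
    }
    # T=0: the broad adaptive rule quarantines every message carrying an archive.
    held0 = {mid: atts for mid, atts in messages.items() if adaptive_rule(atts)}
    # T=5 min: the narrower outbreak rule is published and the quarantine is rescanned.
    held5, released5 = rescan(held0, outbreak_rule)
    return {
        "t0_quarantined": sorted(held0),   # m1, m2, m4
        "t5_held": sorted(held5),          # m1, m4 (m4 hides the .exe one level down)
        "t5_released": sorted(released5),  # m2: a zip of images no longer matches
    }
```

The nested-archive case (m4) is included because a rule that only looks at top-level member names would release it on rescan; the depth and size limits keep a hostile archive from turning the check into a decompression bomb.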
Table 10-3 Example Rules for an Outbreak Lifecycle

Time    | Rule Type                               | Rule Description                                                                                                     | Action
T=0     | Adaptive Rule (based on past outbreaks) | A consolidated rule set based on over 100K message attributes, which analyzes message content, context and structure | Messages are automatically quarantined if they match Adaptive Rules
T=5 min | Outbreak Rule                           | Quarantine messages containing .zip (exe) files                                                                      | Quarantine all attachments that are .zips containing a .exe