Cisco Email Security Appliance C170 User Guide
Chapter 10      Outbreak Filters
10-10
Cisco IronPort AsyncOS 7.5 for Email Configuration Guide
OL-25136-01
Adaptive Rules
Adaptive Rules are a set of rules within CASE that accurately compare message 
attributes to attributes of known virus outbreak messages. These rules have been 
created after studying known threat messages and known good messages within 
an extensive Cisco IronPort virus corpus. Adaptive Rules are updated often as the 
corpus is evaluated. They complement existing Outbreak Rules to detect outbreak 
messages at all times. While Outbreak Rules take effect when a possible outbreak 
is occurring, Adaptive Rules (once enabled) are “always on,” catching outbreak 
messages locally before the full anomaly has formed on a global basis. 
Additionally, Adaptive Rules continuously respond to small and subtle changes in 
email traffic and structure, providing updated protection to customers.
Outbreaks
An Outbreak Filter rule is basically a Threat Level (e.g. 4) associated with a set of 
characteristics for an email message and attachment: things such as file size, 
file type, file name, message content, and so on. For example, assume the Cisco 
IronPort SIO notices an increase in the occurrences of a suspicious email message 
carrying a .exe attachment that is 143 kilobytes in size, and whose file name 
includes a specific keyword (“hello” for example). An Outbreak Rule is published 
increasing the Threat Level for messages matching these criteria. Your Cisco 
IronPort appliance checks for and downloads newly published Outbreak and 
Adaptive Rules every 5 minutes by default (see ). Adaptive Rules are updated 
less frequently than Outbreak Rules. On the Cisco IronPort appliance, you set a 
threshold for quarantining suspicious messages. If the Threat Level for a message 
equals or exceeds the quarantine threshold, the message is sent to the Outbreak 
quarantine area. You can also set up a threshold for modifying non-viral threat 
messages to rewrite any URLs found in suspicious messages or add a notification 
at the top of the message body.
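The following Python model is an added illustration of the rule-and-threshold logic described above; it is not Cisco code and does not reproduce AsyncOS internals. The rule set, the message samples, the quarantine threshold of 4, the modify threshold of 3, and the URL-rewrite proxy address are all constructed assumptions.

```python
"""Toy model of Outbreak Filter scoring and threshold handling (constructed example)."""
import re
from dataclasses import dataclass

@dataclass
class OutbreakRule:
    name: str
    threat_level: int        # e.g. 4, as in the text
    extensions: frozenset    # attachment file types the rule fires on
    size_range_kb: tuple     # (min_kb, max_kb) window for the attachment size
    name_keywords: tuple = ()  # substrings expected in the attachment file name
    viral: bool = True       # False = non-viral threat, eligible for "modify"

@dataclass
class Message:
    attachment_name: str
    attachment_kb: int
    body: str

def rule_matches(rule: OutbreakRule, msg: Message) -> bool:
    """True when file type, size window and file-name keywords all match."""
    name = msg.attachment_name.lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    lo, hi = rule.size_range_kb
    return (ext in rule.extensions and lo <= msg.attachment_kb <= hi
            and all(k in name for k in rule.name_keywords))

def score(rules, msg: Message):
    """(threat_level, viral) of the highest matching rule; (0, False) if none match."""
    hits = [r for r in rules if rule_matches(r, msg)]
    if not hits:
        return 0, False
    top = max(hits, key=lambda r: r.threat_level)
    return top.threat_level, top.viral

def disposition(level: int, viral: bool, quarantine_threshold: int, modify_threshold: int) -> str:
    """Quarantine at/above the quarantine threshold; modify non-viral threats at/above the modify threshold."""
    if level >= quarantine_threshold:
        return "quarantine"
    if not viral and level >= modify_threshold:
        return "modify"
    return "deliver"

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def modify_message(msg: Message, proxy="https://proxy.example.invalid/?u=",
                   note="[Notice: this message may be a scam or phishing attempt]") -> str:
    """Rewrite every URL through a (placeholder) proxy and prepend a notification to the body."""
    return note + "\n" + URL_RE.sub(lambda m: proxy + m.group(0), msg.body)

# Constructed rules: the text's .exe/143 KB/"hello" example (viral) and a non-viral phishing rule.
RULES = [
    OutbreakRule("exe-hello", 4, frozenset({"exe"}), (140, 146), ("hello",), True),
    OutbreakRule("phish-pdf", 3, frozenset({"pdf"}), (0, 10_000), (), False),
]
```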