Cisco Email Security Appliance C170 User Guide

User Guide for AsyncOS 9.8 for Cisco Email Security Appliances
 
Chapter 9: Using Message Filters to Enforce Email Policies
Attachment Scanning
Image Analysis
Some messages contain images that you may wish to scan for inappropriate content. You can use the 
image analysis engine to search for inappropriate content in email. Image analysis is not designed to 
supplement or replace your anti-virus and anti-spam scanning engines. Its purpose is to enforce 
acceptable use by identifying inappropriate content in email. Use the image analysis scanning engine to 
quarantine and analyze mail and to detect trends. 
After you configure your appliance for image analysis, you can use image analysis filter rules to perform 
actions on suspect or inappropriate emails. Image scanning allows you to scan the following types of 
attached files: BMP, JPG, TIF, PNG, GIF, TGA, and PCX. The image analyzer uses algorithms that 
measure skin color, body size and curvature to determine the probability that the graphic contains 
inappropriate content. When you scan image attachments, Cisco fingerprinting determines the file type, 
and the image analyzer uses algorithms to analyze the image content. If the image is embedded in 
another file, the Content Scanner extracts the file. The image analysis verdict is computed on the 
message as a whole. If the message does not include any images, the message receives a score of "0", 
which maps to a "clean" verdict.
Configuring the Image Analysis Scanning Engine
To enable image analysis from the GUI:
Procedure
Step 1  Go to Security Services > IronPort Image Analysis.
Step 2  Click Enable.
        A success message displays, and the verdict settings display.
Table 9-8 Message Filter Actions for Attachment Filtering (continued)

| Action | Syntax | Description |
|---|---|---|
| Drop Attachments by Size | drop-attachments-by-size(<number>[, <optional comment>]) | Drops all attachments on the message that, in raw encoded form, are equal to or greater than the size (in bytes) given. Note that for archive or compressed files, this action does not examine the uncompressed size, but rather the size of the actual attachment itself. |
| Attachment Scanning | drop-attachments-where-contains(<regular expression>[, <optional comment>]) | Drops all attachments on message that contain the regular expression. Archive files (zip, tar) will be dropped if any of the files they contain match the regular expression pattern. |
| Drop Attachments by Dictionary Matches | drop-attachments-where-dictionary-match(<dictionary name>) | This filter action strips attachments based on matches to dictionary terms. If the terms in the MIME parts considered to be an attachment match a dictionary term (and the user-defined threshold is met), the attachment is stripped from the email. See . |
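
The size comparison described for drop-attachments-by-size, modelled in Python as an added example (not Cisco's code and not the appliance's implementation): it reports each attachment's transfer-encoded size, its decoded size and, for zip files, the uncompressed total, so you can see which figure a byte threshold is compared against. The sample message, file names and the 4000-byte limit are constructed, and counting base64 line breaks toward the encoded size is an assumption.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

def build_sample() -> bytes:
    """Constructed message: a 3072-byte binary file and a zip of 1,000,000 'A' bytes."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment(bytes(range(256)) * 12, maintype="application",
                       subtype="octet-stream", filename="report.bin")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("filler.txt", b"A" * 1_000_000)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="archive.zip")
    return msg.as_bytes()

def attachment_sizes(raw: bytes) -> dict:
    """Map filename -> (encoded_size, decoded_size, uncompressed_size) in bytes."""
    sizes = {}
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if name is None:              # body text and multipart containers
            continue
        # Assumption: "raw encoded form" is the base64 body as transmitted.
        encoded = len(part.get_payload().encode("ascii"))
        data = part.get_payload(decode=True)
        unpacked = len(data)
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                unpacked = sum(info.file_size for info in zf.infolist())
        sizes[name] = (encoded, len(data), unpacked)
    return sizes

def dropped_by_size(raw: bytes, limit: int) -> list:
    """Attachments whose encoded size is >= limit (the table's comparison)."""
    return [n for n, (enc, _, _) in attachment_sizes(raw).items() if enc >= limit]

if __name__ == "__main__":
    sample = build_sample()
    for name, (enc, dec, unp) in attachment_sizes(sample).items():
        print(f"{name}: encoded={enc} decoded={dec} uncompressed={unp}")
    print("dropped at 4000 bytes:", dropped_by_size(sample, 4000))
```

With a 4000-byte limit the 3072-byte file is dropped because base64 adds roughly a third to its size, while the zip that unpacks to 1,000,000 bytes is kept, so set the threshold with encoding overhead in mind and handle archive contents with a separate control.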