Cisco Cisco Email Security Appliance C170 Guia Do Utilizador
15-7
User Guide for AsyncOS 9.8 for Cisco Email Security Appliances
Chapter 15 Outbreak Filters
How Outbreak Filters Work
•
File Name & Sophos IDE
Adaptive Rules
Adaptive Rules are a set of rules within CASE that accurately compare message attributes to attributes
of known virus outbreak messages. These rules have been created after studying known threat messages
and known good messages within an extensive virus corpus. Adaptive Rules are updated often as the
corpus is evaluated. They complement existing Outbreak Rules to detect outbreak messages at all times.
While Outbreak Rules take effect when a possible outbreak is occurring, Adaptive Rules (once enabled)
are “always on,” catching outbreak messages locally before the full anomaly has formed on a global
basis. Additionally, Adaptive Rules continuously respond to small and subtle changes in email traffic
and structure, providing updated protection to customers.
of known virus outbreak messages. These rules have been created after studying known threat messages
and known good messages within an extensive virus corpus. Adaptive Rules are updated often as the
corpus is evaluated. They complement existing Outbreak Rules to detect outbreak messages at all times.
While Outbreak Rules take effect when a possible outbreak is occurring, Adaptive Rules (once enabled)
are “always on,” catching outbreak messages locally before the full anomaly has formed on a global
basis. Additionally, Adaptive Rules continuously respond to small and subtle changes in email traffic
and structure, providing updated protection to customers.
Outbreaks
A Outbreak Filter rule is basically a Threat Level (e.g. 4) associated with a set of characteristics for an
email message and attachment — things such as file size, file type, file name, message content, and so
on. For example, assume the Cisco SIO notices an increase in the occurrences of a suspicious email
message carrying a .exe attachment that is 143 kilobytes in size, and whose file name includes a specific
keyword (“hello” for example). An Outbreak Rule is published increasing the Threat Level for messages
matching this criteria. Your appliance checks for and downloads newly published Outbreak and Adaptive
Rules every 5 minutes by default (see
email message and attachment — things such as file size, file type, file name, message content, and so
on. For example, assume the Cisco SIO notices an increase in the occurrences of a suspicious email
message carrying a .exe attachment that is 143 kilobytes in size, and whose file name includes a specific
keyword (“hello” for example). An Outbreak Rule is published increasing the Threat Level for messages
matching this criteria. Your appliance checks for and downloads newly published Outbreak and Adaptive
Rules every 5 minutes by default (see
). Adaptive Rules are
updated less frequently than Outbreak Rules. On the appliance, you set a threshold for quarantining
suspicious messages. If the Threat Level for a message equals or exceeds the quarantine threshold, the
message is sent to the Outbreak quarantine area. You can also set up a threshold for modifying non-viral
threat messages to rewrite any URLs found in suspicious messages or add a notification at the top of
message body.
suspicious messages. If the Threat Level for a message equals or exceeds the quarantine threshold, the
message is sent to the Outbreak quarantine area. You can also set up a threshold for modifying non-viral
threat messages to rewrite any URLs found in suspicious messages or add a notification at the top of
message body.
Threat Levels
provides a basic set of guidelines or definitions for each of the various levels.
For more information about threat levels and outbreak rules, see
.
Table 15-1
Threat Level Definitions
Level
Risk
Meaning
0
None
There is no risk that the message is a threat.
1
Low
The risk that the message is a threat is low.
2
Low/Medium
The risk that the message is a threat is low to medium. It is a
“suspected” threat.
“suspected” threat.
3
Medium
Either the message is part of a confirmed outbreak or there is a medium
to large risk of its content being a threat.
to large risk of its content being a threat.
4
High
Either the message is confirmed to be part of a large scale outbreak or
its content is very dangerous.
its content is very dangerous.
5
Extreme
The message’s content is confirmed to part of an outbreak that is either
extremely large scale or large scale and extremely dangerous.
extremely large scale or large scale and extremely dangerous.