14-3
Cisco AsyncOS 9.1 for Email User Guide
Chapter 14      Outbreak Filters
How Outbreak Filters Work
Related Topics
Virus Outbreaks
The Outbreak Filters feature gives you a head start in battling virus outbreaks. An outbreak 
occurs when messages with attachments containing never-before-seen viruses, or variants of existing 
viruses, spread quickly through private networks and the Internet. As these new viruses or variants hit the 
Internet, the most critical period is the window between the time the virus is released and the time the 
anti-virus vendors release an updated virus definition. Advance notice, even a few hours, 
is vital to curbing the spread of the malware. During that vulnerability window, the newly found 
virus can propagate globally, bringing email infrastructure to a halt.
Phishing, Malware Distribution, and Other Non-Viral Threats
Messages containing non-viral threats are designed to look like messages from a legitimate source and 
are often sent to a small number of recipients. To appear trustworthy, these messages may have one or more 
of the following characteristics:
The recipient’s contact information.
HTML content designed to mimic emails from legitimate sources, such as social networks and 
online retailers.
URLs pointing to websites that have new IP addresses and are online only for a short time, which 
means that email and web security services do not have enough information on the website to 
determine if it is malicious. 
URLs pointing to URL shortening services.
All of these characteristics make these messages more difficult to detect as spam. The Outbreak Filters 
feature provides a multi-layer defense from these non-viral threats to prevent your users from 
downloading malware or providing personal information to suspicious new websites. 
If the Context Adaptive Scanning Engine (CASE) discovers URLs in the message, it compares the message to the 
existing Outbreak Rules to determine whether the message is part of a small-scale non-viral outbreak, and then 
assigns a threat level. Depending on the threat level, the Email Security appliance delays delivery to the 
recipient until more threat data can be gathered, and rewrites the URLs in the message so that a recipient who 
attempts to access the website is redirected to the Cisco web security proxy. The proxy displays a splash page 
warning the user that the website may contain malware.
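The delay-and-rewrite decision described above, as an added example in Python. This is not Cisco's code and does not reproduce the real Outbreak Rules: the rule set (shortener domains, recently seen domains, trusted domains), the 0 to 5 threat scale, the hold-time table, the rewrite threshold and the proxy prefix `https://proxy.example/redirect?url=` are all constructed assumptions, as is the sample message. What it shows is the shape of the pipeline: extract URLs from every text part, score them, take the highest score as the message's threat level, hold the message for a time that depends on that level, and rewrite every URL so that a click lands on a proxy that can interpose a warning page.

```python
"""Simplified model of holding and URL-rewriting a message based on a threat level.
Illustrative only: rules, threat scale, delay table and proxy URL are constructed
assumptions, not Cisco's Outbreak Rules or its web security proxy."""
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from urllib.parse import quote, urlparse

# Constructed stand-ins for Outbreak Rules (assumption, not Cisco's rule set).
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co"}
RECENTLY_SEEN_DOMAINS = {"account-verify-now.example"}  # new site with no reputation data yet
TRUSTED_DOMAINS = {"www.example-bank.com"}

# Constructed threat scale 0..5, hours to hold the message per level, and the
# level from which URLs are rewritten. All assumptions for illustration.
DELAY_HOURS = {0: 0, 1: 0, 2: 1, 3: 4, 4: 12, 5: 24}
REWRITE_AT_OR_ABOVE = 3

# Hypothetical proxy; the real splash-page proxy URL format is not given on the page.
PROXY_PREFIX = "https://proxy.example/redirect?url="

# Stops at whitespace, quotes and angle brackets so href="..." values are captured cleanly.
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


@dataclass
class Verdict:
    threat_level: int
    delay_hours: int
    rewritten: bool
    bodies: list = field(default_factory=list)  # text parts after processing


def text_parts(msg: Message):
    """Yield (part, decoded text) for every text/plain or text/html part."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            yield part, raw.decode(part.get_content_charset() or "utf-8", "replace")


def score_url(url: str) -> int:
    """Assign a threat level to a single URL from the constructed rules."""
    host = (urlparse(url).hostname or "").lower()
    if host in TRUSTED_DOMAINS:
        return 0
    if host in RECENTLY_SEEN_DOMAINS:
        return 4  # reputation services have too little data on a brand-new site
    if host in SHORTENER_DOMAINS:
        return 3  # the shortener hides the real destination
    return 1      # unknown but established host: low


def rewrite_url(url: str) -> str:
    """Wrap the URL so the click reaches the proxy, which can show a warning page."""
    return PROXY_PREFIX + quote(url, safe="")


def process_message(raw_message: str) -> Verdict:
    """Score the message, decide the hold time, and rewrite URLs if the level warrants it."""
    msg = message_from_string(raw_message)
    parts = list(text_parts(msg))
    urls = [u for _, text in parts for u in URL_RE.findall(text)]
    if not urls:
        return Verdict(0, 0, False, [text for _, text in parts])
    level = max(score_url(u) for u in urls)
    rewrite = level >= REWRITE_AT_OR_ABOVE
    bodies = [
        URL_RE.sub(lambda m: rewrite_url(m.group(0)), text) if rewrite else text
        for _, text in parts
    ]
    return Verdict(level, DELAY_HOURS[level], rewrite, bodies)


# Constructed sample: a phishing-style message with one shortened link and one trusted link.
SAMPLE = """From: "Example Bank" <alerts@example-bank.com>
To: user@example.org
Subject: Verify your account
Content-Type: text/html; charset=utf-8

<p>Please <a href="https://bit.ly/3xYz">confirm your details</a> or visit
<a href="https://www.example-bank.com/help">our help page</a>.</p>
"""

if __name__ == "__main__":
    verdict = process_message(SAMPLE)
    print(verdict.threat_level, verdict.delay_hours, verdict.rewritten)
    print(verdict.bodies[0])
```

Two design points are worth noting. The message's level is the maximum over its URLs, so one suspicious link is enough to hold the whole message, which matches the conservative behaviour the text describes. And when rewriting is triggered, every URL is rewritten, including the trusted one, because the page says the URLs in the message are rewritten; a deployment that wanted to leave trusted links untouched would filter on `score_url` per URL instead.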
Cisco Security Intelligence Operations
Cisco Security Intelligence Operations (SIO) is a security ecosystem that connects global threat 
information, reputation-based services, and sophisticated analysis to Cisco security appliances to 
provide stronger protection with faster response times.
SIO consists of three components:
SenderBase. The world’s largest threat monitoring network and vulnerability database.
Threat Operations Center (TOC). A global team of security analysts and automated systems that 
extract actionable intelligence from the data gathered by SenderBase.
Dynamic Update. Real-time updates automatically delivered to appliances as outbreaks occur.