User Guide for Cisco Email Security Appliance C160
User Guide for AsyncOS 9.8 for Cisco Email Security Appliances
Chapter 15 Outbreak Filters
Outbreak Lifecycle and Rules Publishing
Very early in a virus outbreak's life cycle, broader rules are used to quarantine messages. As more information becomes available, increasingly focused rules are published, narrowing the definition of what is quarantined. As the new rules are published, messages that are no longer considered possible virus messages are released from quarantine (messages in the outbreak quarantine are rescanned as new rules are published).
Managing Outbreak Filters
Log in to the Graphical User Interface (GUI), select Security Services in the menu, and click Outbreak Filters.
Table 15-3 Example Rules for an Outbreak Lifecycle

| Time | Rule Type | Rule Description | Action |
|------|-----------|------------------|--------|
| T=0 | Adaptive Rule (based on past outbreaks) | A consolidated rule set based on over 100K message attributes, which analyzes message content, context and structure | Messages are automatically quarantined if they match Adaptive Rules |
| T=5 min | Outbreak Rule | Quarantine messages containing .zip (exe) files | Quarantine all attachments that are .zips containing a .exe |
| T=10 min | Outbreak Rule | Quarantine messages that have .zip (exe) files greater than 50 KB | Any message with .zip (exe) files that are less than 50 KB would be released from quarantine |
| T=20 min | Outbreak Rule | Quarantine messages that have .zip (exe) files between 50 to 55 KB, and have "Price" in the file name | Any message that does not match these criteria would be released from quarantine |
| T=12 hours | Outbreak Rule | Scan against new signature | All remaining messages are scanned against the latest anti-virus signature |
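As an added illustration of the rescan-on-publish behaviour described in the lifecycle paragraph and in Table 15-3 (example code written for this page, not Cisco's or AsyncOS's own logic), the following Python models the T=5, T=10 and T=20 minute Outbreak Rules as predicates over constructed message attributes and shows which quarantined messages are released each time a narrower rule is published. The Message fields, the inclusive 50 to 55 KB boundary and the sample messages are assumptions; the T=0 Adaptive Rules and the T=12 hour signature scan are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """Constructed attachment attributes for one message (hypothetical fields, not an ESA record)."""
    msg_id: str
    zip_contains_exe: bool   # attachment is a .zip that contains a .exe
    size_kb: int             # size of that .zip attachment in KB
    filename: str            # attachment file name


# Hypothetical predicates standing in for the Outbreak Rules of Table 15-3.
def rule_t5(m: Message) -> bool:    # T=5 min: any .zip containing a .exe
    return m.zip_contains_exe


def rule_t10(m: Message) -> bool:   # T=10 min: .zip (exe) greater than 50 KB
    return m.zip_contains_exe and m.size_kb > 50


def rule_t20(m: Message) -> bool:   # T=20 min: 50 to 55 KB (assumed inclusive) with "Price" in the name
    return m.zip_contains_exe and 50 <= m.size_kb <= 55 and "Price" in m.filename


RULE_TIMELINE = [("T=5 min", rule_t5), ("T=10 min", rule_t10), ("T=20 min", rule_t20)]

# Constructed sample messages, all assumed to arrive before the first Outbreak Rule is published.
SAMPLE_MESSAGES = [
    Message("m1", True, 30, "Invoice.zip"),     # held at T=5, released at T=10 (under 50 KB)
    Message("m2", True, 52, "Price_list.zip"),  # matches every narrower rule, stays held
    Message("m3", True, 80, "Report.zip"),      # released at T=20 (outside 50 to 55 KB)
    Message("m4", False, 10, "Notes.pdf"),      # never quarantined (no .zip with .exe)
    Message("m5", True, 53, "Agenda.zip"),      # released at T=20 (no "Price" in name)
]


def rescan_quarantine(messages, timeline=RULE_TIMELINE):
    """Quarantine under the first published rule, then rescan the quarantine at each later
    publication, releasing messages the narrower rule no longer matches.
    Returns (release_log, still_held): publish time -> released ids, and ids still quarantined."""
    _, first_rule = timeline[0]
    held = [m for m in messages if first_rule(m)]
    release_log = {}
    for label, rule in timeline[1:]:
        release_log[label] = [m.msg_id for m in held if not rule(m)]
        held = [m for m in held if rule(m)]
    return release_log, [m.msg_id for m in held]


if __name__ == "__main__":
    log, still_held = rescan_quarantine(SAMPLE_MESSAGES)
    for when, ids in log.items():
        print(f"{when}: released {ids}")
    print(f"still in outbreak quarantine: {still_held}")
```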