User Guide
14-7
AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide
Chapter 14 Outbreak Filters
How Outbreak Filters Work
• File Name & Sophos IDE
Adaptive Rules
Adaptive Rules are a set of rules within CASE that accurately compare message attributes to attributes
of known virus outbreak messages. These rules have been created after studying known threat messages
and known good messages within an extensive virus corpus. Adaptive Rules are updated often as the
corpus is evaluated. They complement existing Outbreak Rules to detect outbreak messages at all times.
While Outbreak Rules take effect when a possible outbreak is occurring, Adaptive Rules (once enabled)
are “always on,” catching outbreak messages locally before the full anomaly has formed on a global
basis. Additionally, Adaptive Rules continuously respond to small and subtle changes in email traffic
and structure, providing updated protection to customers.
Outbreaks
An Outbreak Filter rule is basically a Threat Level (e.g. 4) associated with a set of characteristics for an
email message and attachment — things such as file size, file type, file name, message content, and so
on. For example, assume the Cisco SIO notices an increase in the occurrences of a suspicious email
message carrying a .exe attachment that is 143 kilobytes in size, and whose file name includes a specific
keyword (“hello” for example). An Outbreak Rule is published increasing the Threat Level for messages
matching these criteria. Your appliance checks for and downloads newly published Outbreak and Adaptive
Rules every 5 minutes by default (see Updating Outbreak Filter Rules, page 14-15). Adaptive Rules are
updated less frequently than Outbreak Rules. On the appliance, you set a threshold for quarantining
suspicious messages. If the Threat Level for a message equals or exceeds the quarantine threshold, the
message is sent to the Outbreak quarantine area. You can also set up a threshold for modifying non-viral
threat messages, so that any URLs found in suspicious messages are rewritten or a notification is added at
the top of the message body.
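The following is an added illustration of the rule-and-threshold logic just described; it is not Cisco code and does not use the appliance's real rule format. It assumes a simple rule shape (extension, exact size, file-name keyword), that a message's Threat Level is the highest level of any matching rule, a 1 KB = 1024 bytes convention for the 143 KB example, and a hypothetical inspection proxy address for URL rewriting. The sample rules and messages are constructed.

```python
"""Model of Outbreak Filter threat levels and quarantine/modify thresholds.

Added example: not Cisco code, not the appliance's rule format. Rule fields,
max-of-matching-rules scoring and the proxy URL are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

QUARANTINE = "quarantine"
MODIFY = "modify"
DELIVER = "deliver"


@dataclass
class Attachment:
    name: str
    size_bytes: int


@dataclass
class Message:
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    viral: bool = False  # only non-viral threats are eligible for modification


@dataclass
class OutbreakRule:
    """A Threat Level tied to attachment characteristics (assumed rule shape)."""
    name: str
    threat_level: int                    # 0..5 as in Table 14-1
    extension: Optional[str] = None      # e.g. ".exe"
    size_bytes: Optional[int] = None     # exact size the outbreak is using
    name_keyword: Optional[str] = None   # substring of the file name

    def matches(self, att: Attachment) -> bool:
        if self.extension and not att.name.lower().endswith(self.extension):
            return False
        if self.size_bytes is not None and att.size_bytes != self.size_bytes:
            return False
        if self.name_keyword and self.name_keyword.lower() not in att.name.lower():
            return False
        return True


def threat_level(msg: Message, rules: list) -> int:
    """Highest Threat Level of any rule matching any attachment (assumption: max wins)."""
    return max((r.threat_level for r in rules for a in msg.attachments if r.matches(a)),
               default=0)


URL_RE = re.compile(r"https?://[^\s<>\"']+")
NOTICE = ("[Outbreak Filters: this message may be part of an outbreak; "
          "links have been rewritten]\n\n")


def rewrite_urls(body: str, proxy: str = "https://proxy.example/redirect?url=") -> str:
    """Point every URL in the body at an inspection proxy (hypothetical address)."""
    return URL_RE.sub(lambda m: proxy + m.group(0), body)


def apply_outbreak_filters(msg: Message, rules: list,
                           quarantine_threshold: int = 3, modify_threshold: int = 2):
    """Return (action, level, body): quarantine, modify (non-viral only) or deliver."""
    level = threat_level(msg, rules)
    if level >= quarantine_threshold:
        return QUARANTINE, level, msg.body
    if not msg.viral and level >= modify_threshold:
        return MODIFY, level, NOTICE + rewrite_urls(msg.body)
    return DELIVER, level, msg.body


# Constructed rules: the first mirrors the guide's 143 KB ".exe" / "hello" example.
RULES = [
    OutbreakRule("hello-exe-outbreak", threat_level=4, extension=".exe",
                 size_bytes=143 * 1024, name_keyword="hello"),
    OutbreakRule("scr-suspect", threat_level=2, extension=".scr"),
]

if __name__ == "__main__":
    m = Message("hi", "see http://evil.example/x",
                [Attachment("hello_world.exe", 143 * 1024)])
    print(apply_outbreak_filters(m, RULES))  # -> ('quarantine', 4, ...)
```

The two thresholds are independent knobs: raising `quarantine_threshold` keeps more mail flowing but relies on URL rewriting and the notice for the Level 2 "suspected" band, so a practitioner tuning them should check which band each sample message lands in rather than only the final action.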
Threat Levels
Table 14-1 on page 14-7 provides a basic set of guidelines or definitions for each of the various levels.
For more information about threat levels and outbreak rules, see Outbreak Filters Rules, page 14-15.
Table 14-1 Threat Level Definitions
Level Risk Meaning
0 None There is no risk that the message is a threat.
1 Low The risk that the message is a threat is low.
2 Low/Medium The risk that the message is a threat is low to medium. It is a “suspected” threat.
3 Medium Either the message is part of a confirmed outbreak or there is a medium to large risk of its content being a threat.
4 High Either the message is confirmed to be part of a large scale outbreak or its content is very dangerous.
5 Extreme The message’s content is confirmed to be part of an outbreak that is either extremely large scale or large scale and extremely dangerous.