This document describes and answers some of the more frequently asked questions regarding Outbreak Filters, or Virus Outbreak Filters, on the Email Security Appliance (ESA).
What are Outbreak Filters, or Virus Outbreak Filters (VOF)?
Outbreak Filters protect your network from large-scale virus outbreaks and smaller, non-viral attacks, such as phishing scams and malware distribution, as they occur. Unlike most anti-malware security software, which cannot detect new outbreaks until data is collected and a software update is published, Cisco gathers data on outbreaks as they spread and sends updated information to your ESA in real-time to prevent these messages from reaching your users.
Cisco uses global traffic patterns to develop rules that determine whether an incoming message is safe or part of an outbreak. Messages that may be part of an outbreak are quarantined until they are determined to be safe, either from updated outbreak information from Cisco or when new anti-virus definitions are published by Sophos and McAfee.
Messages used in small-scale, non-viral attacks use a legitimate-looking design, the recipient's information, and custom URLs that point to phishing and malware websites that have been online only for a short period of time and are unknown to web security services. Outbreak Filters analyze a message's content and search for URL links to detect this type of non-viral attack. Outbreak Filters can rewrite URLs so that traffic to potentially harmful websites is redirected through a web security proxy, which either warns users that the website they are attempting to access may be malicious or blocks the website completely.
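The rewrite step above can be illustrated with a small script. This is an added example, not code from the original document or from the appliance: the proxy endpoint (PROXY_BASE), the query-parameter convention and the sample phishing body are all assumptions made here. The point it shows is the two properties a rewriter needs: the original URL is fully escaped inside the proxy link so its own query string cannot be confused with the proxy's, and an already-rewritten link is left alone so that a re-scan does not wrap it twice.

```python
import re
from urllib.parse import quote

# Assumed click-time scanning proxy. This is an illustrative endpoint, not the
# address of Cisco's real web security proxy.
PROXY_BASE = "https://proxy.example.invalid/scan"

# Absolute http(s) URLs in a text or HTML body. The lookahead stops the match
# before trailing punctuation, a closing quote or an angle bracket, so
# 'see https://a.example/.' yields 'https://a.example/' without the period.
URL_RE = re.compile(r"""https?://[^\s<>"']+?(?=[.,;:!?)\]]*(?:\s|$|[<>"']))""")


def rewrite_url(url):
    """Wrap one URL so that a click goes to the proxy, which can warn or block.
    Already-wrapped URLs are returned unchanged (idempotent on re-scan)."""
    if url.startswith(PROXY_BASE):
        return url
    # The original URL travels as a single query parameter, fully escaped so
    # its own '?', '&' and '=' cannot be mistaken for the proxy's parameters.
    return f"{PROXY_BASE}?url={quote(url, safe='')}"


def rewrite_body(body):
    """Rewrite every http(s) link in a message body.

    Returns (rewritten_body, original_urls). The second value is what an
    operator would expect to see recorded when URL logging is enabled."""
    found = []

    def _sub(match):
        found.append(match.group(0))
        return rewrite_url(match.group(0))

    return URL_RE.sub(_sub, body), found


if __name__ == "__main__":
    # Constructed phishing-style body; the domain is reserved and does not resolve.
    sample = ('Your mailbox is full. Restore access at '
              'https://mail-login.example.invalid/restore?acct=42&t=9. '
              '<a href="https://mail-login.example.invalid/restore?acct=42&t=9">Restore</a>')
    new_body, urls = rewrite_body(sample)
    print(new_body)
    print(urls)
```

The regex deliberately refuses to swallow a trailing period or closing quote; a rewriter that gets this wrong sends users to a proxy lookup for a URL that never existed, and the real link is then delivered unwrapped.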
Can I use Outbreak Filters even if I am not running Sophos or McAfee Anti-Virus on my ESA?
Cisco recommends that you enable Sophos or McAfee Anti-Virus in addition to Virus Outbreak Filters to increase your defense against viruses. However, VOF can operate independently without requiring Sophos or McAfee Anti-Virus to be enabled.
When do Outbreak Filters quarantine messages?
A message is quarantined when its file attachment(s) match current Outbreak Rules at or above the threat-level threshold set by the mail administrator. Cisco publishes current Outbreak Rules to each ESA that has a valid feature key, and on the Cisco Support Portal. Messages that may be part of an outbreak are quarantined until they are determined to be safe, either from updated outbreak information from Cisco or when new anti-virus definitions are published by Sophos and McAfee.
Information about current virus outbreaks can be found on SenderBase.
What happens when the Outbreak quarantine fills up?
When a quarantine exceeds the maximum space allocated to it, or if a message exceeds the maximum time setting, messages are automatically pruned from the quarantine to keep it within limits. Messages are removed on a first-in, first-out (FIFO) basis. In other words, the oldest messages are deleted first. You can configure a quarantine to either release (that is, deliver) or delete a message which must be pruned from a quarantine. If you choose to release messages, you may elect to have the subject line tagged with text you specify which will alert the recipient that the message was forced out of a quarantine.
Following release from the Outbreak quarantine, messages are re-scanned by the anti-virus module, and action is taken according to anti-virus policy. Depending on this policy, a message may be delivered, deleted, or delivered with viral attachments stripped. It is expected that viruses will often be found during re-scan after release from the Outbreak quarantine. The ESA mail_logs or message tracking can be consulted to determine if an individual message that was noted in the quarantine was found to be viral, and if and how it was delivered.
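To answer the question the paragraph above raises (was a quarantined message found viral on re-scan, and how was it finally handled?), the mail_logs can be correlated by MID. The script below is an added example, not part of the original document or an AsyncOS tool. Its sample log is constructed: timestamps are omitted and the line phrasing only approximates what AsyncOS writes, which differs between releases, so the patterns are a starting point to check against your own appliance's logs. The rule names and MIDs are illustrative.

```python
import re

# Constructed sample of ESA mail_logs lines (approximate format, see lead-in).
# MIDs 1001-1003 were held in the Outbreak quarantine and released; 1005 was not.
SAMPLE_MAIL_LOG = """\
Info: MID 1001 quarantined to "Outbreak" (Outbreak rule:Virus: OUTBREAK_0018657_00)
Info: MID 1002 quarantined to "Outbreak" (Outbreak rule:Virus: OUTBREAK_0018657_00)
Info: MID 1003 quarantined to "Outbreak" (Outbreak rule:Phish: PHISH_0000012_00)
Info: MID 1001 released from quarantine "Outbreak"
Info: MID 1001 antivirus positive 'W32/Example-Mal'
Info: Message aborted MID 1001 Dropped by antivirus
Info: MID 1002 released from quarantine "Outbreak"
Info: MID 1002 antivirus positive 'W32/Example-Mal'
Info: MID 1002 rewritten to MID 1004 by antivirus
Info: MID 1004 queued for delivery
Info: Message done DCID 7 MID 1004 to RID [0]
Info: Message finished MID 1004 done
Info: MID 1003 released from quarantine "Outbreak"
Info: MID 1003 antivirus negative
Info: MID 1003 queued for delivery
Info: Message done DCID 8 MID 1003 to RID [0]
Info: Message finished MID 1003 done
Info: MID 1005 antivirus negative
"""

# (event name, regex); group 1 is always the MID the line refers to.
EVENTS = [
    ("quarantined", re.compile(r'MID (\d+) quarantined to "Outbreak" \((?:Outbreak rule:)?(.+)\)')),
    ("released",    re.compile(r'MID (\d+) released from quarantine "Outbreak"')),
    ("av_positive", re.compile(r"MID (\d+) antivirus positive '([^']+)'")),
    ("av_negative", re.compile(r"MID (\d+) antivirus negative")),
    ("rewritten",   re.compile(r"MID (\d+) rewritten to MID (\d+) by antivirus")),
    ("dropped",     re.compile(r"Message aborted MID (\d+) Dropped by antivirus")),
    ("delivered",   re.compile(r"Message done DCID \d+ MID (\d+) to RID")),
]


def trace_outbreak_messages(log_text):
    """Follow every message that entered the Outbreak quarantine and report the
    rule that held it, the anti-virus verdict after release, and its final fate."""
    records = {}          # original MID -> record
    rewritten_to = {}     # child MID (attachment-stripped copy) -> original MID

    for line in log_text.splitlines():
        for event, pattern in EVENTS:
            m = pattern.search(line)
            if not m:
                continue
            mid = int(m.group(1))
            if event == "quarantined":
                records[mid] = {"rule": m.group(2), "released": False,
                                "virus": None, "outcome": "still quarantined"}
                break
            mid = rewritten_to.get(mid, mid)   # fold a stripped copy back onto its parent
            rec = records.get(mid)
            if rec is None:
                break     # a MID that never passed through the Outbreak quarantine
            if event == "released":
                rec["released"] = True
                rec["outcome"] = "released, awaiting re-scan"
            elif event == "av_positive":
                rec["virus"] = m.group(2)
            elif event == "av_negative":
                rec["virus"] = "none"
            elif event == "rewritten":
                rewritten_to[int(m.group(2))] = mid
                rec["outcome"] = "viral attachment stripped"
            elif event == "dropped":
                rec["outcome"] = "dropped by anti-virus"
            elif event == "delivered":
                stripped = rec["outcome"] == "viral attachment stripped"
                rec["outcome"] = "delivered with viral attachment stripped" if stripped else "delivered"
            break
    return records


def viral_after_release(records):
    """MIDs where the post-release re-scan found a virus, the case the text says to expect."""
    return sorted(mid for mid, r in records.items() if r["virus"] not in (None, "none"))


if __name__ == "__main__":
    for mid, rec in sorted(trace_outbreak_messages(SAMPLE_MAIL_LOG).items()):
        print(mid, rec)
```

The one subtlety worth noting is the rewritten MID: when the anti-virus module strips an attachment the delivery is logged under a new MID, so a search for the original MID alone would wrongly conclude the message was never delivered.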
Before a system quarantine fills up, an alert is sent when the quarantine reaches 75% full, and another alert is sent when it reaches 95% full. The Outbreak quarantine has an additional management feature that allows you to delete or release all messages that match a particular virus threat level (VTL). This allows for easy clearing of the quarantine after an anti-virus update is received which addresses a particular virus threat.
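The pruning, overflow-action, capacity-alert and clear-by-threat-level behaviour described in this answer can be modelled in a few dozen lines. The class below is an added example written for this page, not the appliance's implementation or any Cisco code; the limits, subject tag text, message sizes and threat levels in the scenario are all constructed so that pruning and both alerts are visible.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class QuarantinedMessage:
    mid: int
    size: int        # bytes
    arrived: int     # seconds (only differences matter)
    vtl: int         # threat level of the Outbreak Rule that held it
    subject: str


@dataclass
class OutbreakQuarantine:
    max_bytes: int
    max_age: int                      # seconds a message may sit in the quarantine
    overflow_action: str = "release"  # "release" (deliver) or "delete"
    subject_tag: str = "[WARNING: FORCED OUT OF QUARANTINE]"   # assumed tag text
    queue: deque = field(default_factory=deque)   # FIFO: leftmost is the oldest
    used: int = 0
    alerts: list = field(default_factory=list)
    released: list = field(default_factory=list)
    deleted: list = field(default_factory=list)
    alerted_level: int = 0            # 0, 75 or 95: highest capacity alert already sent

    def add(self, msg, now):
        """Store a newly quarantined message, pruning first-in-first-out as needed."""
        self.queue.append(msg)
        self.used += msg.size
        self.prune(now)
        self._capacity_alerts()

    def prune(self, now):
        """Evict from the oldest end while the quarantine is over its size limit or the
        oldest message is over its age limit. The configured overflow action applies to both."""
        while self.queue and (self.used > self.max_bytes
                              or now - self.queue[0].arrived > self.max_age):
            self._evict(self.queue.popleft())

    def _evict(self, msg):
        self.used -= msg.size
        if self.overflow_action == "release":
            # Tag the subject so the recipient knows this left the quarantine unscanned.
            msg.subject = f"{self.subject_tag} {msg.subject}"
            self.released.append(msg)
        else:
            self.deleted.append(msg)

    def _capacity_alerts(self):
        """One alert at 75 % and one at 95 %, re-armed once usage drops below 75 %."""
        pct = 100 * self.used // self.max_bytes
        for level in (75, 95):
            if pct >= level > self.alerted_level:
                self.alerts.append(f"Outbreak quarantine {pct}% full (>= {level}% threshold)")
                self.alerted_level = level
        if pct < 75:
            self.alerted_level = 0

    def bulk_action_by_vtl(self, vtl, action):
        """Release or delete every held message from rules at the given threat level,
        e.g. after an anti-virus update covers that threat. Returns the count acted on."""
        keep, acted = deque(), 0
        for msg in self.queue:
            if msg.vtl == vtl:
                self.used -= msg.size
                (self.released if action == "release" else self.deleted).append(msg)
                acted += 1
            else:
                keep.append(msg)
        self.queue = keep
        return acted


def run_scenario():
    """Constructed scenario with small limits so pruning and alerts are visible."""
    q = OutbreakQuarantine(max_bytes=1000, max_age=3600)
    q.add(QuarantinedMessage(1, 300, 0, 3, "Invoice attached"), now=0)           # 30 % used
    q.add(QuarantinedMessage(2, 300, 10, 4, "Quarterly report"), now=10)         # 60 %
    q.add(QuarantinedMessage(3, 200, 20, 3, "Photos"), now=20)                   # 80 %: 75 % alert
    q.add(QuarantinedMessage(4, 150, 30, 4, "Urgent: action required"), now=30)  # 95 %: 95 % alert
    # An hour later MIDs 1 and 2 exceed max_age and are forced out (released with
    # a tagged subject) before the new message is stored; usage falls to 65 %.
    q.add(QuarantinedMessage(5, 300, 3615, 5, "Re: package"), now=3615)
    # The AV update now covers the level-4 threat: clear those messages in one step.
    q.bulk_action_by_vtl(4, "delete")
    return q


if __name__ == "__main__":
    q = run_scenario()
    print("held:", [m.mid for m in q.queue], "released:", [m.mid for m in q.released],
          "deleted:", [m.mid for m in q.deleted])
    print("\n".join(q.alerts))
```

Note the design consequence the text hints at: with the overflow action set to release, a full quarantine delivers the oldest unscanned messages, so capacity alerts at 75 % deserve a response rather than a wait for 95 %.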
What is the meaning of the threat level for an Outbreak Rule?
Each Outbreak Rule carries a threat level from 0 to 5. The threat level rates the likelihood of a viral outbreak, and the higher it is, the more aggressively matching suspicious files are quarantined. The threat level is based on a number of factors, including but not limited to network traffic, suspicious file activity, input from anti-virus vendors, and analysis by Cisco's Threat Operation Center. In addition, Outbreak Filters allow mail administrators to raise or lower the threat-level threshold at which messages are quarantined on their networks.
Level 0: There is no risk that the message is a threat.
Level 1: The risk that the message is a threat is low.
Level 2: The risk that the message is a threat is low to medium. It is a "suspected" threat.
Level 3: Either the message is part of a confirmed outbreak or there is a medium to large risk of its content being a threat.
Level 4: Either the message is confirmed to be part of a large scale outbreak or its content is very dangerous.
Level 5: The message's content is confirmed to be part of an outbreak that is either extremely large scale or large scale and extremely dangerous.
How can I be alerted when a virus outbreak occurs?
When the SenderBase network raises the VTL of a rule for a particular type of message profile to or above your configured threshold, you can be alerted via an email message sent to your configured alert email address. When the VTL falls back below your configured threshold, another alert is sent. You can thus follow the progress of an outbreak. To ensure that you receive these alerts, verify the email address that alerts are sent to in the CLI using the alertconfig command.
To configure, or to review the configuration:
GUI: Security Services > Outbreak Filters, then review the configuration under Edit Global Settings...
CLI: outbreakconfig > setup
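The crossing logic behind these alerts (one alert on the way up, one on the way back down, nothing while a rule simply stays above the line) is easy to get wrong if an alert is sent on every rule update. The class below is an added example, not the appliance's code; the rule names and the VTL sequence in run_feed are constructed, and the threshold of 3 is simply the value used in this example.

```python
# Threat level descriptions, condensed from the table above.
THREAT_LEVELS = {
    0: "no risk",
    1: "low risk",
    2: "low to medium risk (suspected threat)",
    3: "confirmed outbreak, or medium to large risk",
    4: "confirmed large scale outbreak, or very dangerous content",
    5: "confirmed outbreak: extremely large scale, or large scale and extremely dangerous",
}


class OutbreakAlerter:
    """Track the threat level (VTL) of each Outbreak Rule and raise an alert only
    when a rule crosses the administrator's threshold, upward or downward."""

    def __init__(self, threshold):
        if threshold not in THREAT_LEVELS:
            raise ValueError("threshold must be 0-5")
        self.threshold = threshold
        self.levels = {}       # rule name -> last VTL seen (unseen rules count as level 0)
        self.alerts = []

    def update(self, rule, vtl):
        """Apply a VTL update from the rule feed; return True if the rule is now active."""
        if vtl not in THREAT_LEVELS:
            raise ValueError("VTL must be 0-5")
        prev = self.levels.get(rule, 0)
        self.levels[rule] = vtl
        was_active, now_active = prev >= self.threshold, vtl >= self.threshold
        if now_active and not was_active:
            self.alerts.append(f"{rule}: VTL {prev} -> {vtl} ({THREAT_LEVELS[vtl]}); "
                               "matching messages will now be quarantined")
        elif was_active and not now_active:
            self.alerts.append(f"{rule}: VTL {prev} -> {vtl} ({THREAT_LEVELS[vtl]}); "
                               "matching messages will no longer be quarantined")
        return now_active

    def should_quarantine(self, rule):
        """Quarantine decision for a message matching `rule` at the rule's current VTL."""
        return self.levels.get(rule, 0) >= self.threshold


def run_feed(threshold=3):
    """Constructed sequence of rule updates; the rule names are illustrative only."""
    alerter = OutbreakAlerter(threshold)
    for rule, vtl in [("OUTBREAK_0018657_00", 1), ("OUTBREAK_0018657_00", 3),
                      ("OUTBREAK_0018657_00", 4), ("PHISH_0000012_00", 2),
                      ("OUTBREAK_0018657_00", 2)]:
        alerter.update(rule, vtl)
    return alerter


if __name__ == "__main__":
    print("\n".join(run_feed().alerts))
```

Lowering the threshold to 2 in run_feed makes the phishing rule active as well, which is the trade-off the administrator's threshold setting controls: earlier quarantining of suspected threats against more held mail.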
Outbreak Filters: Enabled

Choose the operation you want to perform:
- SETUP - Change Outbreak Filters settings.
- CLUSTERSET - Set how the Outbreak Filters are configured in a cluster.
- CLUSTERSHOW - Display how the Outbreak Filters are configured in a cluster.
> setup

Outbreak Filters: Enabled

Would you like to use Outbreak Filters? [Y]>

Outbreak Filters enabled.

Outbreak Filter alerts are sent when outbreak rules cross the threshold (go above or back down below), meaning that new messages of certain types could be quarantined or will no longer be quarantined, respectively.

Would you like to receive Outbreak Filter alerts? [N]> y

What is the largest size message Outbreak Filters should scan? >

Do you want to use adaptive rules to compute the threat level of messages? [Y]>

Logging of URLs is currently disabled.

Do you wish to enable logging of URL's? [N]> y

Logging of URLs has been enabled.

The Outbreak Filters feature is now globally enabled on the system. You must use the 'policyconfig' command in the CLI or the Email Security Manager in the GUI to enable Outbreak Filters for the desired Incoming and Outgoing Mail Policies.
A new virus outbreak is first detected by SenderBase, and the VTL of the matching rule is raised. You receive an alert if the VTL meets or exceeds your configured VTL threshold. Sophos alerts follow as the virus is identified and captured, and again when new virus-identifying signatures become available.