The data is summarized information on message attributes and information on how different types of messages were handled
by Cisco appliances. We do not collect the full body of the message. Again, information provided to Cisco that would identify
your users or your organization will be treated as confidential. (See What does Cisco do to make sure that the data I share is secure? below).
The following tables explain a sample log entry in a “human-friendly” format.
Table 1. Statistics Shared Per Cisco Appliance

| Item | Sample Data |
|---|---|
| MGA Identifier | MGA 10012 |
| Timestamp | Data from 8 AM to 8:05 AM on July 1, 2005 |
| Software Version Numbers | MGA Version 4.7.0 |
| Rule Set Version Numbers | Anti-Spam Rule Set 102 |
| Anti-virus Update Interval | Updates every 10 minutes |
| Quarantine Size | 500 MB |
| Quarantine Message Count | 50 messages currently in quarantine |
| Virus Score Threshold | Send messages to quarantine at threat level 3 or higher |
| Sum of Virus Scores for messages entering quarantine | 120 |
| Count of messages entering quarantine | 30 (yields average score of 4) |
| Maximum quarantine time | 12 hours |
| Count of Outbreak quarantine messages broken down by why they entered and exited quarantine, correlated with Anti-Virus result | 50 entering quarantine due to .exe rule; 30 leaving quarantine due to manual release, and all 30 were virus positive |
| Count of Outbreak quarantine messages broken down by what action was taken upon leaving quarantine | 10 messages had attachments stripped after leaving quarantine |
| Sum of time messages were held in quarantine | 20 hours |
Table 2. Statistics Shared Per Sender IP Address

| Item | Sample Data |
|---|---|
| Message count at various stages within the appliance | Seen by Anti-Virus engine: 100; Seen by Anti-Spam engine: 80 |
| Sum of Anti-Spam and Anti-Virus scores and verdicts | 2,000 (sum of anti-spam scores for all messages seen) |
| Number of messages hitting different Anti-Spam and Anti-Virus rule combinations | 100 messages hit rules A and B; 50 messages hit rule A only |
| Number of Connections | 20 SMTP Connections |
| Number of Total and Invalid Recipients | 50 total recipients; 10 invalid recipients |
| Hashed Filename(s) (a) | A file `<one-way-hash>.pif` was found inside an archive attachment called `<one-way-hash>.zip`. |
| Obfuscated Filename(s) (b) | A file aaaaaaa0.aaa.pif was found inside a file aaaaaaa.zip. |
| URL Hostname (c) | There was a link found inside a message to www.domain.com |
| Obfuscated URL Path (d) | There was a link found inside a message to hostname www.domain.com, and it had path aaa000aa/aa00aaa. |
| Number of Messages by Spam and Virus Scanning Results | 10 Spam Positive; 10 Spam Negative; 5 Spam Suspect; 4 Virus Positive; 16 Virus Negative; 5 Virus Unscannable |
| Number of messages by different Anti-Spam and Anti-Virus verdicts | 500 spam, 300 ham |
| Count of Messages in Size Ranges | 125 in 30K-35K range |
| Count of different extension types | 300 “.exe” attachments |
| Correlation of attachment types, true file type, and container type | 100 attachments that have a “.doc” extension but are actually “.exe”; 50 attachments are “.exe” extensions within a zip |
| Correlation of extension and true file type with attachment size | 30 attachments were “.exe” within the 50-55K range |
| Number of attached files uploaded to the file reputation service (AMP cloud) | 1110 files were uploaded to the file reputation service |
| Verdicts on files uploaded to the file reputation service (AMP cloud) | 10 files were found to be malicious; 100 files were found to be clean; 1000 files were unknown to the reputation service |
| Reputation score of files uploaded to the file reputation service (AMP cloud) | 50 files had a reputation score of 37; 50 files had a reputation score of 57; 1 file had a reputation score of 61; 9 files had a reputation score of 99 |
| Names of files uploaded to the file reputation service (AMP cloud) | example.pdf; testfile.doc |
| Names of malware threats detected by the file reputation service (AMP cloud) | Trojan-Test |
(a) Filenames will be encoded in a 1-way hash (MD5).

(b) Filenames will be sent in an obfuscated form, with all lowercase ASCII letters ([a-z]) replaced with “a,” all uppercase ASCII letters ([A-Z]) replaced with “A,” any multi-byte UTF-8 characters replaced with “x” (to provide privacy for other character sets), all ASCII digits ([0-9]) replaced with “0,” and all other single-byte characters (whitespace, punctuation, etc.) maintained. For example, the file Britney1.txt.pif would appear as Aaaaaaa0.aaa.pif.

(c) URL hostnames point to a web server providing content, much as an IP address does. No confidential information, such as usernames and passwords, is included.

(d) URL information following the hostname is obfuscated to ensure that any personal information of the user is not revealed.
From AsyncOS 8.5 for Email and later, if IronPort Anti-Spam or Intelligent Multi-Scan feature keys are active and SenderBase Network Participation is enabled, AsyncOS performs the following actions to improve the efficacy of the product:

- Collects information about repetition of certain headers in messages, encrypts the collected information, and adds the encrypted information to the respective messages as headers. You can submit these processed messages to Cisco for analysis. Each message is reviewed by a team of human analysts and used to enhance the efficacy of the product. For instructions to submit messages to Cisco for analysis, see Reporting Incorrectly Classified Messages to Cisco.
- Sends a random sample of messages to CASE for Antispam scanning, irrespective of their sender's SBRS. CASE scans these messages and uses the results to improve the efficacy of the product. AsyncOS performs this action only when it is idle. As a result, this feedback mechanism does not have any significant impact on the processing of messages.