The Outbreak Filters feature's Outbreak quarantine is a temporary holding area
used to store messages until they are confirmed to be threats or it is safe to
deliver them to users. (See Outbreak Lifecycle and Rules Publishing for more
information.) Quarantined messages can be released from the Outbreak quarantine
in several ways. As new rules are downloaded, messages in the Outbreak
quarantine are reevaluated based on a recommended rescan interval calculated by
CASE. If the revised threat level of a message falls below the quarantine
retention threshold (the Threat Level Threshold), the message is automatically
released, regardless of the Outbreak quarantine's retention settings, thereby
minimizing the time it spends in the quarantine. If new rules are published
while messages are being re-evaluated, the rescan is restarted.
Please note that
messages quarantined as virus attacks are not automatically released from the
outbreak quarantine when new anti-virus signatures are available. New rules may
or may not reference new anti-virus signatures; however, messages will not be
released due to an anti-virus engine update unless an Outbreak Rule changes the
threat level of the message to a score lower than your Threat Level Threshold.
Messages are also released from the Outbreak quarantine after CASE’s recommended retention period has elapsed. CASE calculates
the retention period based on the message’s threat level. You can define separate maximum retention times for virus outbreaks
and non-viral threats. If CASE’s recommended retention time exceeds the maximum retention time for the threat type, the appliance
releases messages when the maximum retention time elapses. For viral messages the default maximum quarantine period is
1 day. The default period for quarantining non-viral threats is 4 hours. You can manually release messages from the quarantine.
The appliance
also releases messages when the quarantine is full and more messages are inserted (this is referred to as overflow). Overflow
only occurs when the Outbreak quarantine is at 100% capacity, and a new message is added to the quarantine. At this point,
messages are released in the following order of priority:
- Messages quarantined by
Adaptive Rules (those scheduled to be released soonest are first)
- Messages quarantined by
Outbreak Rules (those scheduled to be released soonest are first)
Overflow releases
stop the moment the Outbreak quarantine is below 100% capacity. For more
information about how quarantine overflow is handled, see
Retention Time for Messages in Quarantines
and
Default Actions for Automatically Processed Quarantined Messages.
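The release rules described above (retention capped per threat type, immediate release when a rescan drops the threat level below the threshold, and overflow release order) as an added toy model in Python. This is an illustration written for this page, not AsyncOS or CASE code; the capacity, threat levels, retention recommendations, timestamps and the 0-5 threat-level scale are constructed assumptions.

```python
"""Toy model of the Outbreak quarantine release rules described on this page.

Added illustration, not AsyncOS or CASE code. Capacity, threat levels,
retention recommendations and timestamps are constructed sample values.
"""
from dataclasses import dataclass

# Default maximum retention per threat type, as stated in the text.
MAX_RETENTION_SECONDS = {"virus": 24 * 3600, "non-virus": 4 * 3600}

# Overflow release order: Adaptive Rule messages before Outbreak Rule messages.
RULE_PRIORITY = {"adaptive": 0, "outbreak": 1}


@dataclass
class QuarantinedMessage:
    msg_id: str
    rule_type: str      # "adaptive" or "outbreak": which rule quarantined it
    threat_type: str    # "virus" or "non-virus": selects the retention cap
    threat_level: int   # CASE threat level at quarantine time (0-5 assumed)
    release_at: int     # scheduled release time, seconds since epoch


def scheduled_release(now, recommended_retention, threat_type):
    """Release time is now + CASE's recommended retention, capped by the
    maximum retention configured for the threat type."""
    return now + min(recommended_retention, MAX_RETENTION_SECONDS[threat_type])


class OutbreakQuarantine:
    def __init__(self, capacity, threat_level_threshold):
        self.capacity = capacity
        self.threshold = threat_level_threshold
        self.held = {}            # msg_id -> QuarantinedMessage
        self.release_log = []     # (msg_id, reason) in release order

    def _release(self, msg_id, reason):
        self.held.pop(msg_id)
        self.release_log.append((msg_id, reason))

    def quarantine(self, now, msg_id, rule_type, threat_type, threat_level,
                   recommended_retention):
        """Hold a message. At 100% capacity an insert triggers overflow
        releases, which stop as soon as the quarantine is below 100% again."""
        while len(self.held) >= self.capacity:
            victim = min(self.held.values(),
                         key=lambda m: (RULE_PRIORITY[m.rule_type], m.release_at))
            self._release(victim.msg_id, "overflow")
        self.held[msg_id] = QuarantinedMessage(
            msg_id, rule_type, threat_type, threat_level,
            scheduled_release(now, recommended_retention, threat_type))

    def rescan(self, msg_id, revised_threat_level):
        """Re-evaluation after new rules: a level below the threshold releases
        the message at once, regardless of its scheduled retention."""
        msg = self.held[msg_id]
        msg.threat_level = revised_threat_level
        if revised_threat_level < self.threshold:
            self._release(msg_id, "rescan-below-threshold")
            return True
        return False

    def expire(self, now):
        """Release every message whose (capped) retention time has elapsed."""
        for m in sorted(self.held.values(), key=lambda m: m.release_at):
            if m.release_at <= now:
                self._release(m.msg_id, "retention-elapsed")


def demo():
    """Constructed scenario: returns (release log, ids still held)."""
    now = 1_700_000_000
    q = OutbreakQuarantine(capacity=3, threat_level_threshold=3)
    # CASE recommends 2 days for the virus message; the 1-day default cap wins.
    q.quarantine(now, "m1", "outbreak", "virus", 5, recommended_retention=48 * 3600)
    q.quarantine(now, "m2", "adaptive", "non-virus", 4, recommended_retention=3 * 3600)
    q.quarantine(now, "m3", "adaptive", "non-virus", 4, recommended_retention=1 * 3600)
    # Quarantine is at 100%: inserting m4 releases the adaptive-rule message
    # due out soonest (m3), then stops because capacity is below 100% again.
    q.quarantine(now, "m4", "outbreak", "non-virus", 4, recommended_retention=8 * 3600)
    # New rules drop m1 below the threshold: released immediately.
    q.rescan("m1", 2)
    # 3.5 hours later m2's 3-hour retention has elapsed; m4 (capped at 4 h) stays.
    q.expire(now + int(3.5 * 3600))
    return list(q.release_log), sorted(q.held)


if __name__ == "__main__":
    print(demo())
```

The model takes "below 100% capacity" literally: at capacity, a single overflow release is enough before the new message is inserted, and the victim is chosen by rule type first and scheduled release time second, exactly the order listed above. Note that the cap is applied at quarantine time, so a recommendation longer than the configured maximum never extends the hold.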
Messages released from the Outbreak quarantine are scanned again by the
anti-virus and anti-spam engines if those engines are enabled for the mail
policy. If a message is now identified as a known virus or as spam, it is
subject to your mail policy settings for that verdict (including a possible
second quarantining in the Virus quarantine or Spam quarantine). For more
information, see The Outbreak Filters Feature and the Outbreak Quarantine.
Thus it is important
to note that in a message's lifetime, it may actually be quarantined twice —
once due to the Outbreak Filters feature, and once when it is released from the
Outbreak quarantine. A message will not be subject to a second quarantine if
the verdicts from each scan (prior to Outbreak Filters, and when released from
the Outbreak quarantine) match. Also note that the Outbreak Filters feature
does not take any final actions on messages. The Outbreak Filters feature will
either quarantine a message (for further processing) or move the message along
to the next step in the pipeline.