Outbreak Filters

This chapter contains the following sections:

Overview of Outbreak Filters

Outbreak Filters protects your network from large-scale virus outbreaks and smaller, non-viral attacks, such as phishing scams and malware distribution, as they occur. Unlike most anti-malware security software, which cannot detect new outbreaks until data is collected and a software update is published, Cisco gathers data on outbreaks as they spread and sends updated information to your appliance in real-time to prevent these messages from reaching your users.

Cisco uses global traffic patterns to develop rules that determine if an incoming message is safe or part of an outbreak. Messages that may be part of an outbreak are quarantined until they’re determined to be safe based on updated outbreak information from Cisco or new anti-virus definitions are published by Sophos and McAfee.

Messages used in small-scale, non-viral attacks use a legitimate-looking design, the recipient’s information, and custom URLs that point to phishing and malware websites that have been online only for a short period of time and are unknown to web security services. Outbreak Filters analyzes a message’s content and searches for URL links to detect this type of non-viral attack. Outbreak Filters can rewrite URLs to redirect traffic to potentially harmful websites through a web security proxy, which either warns users that the website they are attempting to access may be malicious or blocks the website completely.

How Outbreak Filters Work

Related Topics

Delaying, Redirecting, and Modifying Messages

The Outbreak Filters feature uses three tactics to protect your users from outbreaks:

  • Delay. Outbreak Filters quarantines messages that may be part of a virus outbreak or non-viral attack. While quarantined, the appliances receives updated outbreak information and rescans the message to confirm whether it’s part of an attack.

    Note

    If a spam positive message is identified as outbreak positive by Outbreak Filters, the message is not sent to Outbreak Quarantine.
  • Redirect. Outbreak Filters rewrites the URLs in non-viral attack messages to redirect the recipient through the Cisco web security proxy if they attempt to access any of the linked websites. The proxy displays a splash screen that warns the user that the website may contain malware, if the website is still operational, or displays an error message if the website has been taken offline. See Redirecting URLs for more information on redirecting URLs.
  • Modify. In addition to rewriting URLs in non-viral threat messages, Outbreak Filters can modify a message’s subject and add a disclaimer above the message body to warn users about the message’s content. See Modifying Messages for more information.

Threat Categories

The Outbreak Filters feature provides protection from two categories of message-based outbreaks: virus outbreaks , which are messages with never-before-seen viruses in their attachments, and non-viral threats , which includes phishing attempts, scams, and malware distribution through links to an external website.

By default, the Outbreak Filters feature scans your incoming and outgoing messages for possible viruses during an outbreak. You can enable scanning for non-viral threats in addition to virus outbreaks if you enable anti-spam scanning on the appliance .


Note

Your appliance needs a feature key for Anti-Spam or Intelligent Multi-Scan in order for Outbreak Filters to scan for non-viral threats.

Related Topics

Virus Outbreaks

The Outbreak Filters feature provides you with a head start when battling virus outbreaks. An outbreak occurs when messages with attachments containing never-before-seen viruses or variants of existing viruses spread quickly through private networks and the Internet. As these new viruses or variants hit the Internet, the most critical period is the window of time between when the virus is released and when the anti-virus vendors release an updated virus definition. Having advanced notice — even a few hours — is vital to curbing the spread of the malware or virus. During that vulnerability window, the newly-found virus can propagate globally, bringing email infrastructure to a halt.

Phishing, Malware Distribution, and Other Non-Viral Threats

Messages containing non-viral threats are designed to look like a message from a legitimate sources and often sent out to a small number of recipients. These messages may have one or more of the following characteristics in order to appear trustworthy:

  • The recipient’s contact information.
  • HTML content designed to mimic emails from legitimate sources, such as social networks and online retailers.
  • URLs pointing to websites that have new IP addresses and are online only for a short time, which means that email and web security services do not have enough information on the website to determine if it is malicious.
  • URLs pointing to URL shortening services.

All of these characteristics make these messages more difficult to detect as spam. The Outbreak Filters feature provides a multi-layer defense from these non-viral threats to prevent your users from downloading malware or providing personal information to suspicious new websites.

If CASE discovers URLs in the message, it compares the message to existing Outbreak Rules to determine if the message is part of a small-scale non-viral outbreak and then assigns a threat level. Depending on the threat level, the appliance delays delivery to the recipient until more threat data can be gathered and rewrites the URLs in the message to redirect the recipient to the Cisco web security proxy if they attempt to access the website. The proxy displays a splash page warning the user that the website may contain malware.

Cisco Security Intelligence Operations

Cisco Security Intelligence Operations (SIO) is a security ecosystem that connects global threat information, reputation-based services, and sophisticated analysis to appliances to provide stronger protection with faster response times.

SIO consists of three components:

  • SenderBase. The world’s largest threat monitoring network and vulnerability database.
  • Threat Operations Center (TOC). A global team of security analysts and automated systems that extract actionable intelligence gathered by SenderBase.
  • Dynamic Update. Real-time updates automatically delivered to appliances as outbreaks occur.

SIO compares real-time data from the global SenderBase network to common traffic patterns to identify anomalies that are proven predictors of an outbreak. TOC reviews the data and issues a threat level of the possible outbreak. The appliances download updated threat levels and Outbreak Rules and use them to scan incoming and outgoing messages, as well as messages already in the Outbreak quarantine.

Information about current virus outbreaks can be found on SenderBase’s website here:

http://www.senderbase.org/

The SIO website provides a list of current non-viral threats, including spam, phishing, and malware distribution attempts:

http://tools.cisco.com/security/center/home.x

Context Adaptive Scanning Engine

Outbreak Filters are powered by Cisco’s unique Context Adaptive Scanning Engine (CASE). CASE leverages over 100,000 adaptive message attributes tuned automatically and on a regular basis, based on real-time analysis of messaging threats.

For virus outbreaks, CASE analyzes the message content, context and structure to accurately determine likely Adaptive Rule triggers. CASE combines Adaptive Rules and the real-time Outbreak Rules published by SIO to evaluate every message and assign a unique threat level.

To detect non-viral threats, CASE scans messages for URLs and uses Outbreak Rules from SIO to evaluate a message’s threat level if one or more URLs are found.

Based on the message’s threat level, CASE recommends a period of time to quarantine the message to prevent an outbreak. CASE also determines the rescan intervals so it can reevaluate the message based on updated Outbreak Rules from SIO. The higher the threat level, the more often it rescans the message while it is quarantined.

CASE also rescans messages when they’re released from the quarantine. A message can be quarantined again if CASE determines that it is spam or contains a virus upon rescan.

For more information about CASE, see Cisco Anti-Spam: an Overview.

Delaying Messages

The period between when an outbreak or email attack occurs and when software vendors release updated rules is when your network and your users are the most vulnerable. A modern virus can propagate globally and a malicious website can deliver malware or collect your users’ sensitive information during this period. Outbreak Filters protects your users and network by quarantining suspect messages for a limited period of time, giving Cisco and other vendors time to investigate the new outbreak.

When a virus outbreak occurs, suspicious messages with attachments are quarantined until updated Outbreak Rules and new anti-virus signatures prove the email’s attachment is clean or a virus.

Small scale, non-viral threats contain URLs to malicious websites that may be online for a short period of time in order to evade detection by web security services or through URL shortening services in order to circumvent web security by putting a trustworthy website in the middle. By quarantining messages containing URLs that meet your threat level threshold, not only does CASE have the opportunity to reevaluate the message’s content based on updated Outbreak Rules from SIO, but the messages can remain in the quarantine long enough that the linked website may go offline or be blocked by a web security solution.

See Dynamic Quarantine for more information on how Outbreak Filters quarantine suspicious messages.

Redirecting URLs

When CASE scans a message at the Outbreak Filters stage, it searches for URLs in the message body in addition to other suspicious content. CASE uses published Outbreak Rules to evaluate whether the message is a threat and then scores the message with the appropriate threat level. Depending on the threat level, Outbreak Filters protects the recipient by rewriting all the URLs to redirect the recipient to the Cisco web security proxy, except for URLs pointing to bypassed domains, and delaying the delivery of the message in order for TOC to learn more about the website if it appears to be part of a larger outbreak. See URL Rewriting and Bypassing Domains for more information on bypassing URLs for trusted domains.

After the appliance releases and delivers the message, any attempt by the recipient to access the website is redirected through the Cisco web security proxy. This is an external proxy hosted by Cisco that displays a splash screen that warns the user that the website may be dangerous, if the website is still operational. If the website has been taken offline, the splash screen displays an error message.

If the recipient decides to click the message’s URLs, the Cisco web security proxy displays a splash screen in the user’s web browser to warn the user about the content of the message. The following figure shows an example of the splash screen warning. The recipient can either click Ignore this warning to continue on to the website or Exit to leave and safely close the browser window.

Figure 1. Cisco Security Splash Screen Warning (proxy_splash_screen)


The only way to access the Cisco web security proxy is through a rewritten URL in a message. You cannot access the proxy by typing a URL in your web browser.


Note

You can customize the appearance of this splash screen and display your organization’s branding such as company logo, contact information, and so on. See Customizing the Notification That End Users See If a Site Is Malicious.

Tip

To redirect all URLs in suspected spam messages to the Cisco Web Security proxy service, see Using Custom Headers to Redirect URLs in Suspected Spam to the Cisco Web Security Proxy: Configuration Example.


Modifying Messages

The Outbreak Filters feature modifies the message body of a non-viral threat message not only to rewrite the URLs but to alert the user that the message is a suspected threat. The Outbreak Filters feature can modify the subject header and add a disclaimer about the message’s content above the message body. See Message Modification for more information.

The threat disclaimer is created using the Disclaimer template through the Mail Policies > Text Resources page. See Overview of Text Resource Management for more information.

Types of Rules: Adaptive and Outbreak

Two types of rules are used by Outbreak Filters to detect potential outbreaks: Adaptive and Outbreak. The Outbreak Filters feature uses these two rule sets to provide the highest efficacy and the most focused set of criteria for threat detection to ensure that filters can be laser focused on a particular outbreak. The Outbreak Filters rules and actions are visible to the administrator, not hidden away behind the scenes, providing instant access to quarantined messages and the reason why they were quarantined.

Related Topics

Outbreak Rules

Outbreak Rules are generated by the Cisco Threat Operations Center (TOC), which is a part of the Cisco Security Intelligence Operations, and focus on the message as a whole, rather than just attachment filetypes. Outbreak Rules use SenderBase data (real time and historical traffic data) and any combination of message parameters such as attachment file type, file name keywords, or anti-virus engine update to recognize and prevent outbreaks in real time. Outbreak Rules are given a unique ID used to refer to the rule in various places in the GUI (such as the Outbreak quarantine).

Real-time data from the global SenderBase network is then compared to this baseline, identifying anomalies that are proven predictors of an outbreak. The TOC reviews the data and issues a threat indicator or Threat Level. The Threat Level is a numeric value between 0 (no threat) and 5 (extremely risky), and measures the likelihood that a message is a threat for which no other gateway defense is widely deployed by Cisco customers (for more information, see Threat Levels). Threat Levels are published as Outbreak Rules by the TOC.

Some example characteristics that can be combined in Outbreak Rules include:

  • File Type, File Type & Size, File Type & File Name Keyword, etc.
  • File Name Keyword & File Size
  • File Name Keyword
  • Message URL
  • File Name & Sophos IDE

Adaptive Rules

Adaptive Rules are a set of rules within CASE that accurately compare message attributes to attributes of known virus outbreak messages. These rules have been created after studying known threat messages and known good messages within an extensive virus corpus. Adaptive Rules are updated often as the corpus is evaluated. They complement existing Outbreak Rules to detect outbreak messages at all times. While Outbreak Rules take effect when a possible outbreak is occurring, Adaptive Rules (once enabled) are “always on,” catching outbreak messages locally before the full anomaly has formed on a global basis. Additionally, Adaptive Rules continuously respond to small and subtle changes in email traffic and structure, providing updated protection to customers.

Outbreaks

A Outbreak Filter rule is basically a Threat Level (e.g. 4) associated with a set of characteristics for an email message and attachment — things such as file size, file type, file name, message content, and so on. For example, assume the Cisco SIO notices an increase in the occurrences of a suspicious email message carrying a .exe attachment that is 143 kilobytes in size, and whose file name includes a specific keyword (“hello” for example). An Outbreak Rule is published increasing the Threat Level for messages matching this criteria. Your appliance checks for and downloads newly published Outbreak and Adaptive Rules every 5 minutes by default (see Updating Outbreak Filter Rules). Adaptive Rules are updated less frequently than Outbreak Rules. On the appliance , you set a threshold for quarantining suspicious messages. If the Threat Level for a message equals or exceeds the quarantine threshold, the message is sent to the Outbreak quarantine area. You can also set up a threshold for modifying non-viral threat messages to rewrite any URLs found in suspicious messages or add a notification at the top of message body.

Threat Levels

The following table provides a basic set of guidelines or definitions for each of the various levels.

Level

Risk

Meaning

0

None

There is no risk that the message is a threat.

1

Low

The risk that the message is a threat is low.

2

Low/Medium

The risk that the message is a threat is low to medium. It is a “suspected” threat.

3

Medium

Either the message is part of a confirmed outbreak or there is a medium to large risk of its content being a threat.

4

High

Either the message is confirmed to be part of a large scale outbreak or its content is very dangerous.

5

Extreme

The message’s content is confirmed to part of an outbreak that is either extremely large scale or large scale and extremely dangerous.

For more information about threat levels and outbreak rules, see Outbreak Filters Rules.

Related Topics

Guidelines for Setting Your Quarantine Threat Level Threshold

The quarantine threat level threshold allows administrators to be more or less aggressive in quarantining suspicious messages. A low setting (1 or 2) is more aggressive and will quarantine more messages; conversely, a higher score (4 or 5) is less aggressive and will only quarantine messages with an extremely high likelihood of being malicious.

The same threshold applies to both virus outbreaks and non-virus threats, but you can specify different quarantine retention times for virus attacks and other threats. See Dynamic Quarantine for more information.

Cisco recommends the default value of 3.

Containers: Specific and Always Rules

Container files are files, such as zipped (.zip) archives, that contain other files. The TOC can publish rules that deal with specific files within archive files.

For example, if a virus outbreak is identified by TOC to consist of a .zip file containing a .exe, a specific Outbreak Rule is published that sets a threat level for .exe files within .zip files (.zip(exe)), but does not set a specific threat level for any other file type contained within .zip files (e.g. .txt files). A second rule (.zip(*)) covers all other file types within that container file type. An Always rule for a container will always be used in a message's Threat Level calculation regardless of the types of files that are inside a container. An always rule will be published by the SIO if all such container types are known to be dangerous.

Table 1. Fallback Rules and Threat Level Scores

Outbreak Rule

Threat Level

Description

.zip(exe)

4

This rule sets a threat level of 4 for .exe files within .zip files.

.zip(doc)

0

This rule sets a threat level of 0 for .doc files within .zip files.

zip(*)

2

This rule sets a threat level of 2 for all .zip files, regardless of the types of files they contain.

How the Outbreak Filters Feature Works

Email messages pass through a series of steps, the “email pipeline,” when being processed by your appliance (for more information about the email pipeline, see Understanding the Email Pipeline). As the messages proceed through the email pipeline, they are run through the anti-spam and anti-virus scanning engines if those engines are enabled for that mail policy. In other words, known spam or messages containing recognized viruses are not scanned by the Outbreak Filters feature because they will have already been removed from the mail stream — deleted, quarantined, etc. — based on your anti-spam and anti-virus settings. Messages that arrive at the Outbreak Filters feature have therefore been marked spam- and virus-free. Note that a message quarantined by Outbreak Filters may be marked as spam or containing a virus when it is released from the quarantine and rescanned by CASE, based on updated spam rules and virus definitions.


Note

Messages that skip anti-spam and anti-virus scanning due to filters or the engines being disabled will still be scanned by Outbreak Filters.

Related Topics

Message Scoring

When a new virus attack or non-viral threat is released into the wild, no anti-virus or anti-spam software is able to recognize the threat yet, so this is where the Outbreak Filters feature can be invaluable. Incoming messages are scanned and scored by CASE using the published Outbreak and Adaptive Rules (see Types of Rules: Adaptive and Outbreak). The message score corresponds with the message’s threat level. Based on which, if any, rules the message matches, CASE assigns the corresponding threat level. If there is no associated threat level (the message does not match any rules), then the message is assigned a threat level of 0.

Once that calculation has been completed, the appliance checks whether the threat level of that message meets or exceeds your quarantine or message modification threshold value and quarantines message or rewrites its URLs. It the threat level is below the thresholds, it will be passed along for further processing in the pipeline.

Additionally, CASE reevaluates existing quarantined messages against the latest rules to determine the latest threat level of a message. This ensures that only messages that have a threat level consistent with an outbreak message stay within the quarantine and messages that are no longer a threat flow out of the quarantine after an automatic reevaluation.

In the case of multiple scores for an outbreak message — one score from an Adaptive Rule (or the highest score if multiple Adaptive Rules apply), and another score from an Outbreak Rule (or the highest score if multiple Outbreak Rules apply) — intelligent algorithms are used to determine the final threat level.

It is possible to use the Outbreak Filters feature without having enabled anti-virus scanning on the appliance . The two security services are designed to complement each other, but will also work separately. That said, if you do not enable anti-virus scanning on your appliance , you will need to monitor your anti-virus vendor’s updates and manually release or re-evaluate some messages in the Outbreak quarantine. When using Outbreak Filters without anti-virus scanning enabled, keep the following in mind:

  • You should disable Adaptive Rules
  • Messages will get quarantined by Outbreak Rules
  • Messages will get released if the threat level is lowered or time expires

Downstream anti-virus vendors (desktops/groupware) may catch the message on release.


Note

Anti-spam scanning needs to be enabled globally on an appliance for the Outbreak Filters feature to scan for non-viral threats.

Dynamic Quarantine

The Outbreak Filters feature’s Outbreak quarantine is a temporary holding area used to store messages until they’re confirmed to be threats or it’s safe to deliver to users. (See Outbreak Lifecycle and Rules Publishing for more information.) Quarantined messages can be released from the Outbreak quarantine in several ways. As new rules are downloaded, messages in the Outbreak quarantine are reevaluated based on a recommended rescan interval calculated by CASE. If the revised threat level of a message falls under the quarantine retention threshold, the message will automatically be released (regardless of the Outbreak quarantine’s settings), thereby minimizing the time it spends in the quarantine. If new rules are published while messages are being re-evaluated, the rescan is restarted.

Please note that messages quarantined as virus attacks are not automatically released from the outbreak quarantine when new anti-virus signatures are available. New rules may or may not reference new anti-virus signatures; however, messages will not be released due to an anti-virus engine update unless an Outbreak Rule changes the threat level of the message to a score lower than your Threat Level Threshold.

Messages are also released from the Outbreak quarantine after CASE’s recommended retention period has elapsed. CASE calculates the retention period based on the message’s threat level. You can define separate maximum retention times for virus outbreaks and non-viral threats. If CASE’s recommended retention time exceeds the maximum retention time for the threat type, the appliance releases messages when the maximum retention time elapses. For viral messages the default maximum quarantine period is 1 day. The default period for quarantining non-viral threats is 4 hours. You can manually release messages from the quarantine.

The appliance also releases messages when the quarantine is full and more messages are inserted (this is referred to as overflow). Overflow only occurs when the Outbreak quarantine is at 100% capacity, and a new message is added to the quarantine. At this point, messages are released in the following order of priority:

  • Messages quarantined by Adaptive Rules (those scheduled to be released soonest are first)
  • Messages quarantined by Outbreak Rules (those scheduled to be released soonest are first)

Overflow releases stop the moment the Outbreak quarantine is below 100% capacity. For more information about how quarantine overflow is handled, see Retention Time for Messages in Quarantines and Default Actions for Automatically Processed Quarantined Messages.

Messages released from the Outbreak quarantine are scanned by the anti-virus and anti-spam engines again if they’re enabled for the mail policy. If it is now marked as a known virus or spam, then it will be subject to your mail policy settings (including a possible second quarantining in the Virus quarantine or Spam quarantine). For more information, see The Outbreak Filters Feature and the Outbreak Quarantine.

Thus it is important to note that in a message's lifetime, it may actually be quarantined twice — once due to the Outbreak Filters feature, and once when it is released from the Outbreak quarantine. A message will not be subject to a second quarantine if the verdicts from each scan (prior to Outbreak Filters, and when released from the Outbreak quarantine) match. Also note that the Outbreak Filters feature does not take any final actions on messages. The Outbreak Filters feature will either quarantine a message (for further processing) or move the message along to the next step in the pipeline.

Related Topics

Outbreak Lifecycle and Rules Publishing

Very early in a virus outbreak’s life cycle, broader rules are used to quarantine messages. As more information becomes available, increasingly focused rules are published, narrowing the definition of what is quarantined. As the new rules are published, messages that are no longer considered possible virus messages are released from quarantine (messages in the outbreak quarantine are rescanned as new rules are published).

Table 2. Example Rules for an Outbreak Lifecycle

Time

Rule Type

Rule Description

Action

T=0

Adaptive Rule (based on past outbreaks)

A consolidated rule set based on over 100K message attributes, which analyzes message content, context and structure

Messages are automatically quarantined if they match Adaptive Rules

T=5 min

Outbreak Rule

Quarantine messages containing .zip (exe) files

Quarantine all attachments that are .zips containing a .exe

T=10 min

Outbreak Rule

Quarantine messages that have .zip (exe) files greater than 50 KB

Any message with .zip (exe) files that are less than 50 KB would be released from quarantine

T=20 min

Outbreak Rule

Quarantine messages that have .zip (exe) files between 50 to 55 KB, and have “Price” in the file name

Any message that does not match this criteria would be released from quarantine

T=12 hours

Outbreak Rule

Scan against new signature

All remaining messages are scanned against the latest anti-virus signature

Managing Outbreak Filters

Log in to the Graphical User Interface (GUI), select Security Services in the menu, and click Outbreak Filters.

Figure 2. Outbreak Filters Main Page


The Outbreak Filters page shows two sections: the Outbreak Filters Overview and a listing of current Outbreak Filter Rules (if any).

In the figure above, Outbreak Filters are enabled, Adaptive Scanning is enabled, and the maximum message size is set to 512k. To change these settings, click Edit Global Settings For more information about editing Global Settings, see Configuring Outbreak Filters Global Settings.

The Outbreak Filter Rules section lists the time, date, and version of the latest update for various components (the rules engine as well as the rules themselves), as well as a listing of the current Outbreak Filter rules with threat level.

For more information about Outbreak Rules, see Outbreak Filters Rules.

Related Topics

Configuring Outbreak Filters Global Settings

Procedure


Step 1

Click Security Services > Outbreak Filters.

Step 2

Click Edit Global Settings.

Step 3

Depending on your requirements, do the following:

  • Enable Outbreak Filters globally
  • Enable Adaptive Rules scanning
  • Set a maximum size for files to scan (note that you are entering the size in bytes )
  • Enable alerts for the Outbreak Filter
  • Enable Web Interaction Tracking. See Web Interaction Tracking.
Step 4

Submit and commit your changes.


What to do next

This functionality is also available via the outbreakconfig CLI command (see the CLI Reference Guide for AsyncOS for Cisco Email Security Appliances ). After you make your changes, submit and commit them.


Note

You cannot enable the logging of URLs using the web interface. For instructions to enable logging of URLs using CLI, see Enabling Logging of URLs and Message Tracking Details for URLs .

Related Topics

Enabling the Outbreak Filters Feature

To enable the Outbreak Filters feature globally, check the box next to Enable Outbreak Filters on the Outbreak Filters Global Settings page, and click Submit. You must have agreed to the Outbreak Filters license agreement first.

Once enabled globally, the Outbreak Filters feature can then be enabled or disabled individually for each incoming and outgoing mail policy, including the default policies. For more information, seeThe Outbreak Filters Feature and Mail Policies.

The Outbreak Filters feature uses the Context Adaptive Scanning Engine (CASE) to detect viral threats, regardless of whether anti-spam scanning is enabled, but you do need to have Anti-Spam or Intelligent Multi-Scan enabled globally on the appliance to scan for non-viral threats.


Note

If you have not already agreed to the license during system setup (see Step 4: Security), you must click Enable on the Security Services > Outbreak Filters page, and then read and agree to the license.

Enabling Adaptive Rules

Adaptive Scanning enables the use of Adaptive Rules in Outbreak Filters. A set of factors or traits (file size, etc.) are used to determine the likelihood of a message being part of an outbreak when no virus signature or spam criteria relating to the message’s content is available. To enable Adaptive Scanning, check the box next to Enable Adaptive Rules on the Outbreak Filters Global Settings page, and click Submit.

Enabling Alerts for Outbreak Filters

Check the box labeled “Emailed Alerts” to enable alerting for the Outbreak Filters feature. Enabling emailed alerts for Outbreak Filters merely enables the alerting engine to send alerts regarding Outbreak Filters. Specifying which alerts are sent and to which email addresses is configured via the Alerts page in the System Administration tab. For more information on configuring alerts for Outbreak Filters, see Alerts, SNMP Traps, and Outbreak Filters.

Enabling Logging of URLs and Message Tracking Details for URLs

Logging of URL-related logs, and display of this information in Message Tracking details, is disabled by default. This includes the logs for the following events:

  • Category of any URL in the message matches the URL category filters
  • Reputation score of any URL in the message matches URL reputation filters
  • Outbreak Filter rewrites any URL in the message

To enable logging of these events, use the outbreakconfig command in the command-line interface (CLI).

Related Topics
Example: Enabling Logging of URLs Using the outbreakconfig Command

The following example shows how to enable logging of URLs using the outbreakconfig command


mail.example.com> outbreakconfig

Outbreak Filters: Enabled

Choose the operation you want to perform:

- SETUP - Change Outbreak Filters settings.

[]> setup

Outbreak Filters: Enabled

Would you like to use Outbreak Filters? [Y]>

Outbreak Filters enabled.

Outbreak Filter alerts are sent when outbreak rules cross the threshold (go above or back down below), meaning that new messages of

certain types could be quarantined or will no longer be quarantined, respectively.

Would you like to receive Outbreak Filter alerts? [N]>

What is the largest size message Outbreak Filters should scan?

[524288]>

Do you want to use adaptive rules to compute the threat level of messages? [Y]>

Logging of URLs is currently disabled.

Do you wish to enable logging of URL's? [N]> Y

Logging of URLs has been enabled.

The Outbreak Filters feature is now globally enabled on the system.  You must use the 'policyconfig' command in the CLI or the Email

Security Manager in the GUI to enable Outbreak Filters for the desired Incoming and Outgoing Mail Policies.

Choose the operation you want to perform:

- SETUP - Change Outbreak Filters settings.

[]>

Outbreak Filters Rules

Outbreak Rules are published by the Cisco Security Intelligence Operations and your appliance checks for and downloads new outbreak rules every 5 minutes. You can change this update interval. SeeConfiguring Server Settings for Downloading Upgrades and Updates for more information.

Related Topics

Managing Outbreak Filter Rules

Because the Outbreak Filters Rules are automatically downloaded for you, there really is no management needed on the part of the user.

However, if for some reason your appliance is not able to reach Cisco’s update servers for new rules over a period of time, it is possible that your locally-cached scores are no longer valid, i.e., if a known viral attachment type now has an update in the anti-virus software and/or is no longer a threat. At this time, you may wish to no longer quarantine messages with these characteristics.

You can manually download updated outbreak rules from Cisco’s update servers by clicking Update Rules Now.


Note

The Update Rules Now button does not “flush” all existing outbreak rules on the appliance . It only replaces outbreak rules that have been updated. If there are no updates available on Cisco’s update servers, then the appliance will not download any outbreak rules when you click this button.
Related Topics
Updating Outbreak Filter Rules

By default, your appliance will attempt to download new Outbreak Filters rules every 5 minutes. You can change this interval via the Security Services > Service Updates page. For more information, see Service Updates.

The Outbreak Filters Feature and Mail Policies

The Outbreak Filters feature has settings that can be set per mail policy. The Outbreak Filters feature can be enabled or disabled for each mail policy on the appliance . Specific file extensions and domains can be exempted from processing by the Outbreak Filters feature, per mail policy. This functionality is also available via the policyconfig CLI command (see the CLI Reference Guide for AsyncOS for Cisco Email Security Appliances ).


Note

Anti-Spam or Intelligent Multi-Scan scanning needs to be enabled globally on an appliance for the Outbreak Filters feature to scan for non-viral threats.

To modify the Outbreak Filters feature settings for a specific mail policy, click the link in the Outbreak Filters column of the policy to change.

To enable and customize the Outbreak Filters feature for a particular mail policy, select Enable Outbreak Filtering (Customize Settings).

You can configure the following Outbreak Filter settings for a mail policy:

  • Quarantine threat level
  • Maximum quarantine retention time
  • Deliver non-viral threat messages immediately without adding them to quarantine
  • File extension types for bypassing
  • Message modification threshold
  • Alter subject header using custom text and Outbreak Filter variables such as $threat_verdict , $threat_category , $threat_type , $threat_description , and $threat_level .
  • Include the following email headers:
    • X-IronPort-Outbreak-Status
    • X-IronPort-Outbreak-Description
  • Send the message to an alternate destination such as an appliance or an exchange server.
  • URL rewriting
  • Threat disclaimer

Select Enable Outbreak Filtering (Inherit Default mail policy settings) to use the Outbreak Filters settings that are defined for the default mail policy. If the default mail policy has the Outbreak Filters feature enabled, all other mail policies use the same Outbreak Filter settings unless they are customized.

Once you have made your changes, commit your changes.

Related Topics

Setting a Quarantine Level Threshold

Select a Quarantine Threat Level threshold for outbreak threats from the list. A smaller number means that you will be quarantining more messages, while a larger number results in fewer messages quarantined. Cisco recommends the default value of 3.

For more information, see Guidelines for Setting Your Quarantine Threat Level Threshold.

Maximum Quarantine Retention

Specify the maximum amount of time that messages stay in the Outbreak Quarantine. You can specify different retention times for messages that may contain viral attachments and messages that may contain other threats, like phishing or malware links. For non-viral threats, check the Deliver messages without adding them to quarantine check box to deliver the messages immediately without adding them to quarantine.


Note

You cannot quarantine non-viral threats unless you enable Message Modification for the policy.

CASE recommends a quarantine retention period when assigning the threat level to the message. The appliance keeps the message quarantined for the length of time that CASE recommends unless it exceeds the maximum quarantine retention time for its threat type.

Bypassing File Extension Types

You can modify a policy to bypass specific file types. Bypassed file extensions are not included when CASE calculates the threat level for the message; however, the attachments are still processed by the rest of the email security pipeline.

To bypass a file extension, click Bypass Attachment Scanning, select or type in a file extension, and click Add Extension. AsyncOS displays the extension type in the File Extensions to Bypass list.

To remove an extension from the list of bypassed extensions, click the trash can icon next to the extension in the File Extensions to Bypass list.

Related Topics
Bypassing File Extensions: Container File Types

When bypassing file extensions, files within container files (a .doc file within a .zip, for example) are bypassed if the extension is in the list of extensions to bypass. For example, if you add .doc to the list of extensions to bypass, all .doc files, even those within container files are bypassed.

Message Modification

Enable Message Modification if you want the appliance to scan messages for non-viral threats, such as phishing attempts or links to malware websites.

Based on the message’s threat level, AsyncOS can modify the message to rewrite all of the URLs to redirect the recipient through the Cisco web security proxy if they attempt to open the website from the message. The appliance can also add a disclaimer to the message to alert the user that the message’s content is suspicious or malicious.

You need to enable message modification in order to quarantine non-viral threat messages.

Related Topics
Message Modification Threat Level

Select a Message Modification Threat Level threshold from the list. This setting determines whether to modify a message based on the threat level returned by CASE. A smaller number means that you will be modifying more messages, while a larger number results in fewer messages being modified. Cisco recommends the default value of 3.

Message Subject

You can alter the text of the subject header on non-viral threat messages containing modified links to notify users that the message has been modified for their protection. Prepend or append the subject header with custom text, Outbreak Filter variables such as $threat_verdict , $threat_category , $threat_type , $threat_description , and $threat_level , or a combination of both. To insert variables, click Insert Variables, and select from the list of variables.

White space is not ignored in the Message Subject field. Add spaces after (if prepending) or before (if appending) the text you enter in this field to separate your added text from the original subject of the message. For example, add the text [MODIFIED FOR PROTECTION] with a few trailing spaces if you are prepending.


Note

The Message Subject field only accepts US-ASCII characters.
Outbreak Filters Email Headers

You can add the following additional headers to the message:

Header

Format

Example

Options

X-IronPort- Outbreak- Status

X-IronPort-Outbreak-Status: $threat_verdict, level $threat_level, $threat_category - $threat_type

X-IronPort-Outbreak- Status: Yes, level 4, Phish - Password

  • Enable for all messages
  • Enable only for non-viral outbreak
  • Disable

X-IronPort- Outbreak- Description

X-IronPort-Outbreak- Description: $threat_description

X-IronPort-Outbreak- Description: It may trick victims into submitting their username and password on a fake website.

  • Enable
  • Disable

Note

If you want to filter messages based on these headers, you must send the Outbreak Filter processed messages back to an appliance (by configuring an alternate destination mail host), and scan them using a content filter that matches these headers.
Alternate Destination Mail Host

If you want to perform a content filter-based scan on the Outbreak Filter processed messages, you must configure the Outbreak Filter to send the processed messages back to an appliance . This is because, in the processing pipeline, the Outbreak Filter scan is performed after the content filter scan.

In the Alternate Destination Mail Host field, enter the IP address (IPv4 or IPv6) or the FQDN of the appliance where you want to send the processed messages for further scans.

URL Rewriting and Bypassing Domains

If the message’s threat level exceeds the message modification threshold, the Outbreak Filters feature rewrites all URLs in the message to redirect the user to the Cisco web security proxy’s splash page if they click on any of them. (See Redirecting URLs for more information.) If the message’s threat level exceeds the quarantine threshold, the appliance also quarantines the message. If a small scale, non-viral outbreak is in progress, quarantining the message gives TOC time to analyze any suspect websites linked from possible outbreak messages and determine whether the websites are malicious. CASE uses updated Outbreak Rules from SIO to rescan the message to determine if it is part of the outbreak. After the retention period expires, the appliance releases the message from the quarantine.

AsyncOS rewrites all of the URLs inside a message except for the ones pointing to bypassed domains.

The following options are available for URL rewriting:

  • Enable only for unsigned messages. This option allows AsyncOS to rewrite URLs in unsigned messages that meet or exceed the message modification threshold, but not signed messages. Cisco recommends using this setting for URL rewriting.


    Note

    The appliance may rewrite URLs in a DomainKeys/DKIM-signed message and invalidate the message’s signature if a server or appliance on your network other than the Email Security appliance is responsible for verifying the DomainKeys/DKIM signature.

    The appliance considers a message signed if it is encrypted using S/MIME or it contains an S/MIME signature.


  • Enable for all messages. This option allows AsyncOS to rewrite URLs in all messages that meet or exceed the message modification threshold, including signed ones. If AsyncOS modifies a signed message, the signature becomes invalid.
  • Disable. This option disables URL rewriting for Outbreak Filters.

You can modify a policy to exclude URLs to certain domains from modification. To bypass domains, enter the IPv4 address, IPv6 address, CIDR range, hostname, partial hostname or domain in the Bypass Domain Scanning field. Separate multiple entries using commas.

The Bypass Domain Scanning feature is similar to, but independent of, the global allowed list used by URL filtering. For more information about that allowed list, see Creating Allowed Lists for URL Filtering.

Threat Disclaimer

The appliance can append a disclaimer message above the heading of a suspicious message to warn the user of its content. This disclaimer can be in HTML or plain text, depending on the type of message.

Select the disclaimer text you want to use from the Threat Disclaimer list or click the Mail Policies > Text Resources link to create a new disclaimer using the Disclaimer Template. The Disclaimer Template includes variables for outbreak threat information. You can see a preview of the threat disclaimer by clicking Preview Disclaimer. For custom disclaimer messages, you can use variables to display the threat level, the type of threat, and a description of the threat in the message. For information on creating a disclaimer message, see Overview of Text Resource Management.

The Outbreak Filters Feature and the Outbreak Quarantine

Messages quarantined by the Outbreak Filters feature are sent to the Outbreak quarantine. This quarantine functions like any other quarantine (for more information about working with quarantines, see Policy, Virus, and Outbreak Quarantines) except that it has a “summary” view, useful for deleting or releasing all messages from the quarantine, based on the rule used to place the message in the quarantine (for Outbreak Rules, the Outbreak ID is shown, and for Adaptive Rules, a generic term is shown). For more information about the summary view, see Outbreak Quarantine and the Manage by Rule Summary View.

Related Topics

Monitoring the Outbreak Quarantine

Though a properly configured quarantine requires little if any monitoring, it is a good idea to keep an eye on the Outbreak Quarantine, especially during and after virus outbreaks when legitimate messages may be delayed.

If a legitimate message is quarantined, one of the following occurs depending on the settings for the Outbreak quarantine:

  • If the quarantine’s Default Action is set to Release, the message will be released when the retention time period expires or when the quarantine overflows. You can configure the Outbreak quarantine so that the following actions are performed on messages before they are released due to overflow: strip attachments, modify the subject, and add an X-Header. For more information about these actions, see Default Actions for Automatically Processed Quarantined Messages.
  • If the quarantine’s Default Action is set to Delete, the message will be deleted when the retention time period expires, or when the quarantine overflows.
  • Overflow occurs when the quarantine is full and more messages are added. In this case the messages closest to their expiration date (not necessarily the oldest messages) are released first, until enough room is available for the new messages. You can configure the Outbreak quarantine so that the following actions are performed on messages before they are released due to overflow: strip attachments, modify the subject, add an X-Header.

Because quarantined messages are rescanned whenever new rules are published, it is very likely that messages in the Outbreak quarantine will be released prior to the expiration time.

Still, it can be important to monitor the Outbreak quarantine if the Default Action is set to Delete. Cisco recommends most users to not set the default action to Delete. For more information about releasing messages from the Outbreak quarantine, or changing the Default Action for the Outbreak Quarantine, see Default Actions for Automatically Processed Quarantined Messages.

Conversely, if you have messages in your Outbreak quarantine that you would like to keep in the quarantine longer while you wait for a new rule update, for example, you can delay the expiration of those messages. Keep in mind that increasing the retention time for messages can cause the size of the quarantine to grow.


Note

If anti-virus scanning is disabled globally (not via a mail policy) while a message is in the Outbreak quarantine, the message is not anti-virus scanned when it leaves the quarantine, even if anti-virus scanning is re-enabled prior to the message leaving the quarantine.

Note

You can use the Outbreak Filters feature without having enabled anti-virus scanning on the appliance . However, Outbreak Filters cannot scan for non-viral threats if anti-spam scanning is not enabled on the appliance.

Outbreak Quarantine and the Manage by Rule Summary View

You can view the contents of the Outbreak quarantine by clicking on the name of the quarantine in the listing on the Monitor menu in the GUI. The Outbreak quarantine has an additional view as well, the Outbreak Quarantine Manage by Rule Summary link.

Figure 3. The Outbreak Quarantine Manage by Rule Summary Link


Related Topics
Using the Summary View to Perform Message Actions on Messages in the Outbreak Quarantine Based on Rule ID.

Click on the Manage by Rule Summary link to see a listing of the contents of the Outbreak quarantine, grouped by rule ID:

Figure 4. The Outbreak Quarantine Manage by Rule Summary View


From this view, you can choose to release, delete, or delay the exit for all messages pertaining to a specific outbreak or adaptive rule, rather than selecting individual messages. You can also search through or sort the listing.

This functionality is also available via the quarantineconfig -> outbreakmanage CLI command. For more information, see the CLI Reference Guide for AsyncOS for Cisco Email Security Appliances .

Monitoring Outbreak Filters

The appliance includes several tools to monitor the performance and activity of the Outbreak Filters feature.

Related Topics

Outbreak Filters Report

The Outbreak Filters report to view the current status and configuration of Outbreak Filters on your appliance as well as information about recent outbreaks and messages quarantined due to Outbreak Filters. View this information on the Monitor > Outbreak Filters page. For more information, see the “Email Security Monitor” chapter.

Outbreak Filters Overview and Rules Listing

The overview and rules listing provide useful information about the current status of the Outbreak Filters feature. View this information via the Security Services > Outbreak Filters page.

Alerts, SNMP Traps, and Outbreak Filters

The Outbreak Filters feature supports two different types of notifications: regular AsyncOS alerts and SNMP traps.

SNMP traps are generated when a rule update fails. For more information about SNMP traps in AsyncOS, see the “Managing and Monitoring via the CLI” chapter.

AsyncOS has two types of alerts for the Outbreak Filter feature: size and rule

AsyncOS alerts are generated whenever the Outbreak quarantine’s size goes above 5, 50, 75, and 95 of the maximum size. The alert generated for the 95% threshold has a severity of CRITICAL, while the remaining alert thresholds are WARNING. Alerts are generated when the threshold is crossed as the quarantine size increases. Alerts are not generated when thresholds are crossed as the quarantine size decreases. For more information about alerts, see Alerts.

AsyncOS also generates alerts when rules are published, the threshold changes, or when a problem occurs while updating rules or the CASE engine.

Troubleshooting The Outbreak Filters Feature

This section provides some basic troubleshooting tips for the Outbreak Filters feature.

Related Topics

Reporting Incorrectly Classified Messages to Cisco

Use the checkbox on the Manage Quarantine page for the Outbreak quarantine to notify Cisco of misclassifications.

Multiple Attachments and Bypassed Filetypes

Bypassed file types are only excluded if a message’s only attachment is of that type, or in the case of multiple attachments, if the other attachments do not yet have existing rules. Otherwise the message is scanned.

Message and Content Filters and the Email Pipeline

Message and content filters are applied to messages prior to scanning by Outbreak Filters. Filters can cause messages to skip or bypass the Outbreak Filters scanning.