THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.0 | 08-Sep-15 | Initial Release |
10.0 | 09-Oct-17 | Migration to new field notice system |
Affected OS Type | Affected Release | Affected Release Number | Comments |
---|---|---|---|
NON-IOS | 8 | 8.5.5 | |
Defect ID | Headline |
---|---|
CSCuv55540 | Web Based Reputation Score (WBRS) ranges on ESA needs updating |
The Suspect range used in the Email Security Appliance's (ESA's) URL reputation has been changed from (-5.9 to +5.9) to (-5.9 to -5.0).
In AsyncOS Version 8.5.5 for Email, Cisco introduced the URL Reputation feature in order to filter emails with URLs that fall into these four categories:
1. Malicious (-10 to -6.0)
2. Suspect (-5.9 to +5.9)
3. Clean (+6.0 to +10.0)
4. Custom range
On Thursday, July 23, 2015, Cisco Threat Intelligence, through ongoing research and sensor information, realized that the current implementation of the Web Based Reputation Score (WBRS) service did not fully block malicious URL traffic. A decision was made to more aggressively block malicious URLs/domains. As a result of this change, a large number of URLs shifted score from +3.0 to -3.0.
Due to this recategorization, email messages that contain URLs whose score has changed might fall into other reputation ranges and might have been quarantined (or tagged, or subjected to any other action selected during configuration).
The change alters the behavior of URL filtering on the ESAs if the default 'Suspect' range, or a custom range, is in use. These changes caused message filters or content filters that use the URL Reputation condition to activate their actions more frequently. The action can be 'tagging the message', 'quarantine', 'defang', 'BCC', 'drop', and so on.
If you are not comfortable with the new definition of the Suspect range and want to keep the same range, you do not need to change anything in your configuration. If the number of email messages that have been quarantined (or tagged, or subjected to any other action selected during configuration) is too high and you want to adapt to the new Suspect range, complete these steps:
1. Browse to your Incoming Content Filters via Mail Policies > Incoming Content Filters. Review all content filters with a condition or action that leverages the Suspect or Custom URL range:
Conditions:
URL Reputation url-reputation(-5.90, 5.90 , "")
Actions:
URL Reputation url-reputation-defang(-5.90, 5.90,"",0)
URL Reputation url-reputation-proxy-redirect(-5.90, 5.90,"",0)
URL Reputation url-reputation-replace(-5.90, 5.90,"myproxy.internal","",0)
2. Replace all identified actions or conditions with the new custom range:
Conditions:
URL Reputation url-reputation(-5.90, -5.0 , "")
Actions:
URL Reputation url-reputation-defang(-5.90, -5.0,"",0)
URL Reputation url-reputation-proxy-redirect(-5.90, -5.0,"",0)
URL Reputation url-reputation-replace(-5.90, -5.0,"myproxy.internal","",0)
3. Once the content filter changes are complete, commit all changes.
Example of a Message Filter
URL_categories: if url-reputation(-5.90, 5.9 , "")
{
url-reputation-defang(-5.90, 5.9,"",0);
url-reputation-proxy-redirect(-5.90, 5.9,"",0);
url-reputation-replace(-5.90, 5.9,"myproxy.internal","",0);
}
In order to change the existing message filter, complete these steps:
1. SSH into the appliance.
2. Enter the command filters.
3. Review the message filters that use the url-reputation condition, or have an action of url-reputation-defang, url-reputation-proxy-redirect, or url-reputation-replace.
4. Once the filter is identified, copy it to a text application.
5. Change all references to +5.9 to -5.0.
6. Enter the filters command again, follow the option of new, and paste your modified filter.
Example of a Changed Message Filter
URL_categories: if url-reputation(-5.90, -5.0 , "")
{
url-reputation-defang(-5.90, -5.0,"",0);
url-reputation-proxy-redirect(-5.90, -5.0,"",0);
url-reputation-replace(-5.90, -5.0,"myproxy.internal","",0);
}
Once the message filters have been updated, commit all changes.
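Step 5 of the message filter procedure above, as an added example (not Cisco code): a Python helper that rewrites only the calls still using the old Suspect range (-5.9 to +5.9) in a copied filter and leaves custom ranges untouched for manual review. The function name `rewrite_suspect_range` and the sample filter text are constructed for illustration.

```python
import re

# The rule and the three actions named in this notice, followed by their first
# two numeric arguments (minimum score, maximum score).
_CALL = re.compile(
    r"(?<![\w-])(?P<name>url-reputation(?:-defang|-proxy-redirect|-replace)?)"
    r"(?P<open>\(\s*)(?P<lo>[+-]?\d+(?:\.\d+)?)(?P<sep>\s*,\s*)"
    r"(?P<hi>[+-]?\d+(?:\.\d+)?)"
)

OLD_SUSPECT = (-5.9, 5.9)  # Suspect range before the change
NEW_UPPER = "-5.0"         # new upper bound of the Suspect range


def rewrite_suspect_range(filter_text):
    """Return (new_text, changes); changes holds (line_no, name, old_upper)."""
    changes = []
    out = []
    for line_no, line in enumerate(filter_text.splitlines(keepends=True), 1):
        def _sub(m, line_no=line_no):
            lo, hi = float(m.group("lo")), float(m.group("hi"))
            if (lo, hi) != OLD_SUSPECT:
                return m.group(0)  # custom range: leave it for manual review
            changes.append((line_no, m.group("name"), m.group("hi")))
            return (m.group("name") + m.group("open") + m.group("lo")
                    + m.group("sep") + NEW_UPPER)
        out.append(_CALL.sub(_sub, line))
    return "".join(out), changes


# Constructed sample: three calls on the old Suspect range, one custom range.
SAMPLE = '''URL_categories: if url-reputation(-5.90, 5.9 , "")
{
url-reputation-defang(-5.90, 5.9,"",0);
url-reputation-proxy-redirect(-5.90, +5.90,"",0);
url-reputation-replace(-3.0, 3.0,"myproxy.internal","",0);
}
'''

if __name__ == "__main__":
    new_text, changes = rewrite_suspect_range(SAMPLE)
    for line_no, name, old_upper in changes:
        print(f"line {line_no}: {name} upper bound {old_upper} -> {NEW_UPPER}")
    print(new_text)
```

Running the helper a second time on its own output reports no changes, which makes it usable as a check that no filter still references the old range before you paste the result back.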
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Cisco Notification Service—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.