The Outbreak Filters feature uses three tactics to protect your users from outbreaks:

• Delay. Outbreak Filters quarantines messages that may be part of a virus outbreak or non-viral attack. While quarantined, the appliances receives updated outbreak information and rescans the message to confirm whether it’s part of an attack.

  Note	If a spam positive message is identified as outbreak positive by Outbreak Filters, the message is not sent to Outbreak Quarantine.

• Redirect. Outbreak Filters rewrites the URLs in non-viral attack messages to redirect the recipient through the Cisco web security proxy if they attempt to access any of the linked websites. The proxy displays a splash screen that warns the user that the website may contain malware, if the website is still operational, or displays an error message if the website has been taken offline. See Redirecting URLs for more information on redirecting URLs.
• Modify. In addition to rewriting URLs in non-viral threat messages, Outbreak Filters can modify a message’s subject and add a disclaimer above the message body to warn users about the message’s content. See Modifying Messages for more information.

The Outbreak Filters feature provides protection from two categories of message-based outbreaks: virus outbreaks , which are messages with never-before-seen viruses in their attachments, and non-viral threats , which includes phishing attempts, scams, and malware distribution through links to an external website.

By default, the Outbreak Filters feature scans your incoming and outgoing messages for possible viruses during an outbreak. You can enable scanning for non-viral threats in addition to virus outbreaks if you enable anti-spam scanning on the appliance .

Note	Your appliance needs a feature key for Anti-Spam or Intelligent Multi-Scan in order for Outbreak Filters to scan for non-viral threats.

Cisco Security Intelligence Operations (SIO) is a security ecosystem that connects global threat information, reputation-based services, and sophisticated analysis to appliances to provide stronger protection with faster response times.

SIO consists of three components:

• SenderBase. The world’s largest threat monitoring network and vulnerability database.
• Threat Operations Center (TOC). A global team of security analysts and automated systems that extract actionable intelligence gathered by SenderBase.
• Dynamic Update. Real-time updates automatically delivered to appliances as outbreaks occur.

SIO compares real-time data from the global SenderBase network to common traffic patterns to identify anomalies that are proven predictors of an outbreak. TOC reviews the data and issues a threat level of the possible outbreak. The appliances download updated threat levels and Outbreak Rules and use them to scan incoming and outgoing messages, as well as messages already in the Outbreak quarantine.

Information about current virus outbreaks can be found on SenderBase’s website here:

http://www.senderbase.org/

The SIO website provides a list of current non-viral threats, including spam, phishing, and malware distribution attempts:

http://tools.cisco.com/security/center/home.x

Outbreak Filters are powered by Cisco’s unique Context Adaptive Scanning Engine (CASE). CASE leverages over 100,000 adaptive message attributes tuned automatically and on a regular basis, based on real-time analysis of messaging threats.

For virus outbreaks, CASE analyzes the message content, context and structure to accurately determine likely Adaptive Rule triggers. CASE combines Adaptive Rules and the real-time Outbreak Rules published by SIO to evaluate every message and assign a unique threat level.

To detect non-viral threats, CASE scans messages for URLs and uses Outbreak Rules from SIO to evaluate a message’s threat level if one or more URLs are found.

Based on the message’s threat level, CASE recommends a period of time to quarantine the message to prevent an outbreak. CASE also determines the rescan intervals so it can reevaluate the message based on updated Outbreak Rules from SIO. The higher the threat level, the more often it rescans the message while it is quarantined.

CASE also rescans messages when they’re released from the quarantine. A message can be quarantined again if CASE determines that it is spam or contains a virus upon rescan.

For more information about CASE, see Cisco Anti-Spam: an Overview.

The period between when an outbreak or email attack occurs and when software vendors release updated rules is when your network and your users are the most vulnerable. A modern virus can propagate globally and a malicious website can deliver malware or collect your users’ sensitive information during this period. Outbreak Filters protects your users and network by quarantining suspect messages for a limited period of time, giving Cisco and other vendors time to investigate the new outbreak.

When a virus outbreak occurs, suspicious messages with attachments are quarantined until updated Outbreak Rules and new anti-virus signatures prove the email’s attachment is clean or a virus.

Small scale, non-viral threats contain URLs to malicious websites that may be online for a short period of time in order to evade detection by web security services or through URL shortening services in order to circumvent web security by putting a trustworthy website in the middle. By quarantining messages containing URLs that meet your threat level threshold, not only does CASE have the opportunity to reevaluate the message’s content based on updated Outbreak Rules from SIO, but the messages can remain in the quarantine long enough that the linked website may go offline or be blocked by a web security solution.

See Dynamic Quarantine for more information on how Outbreak Filters quarantine suspicious messages.

When CASE scans a message at the Outbreak Filters stage, it searches for URLs in the message body in addition to other suspicious content. CASE uses published Outbreak Rules to evaluate whether the message is a threat and then scores the message with the appropriate threat level. Depending on the threat level, Outbreak Filters protects the recipient by rewriting all the URLs to redirect the recipient to the Cisco web security proxy, except for URLs pointing to bypassed domains, and delaying the delivery of the message in order for TOC to learn more about the website if it appears to be part of a larger outbreak. See URL Rewriting and Bypassing Domains for more information on bypassing URLs for trusted domains.

After the appliance releases and delivers the message, any attempt by the recipient to access the website is redirected through the Cisco web security proxy. This is an external proxy hosted by Cisco that displays a splash screen that warns the user that the website may be dangerous, if the website is still operational. If the website has been taken offline, the splash screen displays an error message.

If the recipient decides to click the message’s URLs, the Cisco web security proxy displays a splash screen in the user’s web browser to warn the user about the content of the message. The following figure shows an example of the splash screen warning. The recipient can either click Ignore this warning to continue on to the website or Exit to leave and safely close the browser window.

The only way to access the Cisco web security proxy is through a rewritten URL in a message. You cannot access the proxy by typing a URL in your web browser.

Note	You can customize the appearance of this splash screen and display your organization’s branding such as company logo, contact information, and so on. See Customizing the Notification That End Users See If a Site Is Malicious.

Tip	To redirect all URLs in suspected spam messages to the Cisco Web Security proxy service, see Using Custom Headers to Redirect URLs in Suspected Spam to the Cisco Web Security Proxy: Configuration Example.

The Outbreak Filters feature modifies the message body of a non-viral threat message not only to rewrite the URLs but to alert the user that the message is a suspected threat. The Outbreak Filters feature can modify the subject header and add a disclaimer about the message’s content above the message body. See Message Modification for more information.

The threat disclaimer is created using the Disclaimer template through the Mail Policies > Text Resources page. See Overview of Text Resource Management for more information.

Two types of rules are used by Outbreak Filters to detect potential outbreaks: Adaptive and Outbreak. The Outbreak Filters feature uses these two rule sets to provide the highest efficacy and the most focused set of criteria for threat detection to ensure that filters can be laser focused on a particular outbreak. The Outbreak Filters rules and actions are visible to the administrator, not hidden away behind the scenes, providing instant access to quarantined messages and the reason why they were quarantined.

A Outbreak Filter rule is basically a Threat Level (e.g. 4) associated with a set of characteristics for an email message and attachment — things such as file size, file type, file name, message content, and so on. For example, assume the Cisco SIO notices an increase in the occurrences of a suspicious email message carrying a .exe attachment that is 143 kilobytes in size, and whose file name includes a specific keyword (“hello” for example). An Outbreak Rule is published increasing the Threat Level for messages matching this criteria. Your appliance checks for and downloads newly published Outbreak and Adaptive Rules every 5 minutes by default (see Updating Outbreak Filter Rules). Adaptive Rules are updated less frequently than Outbreak Rules. On the appliance , you set a threshold for quarantining suspicious messages. If the Threat Level for a message equals or exceeds the quarantine threshold, the message is sent to the Outbreak quarantine area. You can also set up a threshold for modifying non-viral threat messages to rewrite any URLs found in suspicious messages or add a notification at the top of message body.

The following table provides a basic set of guidelines or definitions for each of the various levels.

For more information about threat levels and outbreak rules, see Outbreak Filters Rules.

When a new virus attack or non-viral threat is released into the wild, no anti-virus or anti-spam software is able to recognize the threat yet, so this is where the Outbreak Filters feature can be invaluable. Incoming messages are scanned and scored by CASE using the published Outbreak and Adaptive Rules (see Types of Rules: Adaptive and Outbreak). The message score corresponds with the message’s threat level. Based on which, if any, rules the message matches, CASE assigns the corresponding threat level. If there is no associated threat level (the message does not match any rules), then the message is assigned a threat level of 0.

Once that calculation has been completed, the appliance checks whether the threat level of that message meets or exceeds your quarantine or message modification threshold value and quarantines message or rewrites its URLs. It the threat level is below the thresholds, it will be passed along for further processing in the pipeline.

Additionally, CASE reevaluates existing quarantined messages against the latest rules to determine the latest threat level of a message. This ensures that only messages that have a threat level consistent with an outbreak message stay within the quarantine and messages that are no longer a threat flow out of the quarantine after an automatic reevaluation.

In the case of multiple scores for an outbreak message — one score from an Adaptive Rule (or the highest score if multiple Adaptive Rules apply), and another score from an Outbreak Rule (or the highest score if multiple Outbreak Rules apply) — intelligent algorithms are used to determine the final threat level.

It is possible to use the Outbreak Filters feature without having enabled anti-virus scanning on the appliance . The two security services are designed to complement each other, but will also work separately. That said, if you do not enable anti-virus scanning on your appliance , you will need to monitor your anti-virus vendor’s updates and manually release or re-evaluate some messages in the Outbreak quarantine. When using Outbreak Filters without anti-virus scanning enabled, keep the following in mind:

• You should disable Adaptive Rules
• Messages will get quarantined by Outbreak Rules
• Messages will get released if the threat level is lowered or time expires

Downstream anti-virus vendors (desktops/groupware) may catch the message on release.

Note	Anti-spam scanning needs to be enabled globally on an appliance for the Outbreak Filters feature to scan for non-viral threats.

The Outbreak Filters feature’s Outbreak quarantine is a temporary holding area used to store messages until they’re confirmed to be threats or it’s safe to deliver to users. (See Outbreak Lifecycle and Rules Publishing for more information.) Quarantined messages can be released from the Outbreak quarantine in several ways. As new rules are downloaded, messages in the Outbreak quarantine are reevaluated based on a recommended rescan interval calculated by CASE. If the revised threat level of a message falls under the quarantine retention threshold, the message will automatically be released (regardless of the Outbreak quarantine’s settings), thereby minimizing the time it spends in the quarantine. If new rules are published while messages are being re-evaluated, the rescan is restarted.

Please note that messages quarantined as virus attacks are not automatically released from the outbreak quarantine when new anti-virus signatures are available. New rules may or may not reference new anti-virus signatures; however, messages will not be released due to an anti-virus engine update unless an Outbreak Rule changes the threat level of the message to a score lower than your Threat Level Threshold.

Messages are also released from the Outbreak quarantine after CASE’s recommended retention period has elapsed. CASE calculates the retention period based on the message’s threat level. You can define separate maximum retention times for virus outbreaks and non-viral threats. If CASE’s recommended retention time exceeds the maximum retention time for the threat type, the appliance releases messages when the maximum retention time elapses. For viral messages the default maximum quarantine period is 1 day. The default period for quarantining non-viral threats is 4 hours. You can manually release messages from the quarantine.

The appliance also releases messages when the quarantine is full and more messages are inserted (this is referred to as overflow). Overflow only occurs when the Outbreak quarantine is at 100% capacity, and a new message is added to the quarantine. At this point, messages are released in the following order of priority:

• Messages quarantined by Adaptive Rules (those scheduled to be released soonest are first)
• Messages quarantined by Outbreak Rules (those scheduled to be released soonest are first)

Overflow releases stop the moment the Outbreak quarantine is below 100% capacity. For more information about how quarantine overflow is handled, see Retention Time for Messages in Quarantines and Default Actions for Automatically Processed Quarantined Messages.

Messages released from the Outbreak quarantine are scanned by the anti-virus and anti-spam engines again if they’re enabled for the mail policy. If it is now marked as a known virus or spam, then it will be subject to your mail policy settings (including a possible second quarantining in the Virus quarantine or Spam quarantine). For more information, see The Outbreak Filters Feature and the Outbreak Quarantine.

Thus it is important to note that in a message's lifetime, it may actually be quarantined twice — once due to the Outbreak Filters feature, and once when it is released from the Outbreak quarantine. A message will not be subject to a second quarantine if the verdicts from each scan (prior to Outbreak Filters, and when released from the Outbreak quarantine) match. Also note that the Outbreak Filters feature does not take any final actions on messages. The Outbreak Filters feature will either quarantine a message (for further processing) or move the message along to the next step in the pipeline.

Outbreak Rules are published by the Cisco Security Intelligence Operations and your appliance checks for and downloads new outbreak rules every 5 minutes. You can change this update interval. SeeConfiguring Server Settings for Downloading Upgrades and Updates for more information.

The Outbreak Filters feature has settings that can be set per mail policy. The Outbreak Filters feature can be enabled or disabled for each mail policy on the appliance . Specific file extensions and domains can be exempted from processing by the Outbreak Filters feature, per mail policy. This functionality is also available via the policyconfig CLI command (see the CLI Reference Guide for AsyncOS for Cisco Email Security Appliances ).

Note	Anti-Spam or Intelligent Multi-Scan scanning needs to be enabled globally on an appliance for the Outbreak Filters feature to scan for non-viral threats.

To modify the Outbreak Filters feature settings for a specific mail policy, click the link in the Outbreak Filters column of the policy to change.

To enable and customize the Outbreak Filters feature for a particular mail policy, select Enable Outbreak Filtering (Customize Settings).

You can configure the following Outbreak Filter settings for a mail policy:

• Quarantine threat level
• Maximum quarantine retention time
• Deliver non-viral threat messages immediately without adding them to quarantine
• File extension types for bypassing
• Message modification threshold
• Alter subject header using custom text and Outbreak Filter variables such as $threat_verdict , $threat_category , $threat_type , $threat_description , and $threat_level .
• Include the following email headers:
  • X-IronPort-Outbreak-Status
  • X-IronPort-Outbreak-Description
• Send the message to an alternate destination such as an appliance or an exchange server.
• URL rewriting
• Threat disclaimer

Select Enable Outbreak Filtering (Inherit Default mail policy settings) to use the Outbreak Filters settings that are defined for the default mail policy. If the default mail policy has the Outbreak Filters feature enabled, all other mail policies use the same Outbreak Filter settings unless they are customized.

Once you have made your changes, commit your changes.

Messages quarantined by the Outbreak Filters feature are sent to the Outbreak quarantine. This quarantine functions like any other quarantine (for more information about working with quarantines, see Policy, Virus, and Outbreak Quarantines) except that it has a “summary” view, useful for deleting or releasing all messages from the quarantine, based on the rule used to place the message in the quarantine (for Outbreak Rules, the Outbreak ID is shown, and for Adaptive Rules, a generic term is shown). For more information about the summary view, see Outbreak Quarantine and the Manage by Rule Summary View.

The Outbreak Filters report to view the current status and configuration of Outbreak Filters on your appliance as well as information about recent outbreaks and messages quarantined due to Outbreak Filters. View this information on the Monitor > Outbreak Filters page. For more information, see the “Email Security Monitor” chapter.

The overview and rules listing provide useful information about the current status of the Outbreak Filters feature. View this information via the Security Services > Outbreak Filters page.

Use the outbreak quarantine to monitor how many messages are being flagged by your Outbreak Filters threat level threshold. Also available is a listing of quarantined messages by rule. For information, see Outbreak Quarantine and the Manage by Rule Summary View and Policy, Virus, and Outbreak Quarantines

The Outbreak Filters feature supports two different types of notifications: regular AsyncOS alerts and SNMP traps.

SNMP traps are generated when a rule update fails. For more information about SNMP traps in AsyncOS, see the “Managing and Monitoring via the CLI” chapter.

AsyncOS has two types of alerts for the Outbreak Filter feature: size and rule

AsyncOS alerts are generated whenever the Outbreak quarantine’s size goes above 5, 50, 75, and 95 of the maximum size. The alert generated for the 95% threshold has a severity of CRITICAL, while the remaining alert thresholds are WARNING. Alerts are generated when the threshold is crossed as the quarantine size increases. Alerts are not generated when thresholds are crossed as the quarantine size decreases. For more information about alerts, see Alerts.

AsyncOS also generates alerts when rules are published, the threshold changes, or when a problem occurs while updating rules or the CASE engine.

Use the checkbox on the Manage Quarantine page for the Outbreak quarantine to notify Cisco of misclassifications.

Bypassed file types are only excluded if a message’s only attachment is of that type, or in the case of multiple attachments, if the other attachments do not yet have existing rules. Otherwise the message is scanned.

Message and content filters are applied to messages prior to scanning by Outbreak Filters. Filters can cause messages to skip or bypass the Outbreak Filters scanning.