01-14-2014 09:04 AM
Hi everybody,
I'm looking for advice to determine the maximum message size for Anti-spam and Outbreak scan.
I am currently using a scan size of 1M for Anti-spam and I will add Outbreak filter (more and more spam exceed my spam limit).
My equipment is an ESA C370 with AsyncOS 8.0.1.
I found in the documentation the following lines :
Always scan messages smaller than—The recommended value is 512 Kb or less [...] Cisco advises not to exceed 3 MB for the always scan message size.
Never scan messages larger than—The recommended value is 1024 Kb or less. [...] Cisco advises not to exceed 10 MB for the never scan message size.
For messages larger than the always scan size or smaller than the never scan size, a limited and faster scan is performed.
I didn't find any sentence about recommanded scan size for Outbreak...
Thank you for your help.
Best regards
01-16-2014 01:04 PM
This is a little older information - but, still would hold true --->
Currently, on the E-mail Security Appliance, the maximum scan size for IPAS is limited to 128K by default (the original default was 256K so many older appliance might have this set as the limit). Messages larger than this limit are not scanned by IPAS. Recently, Cisco IronPort did some extensive performance and efficacy testing on an average message load to determine the impact of increase scanning size on the E-mail Security Appliance.
The tests show that when raising the maximum scan size for IPAS the increase in efficacy is significant: a 256K maximum scan size yields a 24% decrease in missed spam, and a 512K maximum scan size yields a decrease of 35% in missed spam. However, there is a potential performance impact of 24% when going from a maximum scan size of 128K to 512K (depending on the type of hardware platform). The impact of going from a maximum scan size of 128K to 256K is 12%. See summary below:
128K -> 256K scan size limit:
12% possible performance reduction, 24% reduction in missed spam
128K -> 512K scan size limit:
24% possible performance reduction, 35% reduction in missed spam
Below table show the performance results of a medium mailbox with a 50:50 ratio of spam and ham. MPS is messages per second.
|
Recommendation and Performance measure:
The Cisco IronPort Security Applications Group recommends that all customers review their current stability and performance (see below for some tips on how to measure this) to determine if they can safely raise the maximum scan size for messages sent to IPAS (IronPort Anti-Spam Engine). It is also recommend that you take a phased approach to the increase. If maximum scan size for IPAS on your E-mail Security Appliance is currently set to 128K (131072), then first raise the maximum scan size to 256K (262144) and re-evaluate your stability and performance. If everything is stable then increase the scan size limit to 512K (524288).
Performance of an E-mail Security Appliance depends on the set of features enabled on the appliance such as anti-spam, anti-virus, message filters and content filters along with the load of the appliance based on the no. of msgs/sec scanned and maximum size of a message allowed.
The most effective way to monitor system capacity is to track overall volume, messages in the work queue and incidents of Resource Conservation Mode. The System Capacity page under Monitor > System Capacity provides a detailed representation of the system load, including messages in the work queue, average time spent in the work queue, incoming and outgoing messages (volume, size, and number), overall CPU usage, CPU usage by function, and memory page swapping information.
The System Capacity - system load report shows the overall CPU usage on your IronPort appliance. AsyncOS is optimized to use idle CPU resources to improve message throughput. High CPU usage may not indicate a system capacity problem. If the high CPU usage is coupled with consistent, high-volume memory page swapping, you may have a capacity problem.
This page also shows a graph that displays the amount of CPU used by different functions, including mail processing, spam and virus engines, reporting, and quarantines. The CPU-by-function graph is a good indicator of which areas of the product use the most resources on your system. If you need to optimize your appliance, this graph can help you determine which functions may need to be tuned or disabled. The memory page swapping graph shows how frequently the system must page to disk.
If stability and performance does drop below acceptable limits, you might try a smaller increase. Any amount greater than the current setting will help efficacy and reduce missed spam. For instance, if 512K proves to be too much of a burden on your E-mail Security Appliance you might try a value of 384K (393216).
Hope this helps!
-Robert
(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide