Re: AsynOS 13.5: Are you kidding, Cisco? You are creating a massive security threat!

cryptochrome · ‎08-24-2020

I just read through the AsyncOS release notes and stumbeled across this:

Prior to this release, if a spam positive message is identified as outbreak positive by Outbreak Filters, the message was sent to Outbreak Quarantine. After you upgrade to this release, if a spam positive message is identified as outbreak positive by Outbreak Filters, the message is not sent to Outbreak Quarantine.

I hope you are not being serious here, Cisco? Messages released from the Spam Quarantine proceed directly to the destination queue, skipping any further work queue processing in the email pipeline. With this change, spam mails that could potentially be harmful outbreaks, phishing attacks etc. will no longer be scanned. End users releasing these mails from their spam quarantine -> disaster waiting to happen.

Please comment, Cisco. Thank you.

charella · ‎08-24-2020

Hello cryptochrome,

Reply to: Prior to this release, if a spam positive message is identified as outbreak positive by Outbreak Filters, the message was sent to Outbreak Quarantine. After you upgrade to this release, if a spam positive message is identified as outbreak positive by Outbreak Filters, the message is not sent to Outbreak Quarantine.
---------
Outbreak explanations can be confusing with multiple references using similar terminology.

There are 2 parts of Outbreak Filters:

* Viral/Malicious
* TOF (Threat Outbreak Filters) or Other. Simply put NOT virus… such as Spam, Phishing, Scam
------------- This portion of the release notes is in reference to the second… TOF

1. Outbreak TOF action is taken based on the Antispam verdicts. Positive, Suspect, or Negative.
2. Post Outbreak quarantine and final determination, the action is taken based on “That ESA’s specific incoming mail policy” spam settings.

* Example: 1st pass through the system = spam positive | TOF positive > final result is spam positive action.

i. This specific scenario, the same outcome whether the resources are consumed or not.

*

1. Talos has determined through extended analysis, that if the messages scored Spam Positive, it will score Outbreak TOF positive.

* It does not benefit anything to retain the message for an hour when the ESA already plans to drop it.

The benefit of the quarantine for TOF, would come into play if a message was:

1. First scan > spam negative or spam suspect, TOF Outbreak Positive…. 55 minutes in quarantine > Final Scan Outbreak Positive, the message would take the action configured for Spam Positive and drop(if configured.)

This new redesigned version of Outbreak Filters for 13.5.1 ESA has incorporated major innovation and redisign incorporated to boost effectiveness and improve detection!

This release also includes redesigns to the following services, improving responsiveness and adaptability.
SBRS Score
URL Filters
Outbreak Filters TOF
Service Logs

I hope this assisted with your question.
Thank you,

cryptochrome · ‎08-24-2020

Thanks @charella, but I still have an issue with your given example:

* Example: 1st pass through the system = spam positive | TOF positive > final result is spam positive action.

In this case, a positively identified phish would end up in spam. From where it can be released by the end user.

I guess I don't understand how Cisco can mix up all these terms (as per your TOF description: Spam, Phishing, Scam) and treat them equally. A spam is an annoyance, a phish poses a real threat. Yet it's treated the same as spam and can easily end up in a user's mailbox. Sorry for being blunt, but that is pretty bad design, if you ask me.

To make matters worse, regarding to your documentation, mails released from the spam quarantine are going straight to the delivery queue, skipping the work queue. In other words, released spams are neither checked for viruses again (regardless of how long that mail was kept in the spam quarantine) nor is it run against outbreak filters again. I would consider this behavior a bug and vulnerability.