Cisco Community
English
Register
The War in Ukraine - Supporting customers, partners and communities. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Cisco Secure Email Support Community
Product Support Talos Support Cisco Support Reference + Current Release
Gateway Reputation Lookup Open a support case Secure Email Guided Setup
Gateway: 14.0.2-020
Cloud Gateway Email Status Portal Support & Downloads docs.ces.cisco.com
Email and Web Manager: 14.1.0-239
Email and Web Manager Web & Email Reputation Worldwide Contacts Product Naming Quick Reference
Reporting Plug-in: 1.1.0.136
Encryption Bug Search
Encryption Plug-in: 1.2.1.167
Cloud Mailbox Notification Service
Outlook Add-in(s): More info
1195
Views
0
Helpful
3
Replies
cryptochrome
Beginner
Beginner
‎02-24-2020 06:14 AM
‎02-24-2020 06:14 AM

Help me better understand Outbreak Filters

Hello ESA gods,

I have a couple of questions regarding Outbreak Filters that I can't wrap my head around, maybe you can help:

1. When emails leave the outbreak quarantine, I know the will be sent through the AV engine again. Will they also be sent through content filters again? Or would I have to use "send to alternate host" to send them back to ESA if I want to run them through content filters again?

2. When I enabled message modification, will this only apply to mails that are released from quarantine when the timer runs out? Or will messages also be modified when Cisco gives a "clean" verdict after a while?

3. Does message modification apply to "other threats" only or do they apply to viral attachments as well (e.g. if I add a disclaimer, will the disclaimer be added to both types of threats)?

 

Also, I am a bit surprised that I don't have all the options available that are available in URL filters, like link defang or link rewrite. This would be a welcome addition to the Outbreak feature set. 

Labels:
0 Helpful
3 REPLIES 3
tsilveruits
Beginner
Beginner
‎02-24-2020 08:01 AM
‎02-24-2020 08:01 AM

See Chapter 4 of the ESA Administration Guide, Understanding the Email Pipeline. That should help clarify. Also, the guide states, "Messages released from the Outbreak quarantine are re-scanned by the anti-spam, AMP, and anti-virus engines. See, About Rescanning of Quarantined Messages, in the ESA Administration Guide.

0 Helpful
cryptochrome
Beginner
Beginner
In response to tsilveruits
‎02-24-2020 08:45 AM
‎02-24-2020 08:45 AM

I have read that already, but it doesn't answer the questions I have. 

0 Helpful
charella
Cisco Employee
Cisco Employee
In response to cryptochrome
‎02-25-2020 10:54 AM
‎02-25-2020 10:54 AM

Hello cryptochrome,

Will Outbreak detected Mail be sent through content filters again? >>> NO
Would I have to use "send to alternate host" to send them back to ESA if I want to run them through content filters again? No Althost is too late to apply

The following steps may work for you.
Please use caution and consider your mail volume and load to your ESA.
Answer:

* The content filters would have been processed for the original message.
* The content filters will not process upon release.
*
* If that is not good enough, and you want to take some special action with a content filter or other action
*
* You can loop the released mail back into one of your ESA and process the mail flow as desired.
* This activity is dependent upon the volume of the flow and size of your environment. If you are pushing your machines beyond their limits, maybe skip this.


* Navigate to Incoming Mail Policies > Default > Outbreak Filters > (this applies based on each policy if you have multiple custom OF settings )
* Within outbreak filters, there is an option in the lower section of the configuration,
*
* Alternate Destination Mail Host (Other Threats only):
* The ip of. Your ESA interface that receives email
* Clarifying, this will deliver the released Outbreak messages back into your ESA.
* This settings is for NON viral categories, meaning the viral verdicts will not adhere to this action.
*
* Create a custom Sender Group
* Add the IP Address as a sender (critical step)
* Determine if you want the mail.
* Flow to be Accept or Relay
* Create a Mail Flow Policy
* Within the mail flow policy choose whether to scan spam, virus, amp. Remove any rejection restriction on failed spf/dkim/dmarc/ sender verification/dhap…. NOTHING to reject this mail from only 1 ip.
* If your desire is to process content filters, then other services may not need to be scanned (to preserve resources).
* Message Filter (optional)
* Customize it to skip scanning for unwanted services
* The primary rule will be the name of the custom Sender Group as the match rule > if sendergroup == "Your_sender_group_name" {action
* There are numerous actions to take such as - skip-ampcheck, skip-vofcheck, skip-viruscheck
* A google search for ‘ESA Message Filter Action” should provide you a list of options.
* The remaining processing would be performed based on normal mail processing.

============= Additional step if you want to add a header from Outbreak filters, then take action from a content filter.

* The same section above to add the IP Address within outbreak filters.
* Check the Outbreak Filters “Include the X-IronPort-Outbreak-Status headers:” – Enable for all messages
This selection will add a header to the email which can be actioned when it passes through the ESA a second time.

* Content filter Condition – Other Header
* Header Name: X-IronPort-Outbreak-Status
* Now you can take actions based on the header.

Good luck,


0 Helpful
Latest Contents
DOT1X IOS commands overview
Created by Meddane on 05-21-2022 03:14 PM
0
0
0
0
Radius server configuration for 802.1X   Server radius test1 Address ipv4 10.1.1.1 Key 1234 ! Server radius test2 Address ipv4 10.1.1.2 Key 1234 ! aaa group server radius TEST-gr  server name test1  server name test2 !      &... view more
Umbrella’s cloud-delivered firewall (CDFW)
Created by Meddane on 05-21-2022 03:04 PM
0
0
0
0
Umbrella’s cloud-delivered firewall (CDFW) is a cool features that provides Firewall Services in the Cisco Umbrella Cloud without the need to deploy on-premises firewall devices and visibility and control for internet traffic across all branch offices. To... view more
GRE over IPSec Crypto map versus Tunnel Protection (IPsec Pr...
Created by Meddane on 05-21-2022 03:01 PM
0
0
0
0
GRE over IPSec Crypto map   int tunnel 1ip add 172.16.1.1 255.255.255.0tunnel source G0/0tunnel destination 2.2.2.2!access-list 100 permit gre host 1.1.1.1 host 2.2.2.2!crypto ipsec transform-set TS esp-aes esp-sha-hmac!crypto map TESTset peer 2.2.2.... view more
ISE URL Redirection on IOS-XE
Created by Mohsin_Mohamed on 05-20-2022 01:04 PM
0
0
0
0
SymptomsDownloadable ACL (dACL) does not take effect on the IOS-XE Network Access DevicesDiagnosisCreating redirection ACL on the IOS-XE device failed to redirect the specified traffic for captive portal redirectionSolutionEnable device tracking, Below is... view more
Network Security All-in-one ASA FTD WSA Umbrella ISE VPN Lay...
Created by Meddane on 05-17-2022 06:18 AM
2
0
2
0
Multiple Cisco Security Technologies in a single book : ASA Firepower, WSA, Umbrella, ISE and VPN with 100 percent 100 practical scenarios with 70 Labs to cover important topics of the Cisco SCOR Exam. The best part is ISE with interesting scenarios wi... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad