Help me better understand Outbreak Filters

cryptochrome
Level 1

Hello ESA gods,

I have a couple of questions regarding Outbreak Filters that I can't wrap my head around, maybe you can help:

1. When emails leave the outbreak quarantine, I know they will be sent through the AV engine again. Will they also be sent through content filters again? Or would I have to use "send to alternate host" to send them back to the ESA if I want to run them through content filters again?

2. When I enable message modification, will this only apply to mails that are released from quarantine when the timer runs out? Or will messages also be modified when Cisco gives a "clean" verdict after a while?

3. Does message modification apply to "other threats" only or do they apply to viral attachments as well (e.g. if I add a disclaimer, will the disclaimer be added to both types of threats)?


Also, I am a bit surprised that I don't have all the options available that are available in URL filters, like link defang or link rewrite. This would be a welcome addition to the Outbreak feature set. 


tsilveruits
Level 1

See Chapter 4 of the ESA Administration Guide, Understanding the Email Pipeline. That should help clarify. Also, the guide states, "Messages released from the Outbreak quarantine are re-scanned by the anti-spam, AMP, and anti-virus engines." See "About Rescanning of Quarantined Messages" in the ESA Administration Guide.

I have read that already, but it doesn't answer the questions I have. 

Hello cryptochrome,

Will Outbreak-detected mail be sent through content filters again? >>> NO
Would I have to use "send to alternate host" to send them back to the ESA if I want to run them through content filters again? No, Althost is too late to apply.

The following steps may work for you.
Please use caution and consider your mail volume and load to your ESA.
Answer:

* The content filters would have been processed for the original message.
* The content filters will not process upon release.
* If that is not good enough, and you want to take some special action with a content filter or other action, you can loop the released mail back into one of your ESAs and process the mail flow as desired.
* This activity is dependent upon the volume of the flow and size of your environment. If you are pushing your machines beyond their limits, maybe skip this.


* Navigate to Incoming Mail Policies > Default > Outbreak Filters (this applies per policy if you have multiple custom OF settings).
* Within Outbreak Filters, there is an option in the lower section of the configuration:
* Alternate Destination Mail Host (Other Threats only): the IP of your ESA interface that receives email.
* Clarifying, this will deliver the released Outbreak messages back into your ESA.
* This setting is for NON-viral categories, meaning the viral verdicts will not adhere to this action.
* Create a custom Sender Group.
* Add the IP address as a sender (critical step).
* Determine if you want the Mail Flow to be Accept or Relay.
* Create a Mail Flow Policy.
* Within the mail flow policy, choose whether to scan spam, virus, AMP. Remove any rejection restriction on failed SPF/DKIM/DMARC/sender verification/DHAP... NOTHING to reject this mail from only 1 IP.
* If your desire is to process content filters, then other services may not need to be scanned (to preserve resources).
* Message Filter (optional)
* Customize it to skip scanning for unwanted services.
* The primary rule will be the name of the custom Sender Group as the match rule: if sendergroup == "Your_sender_group_name" {action}
* There are numerous actions to take such as skip-ampcheck, skip-vofcheck, skip-viruscheck.
* A Google search for "ESA Message Filter Action" should provide you a list of options.
* The remaining processing would be performed based on normal mail processing.

============= Additional step if you want to add a header from Outbreak filters, then take action from a content filter.

* The same section above to add the IP Address within outbreak filters.
* Check the Outbreak Filters “Include the X-IronPort-Outbreak-Status headers:” – Enable for all messages
This selection will add a header to the email which can be actioned when it passes through the ESA a second time.

* Content filter Condition – Other Header
* Header Name: X-IronPort-Outbreak-Status
* Now you can take actions based on the header.

Good luck,
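A complete message filter for the optional "Message Filter" step in the reply above, written as an added example (it is not from the post or from Cisco's documentation). It assumes the custom Sender Group for the loopback IP is named OUTBREAK_LOOPBACK; the filter keeps the skip-* actions the reply lists so that the second pass through the ESA only spends effort on content filters, while the content filter keyed on the X-IronPort-Outbreak-Status header is still configured separately in the GUI as described.

```text
OutbreakLoopback:
if (sendergroup == "OUTBREAK_LOOPBACK")
{
    // Anti-spam, anti-virus, AMP and Outbreak Filters already ran on the
    // original delivery; skip them on the looped-back copy so only the
    // content filters (and the header-based action) do new work.
    skip-spamcheck();
    skip-viruscheck();
    skip-ampcheck();
    skip-vofcheck();
}
```

Drop any skip-* line for an engine you do want to re-run on the second pass; the sender group match is what confines the filter to mail arriving from the loopback IP.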

