IronPort ESA Outbreak filters or rule bad?

BrianRoberson · ‎04-02-2018

ESA went nuts in the last thirty minutes and started quarantining email into outbreak quarantine. I'm guessing Cisco released a bad definition/rule?

Waiting on guidance from Cisco...

nicktang · ‎04-02-2018

mail being quarantined and deleted for reason "Scam: Fake Deal"

BrianRoberson · ‎04-02-2018

Exactly what I am seeing.

nickylee · ‎04-02-2018

we are seeing a similar issue - since about 6-7PM Pacific time

gmail addresses are being filtered, hotmail, cisco emails are not filtered

rmuirden@slv.vic.gov.au · ‎04-02-2018

We are seeing messages even from local servers (eg: internally generated messages which do get filtered by our ESA's) being quarantined with the SUSPICIOUS MESSAGE added to the subject line. It is driving our users crazy, and also creating delays as messages go into the outbreak quarantine.

It seems like it may be resolved now. Hopeflly!

nickylee · ‎04-03-2018

Seems to be resolved now as well.

Mathew Huynh · ‎04-03-2018

Hey Everyone,

I sincerely apologise for the issues noted.
You are correct at approximately 9:56PM EST on the 2nd of April - there was a new outbreak filter rule pushed out that was misfiring and causing the false positive matches.

TAC had engaged the Talos team for escalation to correct this and the fix was put forward on the early hours of 3rd of April.

Regards,
Matthew