Issues with IronPort Intelligent Multi-Scan

Doug Maxfield
Level 1
Good Morning,

In the last month, we upgraded to ESA Cloud ver. 12. Since that time, we have noticed that IMS appears to be a lot more aggressive in its scanning, and valid messages that were received before are now being dropped as "Spam Positive". This is starting to cause some issues. We are using the default settings for IMS. Is anyone else experiencing these issues? If so, what have you done to fix them? I don't want to maintain a "Whitelist" as that can get very tedious. I have an open TAC on this but am not getting much of a response from it.

Thanks,

Doug

gkumarj
Cisco Employee

Hi Doug,

The IMS engine has changed in version 12.1 and hence there will be some changes. I would suggest opening a TAC case and submitting a few email samples to get them analyzed with the internal team, after which the issue should be resolved. I had a customer with a similar issue; after getting the sample emails analyzed, the issue was resolved.

Rgds,

Gagan

Gagan,

We are well aware of the change to IMS in ver 12. We actually upgraded our Cloud ES early due to the problems that we were seeing with IMS in ver 11. I have a TAC opened to investigate IMS. TAC is 686877994. I also have 2 open cases on issues where IMS is flagging previously valid emails as both Spam and Suspected Spam (TAC # 686828810 and 686854906).

I can't believe that we're the only company that is having this problem with IMS in ver 12. I can continue opening TACs when we are notified by our Help Desk that there is an issue. But waiting a week or more to get results/changes done I feel is unacceptable. Whitelist for us is not an option as it's our policy not to do this. Especially since the email has been considered "HAM" for years.

Doug

Hi Cisco Community,

I wanted to share some of our experiences with IMS 12.1 latest.

We upgraded to IMS from traditional Ironport AntiSPAM during the 12.1 Beta program so we could compare efficiency of the two engines between production and test.

In short, IMS had about a 30% better catch rate for SPAM compared to traditional Ironport Antispam, and during the beta we had a very low level of false positives.

Well, I can support the statement that things have changed. We get about 4000 suspect SPAM messages per week and about 5-10% of them are false positives. We have tried to work with Cisco support to get them under better control, but I am at a point now where I need answers:

a) What is the most common pattern why emails get triggered as suspected, as I see none?

b) What option can we use in the threshold settings to make it less aggressive without breaking the logic? All beta testing was requested with default settings so would need guidance from TALOS on what to change.

c) Our previous Ironport AntiSPAM settings have been even more aggressive than default IMS but that would not work at all.

Happy to discuss with other impacted customers.

We have uploaded so far 200+ samples for correction.

-Marc

Hello,

Thanks to everyone for the input.

Ultimately, you'll want to continue opening TAC cases and submitting the feedback to our Talos team. We've run into similar concerns in the past when we've tweaked and/or updated engines, and the only true resolution is to keep us informed so that we can make sure everything is optimized accordingly. Right now, there are internal conversations to make sure anything FN/FP IMS is taken with priority. Though, if you feel you're not getting proper feedback and are still seeing issues after opening the TAC case, I would highly recommend speaking with your AM/SE to make sure the case is moving in the right direction. I can assure you there are many people working to make sure this transition is as smooth as possible.

Thanks!

-Dennis M.
