I'm looking for some guidance on best practices around attachment blocking. In our old SMTP gateway firewall, we had an attachment blocking policy that blocked certain filetypes and sent a notification to the recipient. Users could request them to be released if they were expected. In the ESA, I'm accomplishing the same thing with a content filter/separate policy quarantine and it's working as expected. I'm noticing that the Outbreak filters are also catching most of them and duplicating them in the Outbreak quarantine.
1. We like control over when those attachments get released. What if after a day in the Outbreak quarantine they are automatically released to the user because they are "clean" but they really are not? The setting is still the default of one day maximum retention for viral attachments. Is there a way to ensure those attachments are never automatically released?
2. Is there a way to give the Outbreak filter priority over the Content filter? Since the Outbreak filters are pretty accurate at detecting the malicious attachments, it might be nice to keep them separated. That way they are hidden from our Service Desk and wouldn't be accidentally released. It would only be the attachments that make it past the Outbreak filters that the Blocked Attachment Content filter would be quarantining. From what I've seen, those are usually more from legitimate senders.
I'd love to hear how others handle these scenarios and what the general best practice is.
The function of Outbreak filters is to delay suspect threat emails from being delivered based on global traffic patterns, and hence they are never used to block emails altogether. Also, Outbreak filter rules trigger based on phishing and malicious URLs and not attachments alone.
Outbreak Filters quarantines messages that may be part of a virus outbreak or non-viral attack. While quarantined, the appliance receives updated outbreak information and rescans the message to confirm whether it’s part of an attack. Because quarantined messages are rescanned whenever new rules are published, it is very likely that messages in the Outbreak quarantine will be released prior to the expiration time.
The Outbreak filters work at the end of work queue processing and cannot be executed before content filters. The Outbreak quarantine is a dynamic quarantine with a variable retention period; it releases emails automatically based on global rule updates and a rescan of the emails against those rules. This is in order to prevent legitimate emails from being delayed.
The Outbreak Filters feature’s Outbreak quarantine is a temporary holding area used to store messages until they’re confirmed to be threats or it’s safe to deliver to users. Messages released from the Outbreak quarantine are scanned by the anti-virus and anti-spam engines again if they’re enabled for the mail policy. Also note that the Outbreak Filters feature does not take any final actions on messages. The Outbreak Filters feature will either quarantine a message (for further processing) or move the message along to the next step in the pipeline.
ESA FAQ: Outbreak Filters/Virus Outbreak Filters (VOF) FAQ http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118188-qanda-esa-00.html
The best method to block attachments would definitely be using content/message filters, as they allow you more control. You could choose to skip Outbreak scanning for emails matching these content filters to prevent the same email from being sent to duplicate quarantines.
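As an added illustration (not part of the original answer) of the approach described above, here is what that attachment-blocking rule looks like written as an ESA message filter: it quarantines messages carrying the blocked extensions in a dedicated policy quarantine and skips Outbreak Filter scanning for them, so the same message no longer lands in both quarantines. The quarantine name, the filter name and the extension list are assumptions for this example and should be replaced with your own.

```text
# Added example, not from the original post. Assumes a policy quarantine
# named "BlockedAttachments" already exists and that the filter is loaded
# with the CLI "filters" command.
BlockedAttachmentTypes:
if (attachment-filename == "(?i)\\.(exe|scr|js|vbs|7z)$")
{
    # Record why the message was held, visible in mail logs and tracking.
    log-entry("Blocked attachment type; held in BlockedAttachments");
    # Skip Outbreak Filter scanning so the message is not duplicated
    # in the Outbreak quarantine and cannot be auto-released from there.
    skip-vofcheck();
    # Hold the message in the policy quarantine the Service Desk controls.
    quarantine("BlockedAttachments");
}
```

Because the message never reaches Outbreak Filters, release timing is decided only by your own quarantine's retention and review policy.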
By "high confidence", I mean that I rarely see it give a false positive. Anything that's in another quarantine and has also gone to Outbreak can normally be deleted out of hand, but I don't make any effort to keep Outbreak clear; it sorts itself out.
If there's a threat that you're worried about (see the contemporary discussion on 7Z attachments, for example) then don't depend on something like VOF or your preferred AV to deal with any actual malign code. Instead, ban the type, have a filter deal with occurrences and any exceptions, and let your recipients know the policy.