Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2176
Views
0
Helpful
4
Replies

Outbreak Filters/Blocked Attachment Best Practice

Tim Jackson
Level 1
Level 1

‎12-13-2016 08:46 AM

Hello,

I'm looking for some guidance on best practices around attachment blocking. In our old SMTP gateway firewall, we had an attachment blocking policy that blocked certain filetypes and sent a notification to the recipient. Users could request them to be released if they were expected. In the ESA, I'm accomplishing the same thing with a content filter/separate policy quarantine and it's working as expected. I'm noticing that the Outbreak filters are also catching most of them and duplicating them in the Outbreak quarantine.

1. We like control over when those attachments get released. What if after a day in the Outbreak quarantine they are automatically released to the user because they are "clean" but they really are not? The setting is still the default of one day maximum retention for viral attachments. Is there a way to ensure those attachments are never automatically released? 

2. Is there a way to give the Outbreak filter priority over the Content filter? Since the Outbreak filters are pretty accurate at detecting the malicious attachments, it might be nice to keep them separated. That way they are hidden from our Service Desk and wouldn't be accidentally released. It would only be the attachments that make it past the Outbreak filters that the Blocked Attachment Content filter would be quarantining. From what I've seen, those are usually more from legitimate senders.

I'd love to hear how others handle these scenarios and what the general best practice is.

Thanks,

Tim

Labels:
0 Helpful
4 Replies 4

Libin Varghese
Cisco Employee
Cisco Employee

‎12-13-2016 09:49 AM

Hi Tim,

The function of Outbreak filters is to delay suspect threat emails from being delivered based on global traffic patters, and hence they are never used to block emails altogether. Also outreak filters rules trigger based on phishing and malicious URLs and not attachments alone.

Outbreak Filters quarantines messages that may be part of a virus outbreak or non-viral attack. While quarantined, the appliances receives updated outbreak information and rescans the
message to confirm whether it’s part of an attack. Because quarantined messages are rescanned whenever new rules are published, it is very likely that messages in the Outbreak quarantine will be released prior to the expiration time.

The outbreak filters work at the end of workqueue processing and cannot be executed before content filters. The outbreak quarantine is a dynamic quarantine with a variable retention period and would release emails automatically based on global rule updates and rescan of the emails based on those rules, this is in order to prevent legitimate emails from being delayed.

The Outbreak Filters feature’s Outbreak quarantine is a temporary holding area used to store messages until they’re confirmed to be threats or it’s safe to deliver to users. Messages released from the Outbreak quarantine are scanned by the anti-virus and anti-spam engines again if they’re enabled for the mail policy. Also note that the Outbreak Filters feature does not take any final actions on messages. The Outbreak Filters feature will either quarantine a message (for further processing) or move the message along to the next step in the pipeline.

ESA FAQ: Outbreak Filters/Virus Outbreak Filters (VOF) FAQ
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118188-qanda-esa-00.html

The best method to block attachments would definately be using content/message filters as they allow you more control, you could choose to skip outbreak scanning for emails matching these content filters to prevent the same email from being sent to duplicate quarantines.

Regards
Libin Varghese

0 Helpful

exMSW4319
Level 3
Level 3
In response to Libin Varghese

‎12-14-2016 04:41 AM

In my experience also, VOF is a high-confidence filter.

I've changed my Outbreak default action to Delete in case of a flood attack.

0 Helpful

Tim Jackson
Level 1
Level 1
In response to exMSW4319

‎12-14-2016 07:11 AM

How long do you have the maximum retention set for? I'm just a little scared solely relying on the VOF in case it releases an attachment automatically that turns out to be malicious.

0 Helpful

exMSW4319
Level 3
Level 3
In response to Tim Jackson

‎12-15-2016 06:59 AM

Retention is set by the rule in question.

By "high confidence", I mean that I rarely see it give a false positive. Anything that's in another quarantine and has also gone to Outbreak can normally be deleted out of hand, but I don't make any effort to keep Outbreak clear; it sorts itself out.

If there's a threat that you're worried about (see the contemporary discussion on 7Z attachments, for example) then don't depend something like VOF or your preferred AV to deal with any actual malign code. Instead, ban the type, have a filter deal with occurrences and any exceptions and let your recipients know the policy.

0 Helpful
Customers Also Viewed These Support Documents