Outbreak filters (OF/VOF) released viral emails

vilca_neotech, Level 1

Hello,

yesterday, 24.2.2015, around 9:00 CET we were on top of a viral email attack. In less than one hour OF on the IronPort started to react to this attack. That's great. But at midnight all emails from this attack were released from the OF quarantine as clean messages. Together with OF we have Sophos on the IronPort. Here's the log of one email:

24 Feb 2015 09:24:38 (GMT +00:00)Message 286265 matched per-recipient policy DEFAULT for inbound mail policies.
24 Feb 2015 09:24:38 (GMT +00:00)Message 286265 scanned by Anti-Spam engine CASE. Interim verdict: definitely negative.
24 Feb 2015 09:24:38 (GMT +00:00)Message 286265 scanned by Anti-Spam engine: CASE. Final verdict: Negative
24 Feb 2015 09:24:38 (GMT +00:00)Message 286265 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
24 Feb 2015 09:24:38 (GMT +00:00)Message 286265 scanned by Outbreak Filters. Verdict: Positive
24 Feb 2015 09:24:38 (GMT +00:00)Message 286265 contains attachment 'xxxx@anything.somewhere'.
24 Feb 2015 09:24:38 (GMT +00:00)Message 286265 Virus Threat Level=3
24 Feb 2015 09:24:38 (GMT +00:00)Message 286265 contains attachment types zip
24 Feb 2015 09:24:38 (GMT +00:00)Message 286265 quarantined to Outbreak by Outbreak Filters rule. OUTBREAK_0013689
24 Feb 2015 17:47:19 (GMT +00:00)Message 286265 quarantined in Outbreak by Virus Outbreak Filters rule. OUTBREAK_0013699
24 Feb 2015 17:57:24 (GMT +00:00)Message 286265 quarantined in Outbreak by Virus Outbreak Filters rule. OUTBREAK_0013689
24 Feb 2015 23:03:38 (GMT +00:00)Message 286265 released from quarantine Outbreak after 49140 seconds. Reason: rescanned.
24 Feb 2015 23:03:38 (GMT +00:00)Message 286265 released from all quarantines.
24 Feb 2015 23:03:38 (GMT +00:00)Message 286265 matched per-recipient policy DEFAULT for inbound mail policies.
24 Feb 2015 23:03:38 (GMT +00:00)Message 286265 scanned by Anti-Spam engine: CASE. Interim verdict: Negative
24 Feb 2015 23:03:38 (GMT +00:00)Message 286265 scanned by Anti-Spam engine CASE. Interim verdict: definitely negative.
24 Feb 2015 23:03:38 (GMT +00:00)Message 286265 scanned by Anti-Spam engine: CASE. Final verdict: Negative
24 Feb 2015 23:03:38 (GMT +00:00)Message 286265 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
24 Feb 2015 23:03:38 (GMT +00:00)Message 286265 queued for delivery.


Yesterday at 12:00 CET I reported the virus to Sophos because the virus is not recognized by Sophos. I received this answer:

The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.

Since this morning I have been going through the IronPort configuration, forums and best practices, but I can't find any useful information about what's wrong. Why did OF together with Sophos release viral emails? We have had IronPorts for seven years and this is my first real problem with email scanning. In fact the mail should have been stopped by VOF, anti-spam or anti-virus. There are three engines which should react. I'm shocked. I hope that I have some misconfiguration on the IronPort.

I would be happy for any idea. Thank you.


EDIT:

2x C170 with 8.5.6-092
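The log above shows the pattern to watch for: an Outbreak Filters quarantine at Threat Level 3, a release with "Reason: rescanned" many hours later, the AV engine still reporting CLEAN, and the message queued for delivery. The script below is an added example (not code from the post or from Cisco) that replays AsyncOS mail-log lines in that format and flags messages matching that pattern; message 286265 reuses the lines from the post, while message 300000 is constructed to show a rescan the AV engine did catch.

```python
import re
from collections import defaultdict

# Constructed sample: 286265 reuses lines from the post, 300000 is made up (VIRAL verdict).
SAMPLE_LOG = """\
24 Feb 2015 09:24:38 (GMT +00:00)Message 286265 scanned by Outbreak Filters. Verdict: Positive
24 Feb 2015 09:24:38 (GMT +00:00)Message 286265 Virus Threat Level=3
24 Feb 2015 09:24:38 (GMT +00:00)Message 286265 quarantined to Outbreak by Outbreak Filters rule. OUTBREAK_0013689
24 Feb 2015 23:03:38 (GMT +00:00)Message 286265 released from quarantine Outbreak after 49140 seconds. Reason: rescanned.
24 Feb 2015 23:03:38 (GMT +00:00)Message 286265 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
24 Feb 2015 23:03:38 (GMT +00:00)Message 286265 queued for delivery.
24 Feb 2015 10:00:00 (GMT +00:00)Message 300000 Virus Threat Level=4
24 Feb 2015 10:00:00 (GMT +00:00)Message 300000 quarantined to Outbreak by Outbreak Filters rule. OUTBREAK_0013689
24 Feb 2015 12:00:00 (GMT +00:00)Message 300000 released from quarantine Outbreak after 7200 seconds. Reason: rescanned.
24 Feb 2015 12:00:00 (GMT +00:00)Message 300000 scanned by Anti-Virus engine Sophos. Interim verdict: VIRAL
"""

LINE_RE = re.compile(r"^(?P<ts>.+?\(GMT [^)]*\))Message (?P<mid>\d+) (?P<event>.*)$")

def parse_events(log_text):
    """Group the event text of each mail-log line by message ID, in log order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events[m.group("mid")].append(m.group("event"))
    return events

def find_released_outbreak_messages(log_text, min_threat_level=3):
    """{mid: info} for messages VOF-quarantined at >= min_threat_level, released as
    'rescanned', then queued for delivery with the AV engine still CLEAN."""
    findings = {}
    for mid, evs in parse_events(log_text).items():
        info = {"threat_level": 0, "rules": [], "seconds": None, "av_after_release": None, "delivered": False}
        released = False
        for ev in evs:
            if m := re.search(r"Virus Threat Level=(\d+)", ev):
                info["threat_level"] = int(m.group(1))
            elif m := re.search(r"quarantined (?:to|in) Outbreak by .*rule\. (OUTBREAK_\d+)", ev):
                info["rules"].append(m.group(1))
            elif m := re.search(r"released from quarantine Outbreak after (\d+) seconds\. Reason: rescanned", ev):
                released, info["seconds"] = True, int(m.group(1))
            elif released and (m := re.search(r"Anti-Virus engine \S+\. \w+ verdict: (\w+)", ev)):
                info["av_after_release"] = m.group(1)   # last AV verdict seen after the release
            elif released and "queued for delivery" in ev:
                info["delivered"] = True
        if (released and info["delivered"] and info["av_after_release"] == "CLEAN"
                and info["threat_level"] >= min_threat_level):
            findings[mid] = info
    return findings
```

Feeding the appliance's mail log through this on a schedule gives an alert for each "quarantined, rescanned, released, delivered" message so the recipients can be warned while the AV vendor's definitions catch up.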

Accepted Solution

Mathew Huynh, Cisco Employee

Hello,

It is rather unfortunate to hear of this occurring for you.

With regards to why it was released as clean, VOF rules are handled by the CASE team (IronPort Anti-spam), so the rules may not be in direct correlation to Sophos definitions on their viral scanners.

VOF filter rules will be pushed out by the spam team based on the sensory data and many other variables, and new rules are published often based on the sensory data, which is likely why it was rescanned and deemed clean.

As for the anti-spam scanners not capturing the emails, this can come down to other variables as well. If the emails are still being passed as legitimate emails despite the contents, then I would advise you to open a TAC case if possible and provide us the sample so we can have this sorted for you and have new spam rules written to capture these types of emails as spam.

It would not likely be a configuration issue if there were no changes -- I'd say generally it would be that the tools did not have the definitions available at the time.

Please feel free to provide further feedback if you have other questions.


Hello Matthew,

thank you for your quick answer. I'm afraid of this answer and I'm a little scared by this:

"VOF rules are handled by the CASE team (IronPort Anti-spam) so the rules may not be in direct correlation to Sophos definition on their viral scanners"

I wonder if I can check the VOF rules somewhere. I tried the SenderBase pages and Cisco pages but without luck.

I'm using the IronPort Outlook add-in for marking emails as spam, phishing or virus. Does it make sense? Is some team using this information?

Thank you for your support.

Hello,

Sorry for the delay in my response, I sent that email before I went to bed last night.

As per your follow up.

The VOF rules can be 'checked' to a certain degree under the command

CLI > outbreakstatus

This will list a set of rules with sensory information such as unusual amounts of certain types of files, and such, which can be triggered on VOF scanning.

But detailed information is kept, as it's proprietary information.

SenderBase will not list the rules in full detail: if these rules were publicly available to be seen, spammers would take advantage of this and find ways around current rule sets being pushed out proactively.

The Outlook add-in on your system for flagging these emails: when you do send a submission, it will go to our database where our automated systems will re-classify emails based on the type of submission to the best of the automated processes' abilities.

However, if for some reason it cannot reclassify an email (possibly if the content is completely unknown), then a TAC case may be required to escalate it to the rule writing team further.

But your submissions do get to us, and they are being used by the spam team, from automated systems to humans manually writing out rules.

Regards,

Matty

Hi Matty,

thank you for the clarification. I'm a little scared of the OF, because it's not under my control and I just must believe. What's more, we're not an English-speaking country and small in fact, so I'm afraid we're not important to Cisco and this problem will occur again.

Anyway, thank you very much for your support.

Regards,

Martin

Hey Martin,

While I do see in some instances VOF rules may be aggressive, as it acts as adaptive scanning with live updates on traffic and sensors of suspicious behaviour -- if it continues to happen, we can surely assist you with this.

"What's more, we're not an English-speaking country and small in fact, so I'm afraid we're not important to Cisco and this problem will occur again."

I really do hope that you have not been treated that way, to say the least, when you've opened cases, as we would treat anyone's concerns as our own and try to the best of our abilities to assist.

As such, I wish you do not feel that way and be afraid :) We're here to help.

But the first stage for further assistance, should this be recurring where VOF rules may have aggressively scanned the emails -- do open a case and we'll be more than happy to have it looked at for you.

Thanks for your updates,

Matty