Hi,
We have an incoming content filter that is used to quarantine suspicious mails, based on Attachment name, sender, and body content dictionaries, as well as a couple of other items.
These have grown over time, particularly with the recent macro ma...
Good Morning, We are currently seeing a massive increase in malware contained in Word Document macros; these are dropping through the ESA until CASE catches up, and there are no AV signatures for these files at the time of drop. I've analysed these fi...
Good Morning, We've recently seen malware executables, in archive files, dropping through the ESA, even though there is a policy to quarantine all executables. I suspect it's because the archives are an unusual type - ARJ - and may be specifically des...
Hi, We have a requirement to block sites with certificate errors, self-signed/out of date/unrecognised authority etc., which makes sense from a security perspective. The business, however, want to whitelist certain third-party sites that we must access...
Hi,
One other thing to note: the feeds are TOR exit node IPs, not URLs, and not necessarily entry points.
I agree with the previous comment - the best option is the security intelligence block.
Regards,
Ed
Hi Jon,
I've done the following for systems that generate false positives for single rules, but I don't trust completely so still want the rest of the rules to apply.
Firstly edit the rule to create a new Local rule that excludes the IP, in this exam...
Hi Bryan, The basic answer from Cisco was that the ESA can't do that, and suggested using AMP, which while now integrated with the ESA range is a hefty extra cost. To me it looks like further development in the security aspects of the ESA has pretty m...