Outbreak Filters aim to protect end users and organizations from malicious attachments, phishing attempts, and malicious URLs sent via email. The function of Outbreak Filters is to delay delivery of suspect or malicious emails to the targeted recipients.
Messages are quarantined when their content does either of the following:
Meets or exceeds an Outbreak rule
Meets or exceeds the configured thresholds
Note that the Outbreak Filters "quarantine" feature is really a holding area where messages are stored until it is confirmed whether or not the email is safe. Outbreak Filters do not take any final action on emails. The possible actions are either:
Quarantine a message for further processing
Move message to next step in pipeline
It is important to understand how Outbreak Filter rules are written. All rules are published via Cisco's Security Intelligence Operations (SIO). SIO aims at providing fast, strong protection. It is essentially an all-encompassing bucket that contains global threat information, reputation-based services, and sophisticated analysis.
Furthermore, SIO has 3 main components:
SenderBase: vulnerability database
Talos: Cisco's team of security analysts and automated systems
Outbreak rules have a threat level. Threat levels indicate the potential risk of a viral outbreak. These threat levels are based on the following factors:
Suspicious file activity
Input from anti-virus vendors
Analysis via SIO
Outbreak Filters allow you to increase or decrease the impact of threat levels. The overview of threat levels is as follows:
Level 0 = Risk: None
Level 1 = Risk: Low
Level 2 = Risk: Low/Medium - The risk that the message is a threat is low to medium. It is a “suspected” threat.
Level 3 = Risk: Medium - Either the message is part of a confirmed outbreak or there is a medium to large risk of its content being a threat.
Level 4 = Risk: High - Either the message is confirmed to be part of a large scale outbreak or its content is very dangerous.
Level 5 = Risk: Extreme - The message’s content is confirmed to be part of an outbreak that is either extremely large scale or large scale and extremely dangerous.
Synopsis: Any message deemed part of an outbreak is always quarantined until it is determined safe. This determination is based on updated outbreak information from Cisco and/or new anti-virus definitions published by Sophos or McAfee.
To further understand how and when Outbreak Filtering occurs during ESA message processing, it is important to know that it occurs in the workqueue phase, near the end of workqueue processing. Note that quarantining via Outbreak Filters is dynamic and has a retention period. Emails can be released automatically based on configured global rules and a rescan of the held email against updated rules. The purpose of the retention period is to ensure legitimate emails are not blocked or unduly delayed.
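The hold-or-pass decision, the rescan release and the retention expiry described above, as a small added Python model. This is not Cisco's code and not the ESA engine; the threshold value, the 12-hour retention, the message ids, the rule-update timing and the assumption that a message is released to the next pipeline step when its retention period expires are all constructed for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum


class ThreatLevel(IntEnum):
    """Outbreak rule threat levels 0-5 as listed on the page."""
    NONE = 0
    LOW = 1
    LOW_MEDIUM = 2
    MEDIUM = 3
    HIGH = 4
    EXTREME = 5


@dataclass
class Message:
    msg_id: str
    threat_level: ThreatLevel   # level assigned by the matching outbreak rule


@dataclass
class QuarantineEntry:
    message: Message
    quarantined_at: datetime
    expires_at: datetime        # end of the retention period (assumed fixed window)


class OutbreakFilterSim:
    """Toy model (assumption: not the real ESA engine) of the Outbreak Filter
    work-queue step: hold-or-pass decision, rescan on rule updates, retention expiry."""

    def __init__(self, threshold: ThreatLevel, retention: timedelta):
        self.threshold = threshold      # configured threshold: hold at or above it
        self.retention = retention      # maximum hold time before automatic release
        self.quarantine: dict[str, QuarantineEntry] = {}
        self.delivered: list[str] = []  # ids handed to the next pipeline step

    def process(self, msg: Message, now: datetime) -> str:
        """Work-queue decision: 'quarantine' if the rule level meets or exceeds the
        configured threshold, otherwise 'next_step'. No final action is taken here."""
        if msg.threat_level >= self.threshold:
            self.quarantine[msg.msg_id] = QuarantineEntry(msg, now, now + self.retention)
            return "quarantine"
        self.delivered.append(msg.msg_id)
        return "next_step"

    def rescan(self, updated_levels: dict[str, ThreatLevel], now: datetime) -> list[str]:
        """Re-evaluate held messages against updated outbreak rules. A message is
        released to the next step when its new level falls below the threshold or
        when its retention period has expired; otherwise it stays held."""
        released = []
        for msg_id, entry in list(self.quarantine.items()):
            if msg_id in updated_levels:
                entry.message.threat_level = updated_levels[msg_id]
            if entry.message.threat_level < self.threshold or now >= entry.expires_at:
                del self.quarantine[msg_id]
                self.delivered.append(msg_id)
                released.append(msg_id)
        return released

    def held(self) -> list[str]:
        return sorted(self.quarantine)


T0 = datetime(2024, 1, 1, 9, 0)   # constructed clock origin for the demo


def run_demo() -> dict:
    """Constructed scenario: threshold MEDIUM (3), 12-hour retention, three messages."""
    sim = OutbreakFilterSim(ThreatLevel.MEDIUM, timedelta(hours=12))
    msgs = [Message("m1", ThreatLevel.LOW),        # below threshold: passes straight through
            Message("m2", ThreatLevel.MEDIUM),     # suspected threat: held
            Message("m3", ThreatLevel.HIGH)]       # confirmed outbreak: held
    decisions = {m.msg_id: sim.process(m, T0) for m in msgs}

    # Two hours later updated rules arrive: m2 turns out to be a false positive (level 1).
    released_by_rescan = sim.rescan({"m2": ThreatLevel.LOW}, T0 + timedelta(hours=2))
    still_held = sim.held()

    # Retention expiry: m3 reaches the end of its hold window with no rule change.
    released_by_expiry = sim.rescan({}, T0 + timedelta(hours=13))
    return {
        "decisions": decisions,
        "released_by_rescan": released_by_rescan,
        "held_after_rescan": still_held,
        "released_by_expiry": released_by_expiry,
        "delivered_order": sim.delivered,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The model keeps the two properties the page stresses: the filter never deletes or finally disposes of a message (every path ends in `delivered`), and a hold is temporary, ending either because a rescan against newer rules lowers the level or because the retention period runs out.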
For more on Email Pipeline & Email Security see the <esa> tag! Cheers!