Threat Scanner

Improved Efficacy to Detect Threats


False Positives - September 2023

Please see the current announcement regarding ThreatScanner False Positives.

Your email gateway is now more secure with:

  • Improved HTML parsing and malicious script detection
  • Improved URL parsing and redirection detection


Release Notes

Email Gateway (On-premises HW and Virtual) customers, please read and review the entire Release Notes for AsyncOS 15.0 for Cisco Secure Email Gateway. If you have an Email and Web Manager, also review the Release Notes for AsyncOS 15.0 for Cisco Secure Email and Web Manager.

Cloud Gateway customers, please read and review the entire Release Notes for AsyncOS 15.0 for Cisco Secure Email Cloud Gateway and the Release Notes for AsyncOS 15.0 for Cisco Secure Email and Web Manager (Cloud).

Perform the following configuration steps to use this feature:

  1. Enable the Graymail service engine globally on your email gateway in any one of the following ways:
    • Web Interface: Navigate to Security Services > IMS and Graymail page and select the Enable Graymail Detection checkbox under Graymail Global Settings
    • CLI: Use the graymail > setup sub command and type yes for the "Would you like to use Graymail Detection? [Y]>" statement
  2. Enable the Anti-spam service engine for the required incoming mail policy as follows:
    • Navigate to Mail Policies > Incoming Mail Policies page on the web interface.
    • Click the Disabled link under 'Anti-Spam' in the 'Policies' field.
    • Select the Use IronPort Anti-Spam service or Use IronPort Intelligent Multi-Scan option buttons, whichever is applicable, to enable Anti-Spam scanning for the mail policy.
    • Select the required action - 'deliver,' 'drop,' 'spam quarantine,' or 'bounce,' whichever is applicable, to apply to Positively-Identified Spam Settings.
    • [Optional]: Perform any other required Anti-Spam configuration settings.
    • Click Submit and commit your changes.

Mail Logs

A new verdict, ThreatScanner Spam Positive, has been added to Message Tracking and Mail Logs to indicate that the message was categorized as “spam” due to improved threat detection. The recommended Anti-Spam policy action for the ThreatScanner Spam Positive verdict is Quarantine.

Example Mail Log:

Thu Sep 14 11:55:42 2023 Info: MID 9321 interim ThreatScanner verdict - PHISHING (101) <Message detected as phishing either by heuristic analysis or by detecting the link as fraudulent>
Thu Sep 14 11:55:43 2023 Info: MID 9321 interim verdict using engine: CASE spam negative
Thu Sep 14 11:55:43 2023 Info: MID 9321 interim verdict using engine: ThreatScanner spam positive
Thu Sep 14 11:55:43 2023 Info: MID 9321 using engine: CASE spam negative
Thu Sep 14 11:55:43 2023 Info: MID 9321 interim AV verdict using Sophos CLEAN
Thu Sep 14 11:55:43 2023 Info: MID 9321 antivirus negative
Thu Sep 14 11:55:43 2023 Info: MID 9321 AMP file reputation verdict : SKIPPED (no attachment in message)
Thu Sep 14 11:55:43 2023 Info: MID 9321 using engine: GRAYMAIL negative
Thu Sep 14 11:55:43 2023 Info: MID 9321 Outbreak Filters: verdict negative
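When reviewing ThreatScanner verdicts (for example while collecting falsely convicted samples for TAC), it helps to pull the per-message verdicts out of the mail log and isolate the messages that only ThreatScanner flagged, i.e. where the interim ThreatScanner verdict was spam positive but CASE's final verdict was spam negative. The following Python script is an added example, not Cisco code or part of this page; it assumes only the mail log line formats shown above. The first five sample lines are the MID 9321 entries from the page; MIDs 9322 and 9323 are constructed to show a CASE-positive message and an all-negative message.

```python
import re
from collections import defaultdict

# Constructed sample log. MID 9321 is copied from the page's example; 9322 and 9323
# are made up here so the script has a CASE-positive and an all-negative case to compare.
SAMPLE_LOG = """\
Thu Sep 14 11:55:42 2023 Info: MID 9321 interim ThreatScanner verdict - PHISHING (101) <Message detected as phishing either by heuristic analysis or by detecting the link as fraudulent>
Thu Sep 14 11:55:43 2023 Info: MID 9321 interim verdict using engine: CASE spam negative
Thu Sep 14 11:55:43 2023 Info: MID 9321 interim verdict using engine: ThreatScanner spam positive
Thu Sep 14 11:55:43 2023 Info: MID 9321 using engine: CASE spam negative
Thu Sep 14 11:55:43 2023 Info: MID 9321 using engine: GRAYMAIL negative
Thu Sep 14 11:56:01 2023 Info: MID 9322 interim ThreatScanner verdict - PHISHING (101) <Message detected as phishing either by heuristic analysis or by detecting the link as fraudulent>
Thu Sep 14 11:56:02 2023 Info: MID 9322 interim verdict using engine: CASE spam positive
Thu Sep 14 11:56:02 2023 Info: MID 9322 interim verdict using engine: ThreatScanner spam positive
Thu Sep 14 11:56:02 2023 Info: MID 9322 using engine: CASE spam positive
Thu Sep 14 11:56:30 2023 Info: MID 9323 interim verdict using engine: CASE spam negative
Thu Sep 14 11:56:30 2023 Info: MID 9323 using engine: CASE spam negative
"""

# Timestamp + "Info: MID <n>" prefix common to every per-message line.
MID_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) Info: MID (?P<mid>\d+) (?P<event>.*)$"
)
# "interim ThreatScanner verdict - PHISHING (101) <explanation>"
TS_CATEGORY_RE = re.compile(
    r"^interim ThreatScanner verdict - (?P<category>[A-Z_]+) \((?P<code>\d+)\) <(?P<reason>[^>]*)>$"
)
# "interim verdict using engine: CASE spam negative" or the final "using engine: CASE spam negative"
ENGINE_RE = re.compile(
    r"^(?:(?P<interim>interim) verdict )?using engine: (?P<engine>\w+) spam (?P<verdict>positive|negative)$"
)


def parse_verdicts(log_text):
    """Group spam-engine verdicts by MID.

    Returns {mid: {"ts_category", "ts_code", "ts_reason", "interim": {engine: verdict},
                   "final": {engine: verdict}}}. Lines that are not per-message verdict
    lines (AV, AMP, Outbreak Filters, GRAYMAIL) are ignored.
    """
    messages = defaultdict(
        lambda: {"ts_category": None, "ts_code": None, "ts_reason": None, "interim": {}, "final": {}}
    )
    for line in log_text.splitlines():
        m = MID_RE.match(line)
        if not m:
            continue
        rec = messages[m.group("mid")]
        event = m.group("event")
        cat = TS_CATEGORY_RE.match(event)
        if cat:
            rec["ts_category"] = cat.group("category")
            rec["ts_code"] = int(cat.group("code"))
            rec["ts_reason"] = cat.group("reason")
            continue
        eng = ENGINE_RE.match(event)
        if eng:
            bucket = "interim" if eng.group("interim") else "final"
            rec[bucket][eng.group("engine")] = eng.group("verdict")
    return dict(messages)


def threatscanner_only_positives(log_text):
    """MIDs where ThreatScanner returned spam positive but CASE's final verdict was negative.

    These are the messages a content filter on 'X-ThreatScanner-Verdict: Positive' would
    act on while classic anti-spam would not, so they are the candidates to review for
    false positives and to submit to TAC together with their mail and graymail logs.
    """
    hits = []
    for mid, rec in parse_verdicts(log_text).items():
        ts = rec["final"].get("ThreatScanner") or rec["interim"].get("ThreatScanner")
        if ts == "positive" and rec["final"].get("CASE") == "negative":
            hits.append({"mid": mid, "category": rec["ts_category"],
                         "code": rec["ts_code"], "reason": rec["ts_reason"]})
    return hits


if __name__ == "__main__":
    for hit in threatscanner_only_positives(SAMPLE_LOG):
        print(f"MID {hit['mid']}: ThreatScanner-only positive, {hit['category']} ({hit['code']})")
```

Point the script at a real mail log (for example `tail` of the mail log fed through `parse_verdicts`) to get a review list per maintenance window; the category and reason text from the interim ThreatScanner line is what TAC will want alongside the sample.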

Graymail Logs

The Graymail logs, including the spam cause and scoring data, are available at the Information log level.

False Positives

Unfortunately, we have found that customers have encountered false positives from ThreatScanner. While we work to improve the accuracy of this new scanning engine, we have made the decision to disable any action being taken on these verdicts for our CES customers.

To this end, during the CES US maintenance window (September 21, 2023 20:00 PM [GMT -5]) Cisco will be rolling out a configuration change across CES to disable taking action against ThreatScanner positive messages.

Customers still on 14.x who upgrade to 15.0.x after the September 21, 2023 window (on their own or with Support) will need to disable the action manually if they want ThreatScanner actions disabled after the upgrade.

If you have any urgent questions about this maintenance or the possible impact, please contact Cisco TAC: http://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Please keep up-to-date by using https://status.ces.cisco.com/.

On-premises customers (HW and/or Virtual) and CES customers with CLI access may view the ThreatScanner action with the following CLI command:

(Machine esa1.hc1234-56.iphmx.com)> imsandgraymailconfig

NOTICE: This configuration command has not yet been configured for the current cluster mode (Machine esa1.hc3033-47.iphmx.com).

What would you like to do?
1. Switch modes to edit at mode "Main_Cluster".
2. Start a new, empty configuration at the current mode (Machine esa1.hc1234-56.iphmx.com).
3. Copy settings from another cluster mode to the current mode (Machine esa1.hc1234-56.iphmx.com).
[1]>


Choose the operation you want to perform:
- GRAYMAIL - Configure Graymail Detection and Safe Unsubscribe settings
- MULTISCAN - Configure IronPort Intelligent Multi-Scan.
- GLOBALCONFIG - Common Global Configuration settings
- CLUSTERSET - Set how IronPort Intelligent Multi-Scan and Graymail settings are configured in a cluster.
- CLUSTERSHOW - Display how IronPort Intelligent Multi-Scan and Graymail settings are configured in a cluster.
[]> graymail

Graymail Detection: Enabled

Choose the operation you want to perform:
- SETUP - Configure Graymail.
[]> antispamaction

Action Status: Enabled
Do you want to disable action on threats detected by graymail engine? [Y]> y

Choose the operation you want to perform:
- SETUP - Configure Graymail.
[]>


Choose the operation you want to perform:
- GRAYMAIL - Configure Graymail Detection and Safe Unsubscribe settings
- MULTISCAN - Configure IronPort Intelligent Multi-Scan.
- GLOBALCONFIG - Common Global Configuration settings
- CLUSTERSET - Set how IronPort Intelligent Multi-Scan and Graymail settings are configured in a cluster.
- CLUSTERSHOW - Display how IronPort Intelligent Multi-Scan and Graymail settings are configured in a cluster.
[]>

(Cluster Main_Cluster)> commit

Please enter some comments describing your changes:
[]> Disabled Graymail > Antispam Action

Changes committed: Thu Sep 21 14:08:58 2023 EDT

Please be sure that you issue Commit to save your configuration changes.

After you have committed the configuration change, the action status will change to:

Action Status: Disabled

Cisco recommends adding a content filter to match the ‘X-ThreatScanner-Verdict: Positive’ header and perform a less aggressive action such as quarantine to a policy quarantine or deliver to an alternate recipient.

Other Header:

- Header Name: X-ThreatScanner-Verdict
- Header Value:
  - Equals: Positive

Please open a TAC Service Request and submit falsely convicted samples from this quarantine/action, along with the mail logs and graymail logs for the message.

FAQ

Q: Why are ThreatScanner actions logged in Graymail?

  • ThreatScanner runs as a component of the Graymail engine and rules. This is a new feature as of AsyncOS 15.0.
  • You can see the current Graymail engine, rules and tools versions with the following command:
(Cluster Main_Cluster)> graymailstatus

This command is restricted to "machine" mode.  Would you like to switch to "machine" mode? [Y]>

Choose a machine.
1. esa1.hc1234-56.iphmx.com (group Main_Group)
2. esa2.hc1234-56.iphmx.com (group Main_Group)
[1]> 1

Component            Version         Last Updated
Graymail Engine      01.426.00       21 Aug 2023 21:39 (GMT +00:00)
Graymail Rules       01-426.186#119  21 Sep 2023 18:16 (GMT +00:00)
Graymail Tools       7.0-002         24 Aug 2023 12:45 (GMT +00:00)

Q: Can I view or make configuration changes for ThreatScanner via the Gateway UI?

  • No. This new feature is intended to improve efficacy within the Gateway. Configuration for ThreatScanner is currently only available to customers running AsyncOS 15.0 and using the CLI. Because of these restrictions, CES customers are notified of the change of action and the change is configured on their behalf. On-premises customers can perform the configuration change via the CLI only, as shown above.