Threat Scanner for HTML threats
Improved Efficacy to Detect Threats
Your email gateway is now more secure with:
- Improved HTML parsing and malicious script detection
- Improved detection of HTML smuggling attacks
Release Notes
Email Gateway (On-premises HW and Virtual) customers, please read and review the entire Release Notes for AsyncOS 15.0 for Cisco Secure Email Gateway. If you have an Email and Web Manager, also read the Release Notes for AsyncOS 15.0 for Cisco Secure Email and Web Manager.
Cloud Gateway customers, please read and review the entire Release Notes for AsyncOS 15.0 for Cisco Secure Email Cloud Gateway and the Release Notes for AsyncOS 15.0 for Cisco Secure Email and Web Manager (Cloud).
Perform the following configuration steps to use this feature:
- Enable the Graymail service engine globally on your email gateway in any one of the following ways:
  - Web Interface: Navigate to the Security Services > IMS and Graymail page and select the Enable Graymail Detection checkbox under Graymail Global Settings.
  - CLI: Use the graymail > setup sub command and type yes at the "Would you like to use Graymail Detection? [Y]>" prompt.
- Enable the Anti-spam service engine for the required incoming mail policy as follows:
  - Navigate to the Mail Policies > Incoming Mail Policies page on the web interface.
  - Click the Disabled link under 'Anti-Spam' in the 'Policies' field.
  - Select the Use IronPort Anti-Spam service or Use IronPort Intelligent Multi-Scan option button, whichever is applicable, to enable Anti-Spam scanning for the mail policy.
  - Select the required action - 'deliver,' 'drop,' 'spam quarantine,' or 'bounce,' whichever is applicable - to apply to Positively-Identified Spam Settings.
  - [Optional]: Perform any other required Anti-Spam configuration settings.
  - Click Submit and commit your changes.
Mail Logs
A new verdict - ThreatScanner Spam Positive is added in Message Tracking and Mail Logs to indicate that the message is categorized as “spam” due to improved threat detection. The recommended Anti-Spam policy action for ThreatScanner Spam Positive verdict is Quarantine.
Example Mail Log:
Thu Sep 14 11:55:42 2023 Info: MID 9321 interim ThreatScanner verdict - PHISHING (101) <Message detected as phishing either by heuristic analysis or by detecting the link as fraudulent>
Thu Sep 14 11:55:43 2023 Info: MID 9321 interim verdict using engine: CASE spam negative
Thu Sep 14 11:55:43 2023 Info: MID 9321 interim verdict using engine: ThreatScanner spam positive
Thu Sep 14 11:55:43 2023 Info: MID 9321 using engine: CASE spam negative
Thu Sep 14 11:55:43 2023 Info: MID 9321 interim AV verdict using Sophos CLEAN
Thu Sep 14 11:55:43 2023 Info: MID 9321 antivirus negative
Thu Sep 14 11:55:43 2023 Info: MID 9321 AMP file reputation verdict : SKIPPED (no attachment in message)
Thu Sep 14 11:55:43 2023 Info: MID 9321 using engine: GRAYMAIL negative
Thu Sep 14 11:55:43 2023 Info: MID 9321 Outbreak Filters: verdict negative
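The log above shows the case a practitioner most often needs to find: ThreatScanner returns spam positive while CASE returns spam negative, so the verdict rests on ThreatScanner alone. The following added example (not Cisco tooling) groups mail log lines by MID and lists such messages for policy tuning or for collecting false-positive samples; the log line format is assumed to match the excerpt above.

```python
"""Summarise per-message engine verdicts from AsyncOS mail log lines."""
import re
from collections import defaultdict

# Constructed sample: the excerpt from the page (MID 9321) plus a second,
# constructed message (MID 9322) where CASE and ThreatScanner agree.
SAMPLE_LOG = """\
Thu Sep 14 11:55:42 2023 Info: MID 9321 interim ThreatScanner verdict - PHISHING (101) <Message detected as phishing either by heuristic analysis or by detecting the link as fraudulent>
Thu Sep 14 11:55:43 2023 Info: MID 9321 interim verdict using engine: CASE spam negative
Thu Sep 14 11:55:43 2023 Info: MID 9321 interim verdict using engine: ThreatScanner spam positive
Thu Sep 14 11:55:43 2023 Info: MID 9321 using engine: CASE spam negative
Thu Sep 14 11:55:43 2023 Info: MID 9321 using engine: GRAYMAIL negative
Thu Sep 14 11:55:50 2023 Info: MID 9322 interim verdict using engine: CASE spam positive
Thu Sep 14 11:55:50 2023 Info: MID 9322 interim verdict using engine: ThreatScanner spam positive
"""

MID_RE = re.compile(r"\bMID (\d+) ")
# Matches both "interim verdict using engine: X spam ..." and "using engine: X spam ..."
ENGINE_RE = re.compile(r"using engine: (\w+) spam (positive|negative)")
# Matches the ThreatScanner category line, e.g. "ThreatScanner verdict - PHISHING (101)"
CATEGORY_RE = re.compile(r"ThreatScanner verdict - (\w+) \((\d+)\)")


def parse_verdicts(log_text):
    """Return {mid: {"engines": {engine: verdict}, "category": str or None}}."""
    messages = defaultdict(lambda: {"engines": {}, "category": None})
    for line in log_text.splitlines():
        m = MID_RE.search(line)
        if not m:
            continue  # not a per-message line
        mid = int(m.group(1))
        e = ENGINE_RE.search(line)
        if e:
            messages[mid]["engines"][e.group(1)] = e.group(2)
        c = CATEGORY_RE.search(line)
        if c:
            messages[mid]["category"] = c.group(1)
    return dict(messages)


def threatscanner_only(messages):
    """MIDs convicted by ThreatScanner while CASE was spam negative.

    These are the messages to review when choosing a less aggressive
    action or when gathering falsely convicted samples for a TAC case."""
    return sorted(
        mid for mid, v in messages.items()
        if v["engines"].get("ThreatScanner") == "positive"
        and v["engines"].get("CASE") == "negative"
    )
```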
Graymail Logs
Graymail logs that include the spam cause and scoring data are available at the Information log level.
Support
If you have any urgent questions about this maintenance or the possible impact, please contact Cisco TAC: http://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Please keep up-to-date by using https://status.ces.cisco.com/.
On-premises customers (HW and/or Virtual) and CES customers with CLI access may view the ThreatScanner action with the following CLI command:
(Machine esa1.hc1234-56.iphmx.com)> imsandgraymailconfig
NOTICE: This configuration command has not yet been configured for the current cluster mode (Machine esa1.hc3033-47.iphmx.com).
What would you like to do?
1. Switch modes to edit at mode "Main_Cluster".
2. Start a new, empty configuration at the current mode (Machine esa1.hc1234-56.iphmx.com).
3. Copy settings from another cluster mode to the current mode (Machine esa1.hc1234-56.iphmx.com).
[1]>
Choose the operation you want to perform:
- GRAYMAIL - Configure Graymail Detection and Safe Unsubscribe settings
- MULTISCAN - Configure IronPort Intelligent Multi-Scan.
- GLOBALCONFIG - Common Global Configuration settings
- CLUSTERSET - Set how IronPort Intelligent Multi-Scan and Graymail settings are configured in a cluster.
- CLUSTERSHOW - Display how IronPort Intelligent Multi-Scan and Graymail settings are configured in a cluster.
[]> graymail
Graymail Detection: Enabled
Choose the operation you want to perform:
- SETUP - Configure Graymail.
[]> antispamaction
Action Status: Enabled
Do you want to disable action on threats detected by graymail engine? [Y]> y
Choose the operation you want to perform:
- SETUP - Configure Graymail.
[]>
Choose the operation you want to perform:
- GRAYMAIL - Configure Graymail Detection and Safe Unsubscribe settings
- MULTISCAN - Configure IronPort Intelligent Multi-Scan.
- GLOBALCONFIG - Common Global Configuration settings
- CLUSTERSET - Set how IronPort Intelligent Multi-Scan and Graymail settings are configured in a cluster.
- CLUSTERSHOW - Display how IronPort Intelligent Multi-Scan and Graymail settings are configured in a cluster.
[]>
(Cluster Main_Cluster)> commit
Please enter some comments describing your changes:
[]> Disabled Graymail > Antispam Action
Changes committed: Thu Sep 21 14:08:58 2023 EDT
Please be sure that you issue Commit to save your configuration changes.
After you have committed the configuration change, the action status will change to:
Action Status: Disabled
Cisco recommends adding a content filter to match the ‘X-ThreatScanner-Verdict: Positive’ header and perform a less aggressive action such as quarantine to a policy quarantine or deliver to an alternate recipient.
Other Header:
- Header Name: X-ThreatScanner-Verdict
- Header Value:
- Equals: Positive
Please open a TAC Service Request and submit falsely convicted samples from this quarantine/action, along with the mail logs and graymail logs for the message.
FAQ
Q: Why are ThreatScanner actions logged in Graymail?
- ThreatScanner runs as a component of the Graymail engine and rules. This is a new feature as of AsyncOS 15.0.
- You can see the current Graymail status with the following:
(Cluster Main_Cluster)> graymailstatus
This command is restricted to "machine" mode. Would you like to switch to "machine" mode? [Y]>
Choose a machine.
1. esa1.hc1234-56.iphmx.com (group Main_Group)
2. esa2.hc1234-56.iphmx.com (group Main_Group)
[1]> 1
Component Version Last Updated
Graymail Engine 01.426.00 21 Aug 2023 21:39 (GMT +00:00)
Graymail Rules 01-426.186#119 21 Sep 2023 18:16 (GMT +00:00)
Graymail Tools 7.0-002 24 Aug 2023 12:45 (GMT +00:00)
Q: Can I view or make configuration changes for ThreatScanner via the Gateway UI?
- No. This new feature is intended to improve efficacy within the Gateway. Configuration for ThreatScanner is currently available only to customers running AsyncOS 15.0 and using the CLI. Because of these restrictions, CES customers are notified of the change of action and it is configured for them as such. On-premises customers may perform the configuration change via the CLI only, as shown above.