The Cisco Secure Email Gateway/Cloud Gateway relies on several services with components and rules packages. Each of the services is maintained and updated via the Services Updater. The Services Updater reaches out each five (5) minutes to the Cisco Update Servers by default.
The Rules Updates for each service are reflected via their respective Security Services configuration section.
The main engine that controls the services and aggregates the rules is known as Context Adaptive Scanning EngineContext Adaptive Scanning Engine - Context Adaptive Scanning Engine (CASE) leverages over 100,000 adaptive message attributes tuned automatically and on a regular basis, based on real-time analysis of messaging threats. CASE helps Cisco record data that already exists as part of the mail delivery process. Customer data is then aggregated on the email gateway and sent to Cisco Talos Cloud service. (For more information, please see: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/215533-cisco-email-security-understanding-cont.html) (CASE). CASE feeds the following services:
- IronPort Anti-Spam
- Intelligent Multi-ScanIntelligent Multi-Scan - Intelligent Multi-scan (IMS) is an add-on license that provides additional anti-spam classification capabilities by combining the results of the multiple anti-spam classifier with the Cisco IPAS classifier in the Inbound and Premium Bundles. It increases the spam catch rate at the possible expense of a greater number of false positives. (IMS) and Graymail
- Outbreak Filters
In the Updater Logs (updater_logs), 'case' is the component name reflected for all three (3) services listed. Graymail has additional components seen by 'graymail' in the Updater Logs.
From the UI of your Gateway/Cloud Gateway, do the following:
- Security Services > Service Updates
- Scroll down to Automatic Updates
- Assure this is enabled
- Review the configured Update Interval
From the UI of your Gateway/Cloud Gateway, do the following to update any of the components and rules for the service. This example will use IronPort Anti-Spam:
- Security Services > IronPort Anti-Spam
- Review the Last Update timestamps
- Click Update Now
The other Security Services that rely on on-appliance engines will have the Update Now option.
The process may take a few minutes to sync with the Updater Service. Refresh the page after a few minutes to ensure the timestamps are updated.
If you have CLI access, you can issue the updatenow force command to give an update against ALL services at once. Then, running tail updater_logs, you will be able to see the process reach out to the Updater Service and perform the updates.
Likewise, for each component, there is the option to 'update.' In the example below, for IronPort Anti-Spam, antispamupdate is issued:
Or, you can run the 'force' update for the component. In the example below, for IronPort Anti-Spam, antispamupdate ironport force is issued:
Using the CLI is not a requirement. For more information on the command line for your version of AsyncOS, see: CLI Reference Guide
Note: Cloud Gateway customers that do not have command line access may request this to be enabled for their instance: Command Line Interface (CLI) Access
What is the difference between 'updatenow' and 'updatenow force'?
- 'updatenow' requests an update to all system service components.
- If 'force' parameter is used, update is performed even if no changes are detected.
My security policies do not allow me to directly reach the Updater Server. How do I work around the default configuration for updates?
- If you have a firewall and network limitations, please see: Content Security Appliance Downloads, Updates or Upgrades using a Static Host
- Cisco also offers Updates via local updater/upgrade host for Gateways on an isolated/secure network. Please reach out via a TAC case to get more information.
At this time, we have completed the following:
- Services Updates
- Validate Detection Services
- Review of Bypass, Accept, or Allow Lists
- Aggressive Profile for Anti-Spam
- Review and Validate MX Records
- Submissions to Talos
- Support Cases
- Security Review (Optional)
Once you have reviewed and updated the services, proceed to the next section of this document.
Updated 24 days ago