Services Updates

Efficacy Guide using Cisco Secure Email

Validate Services and Rules Updates

The Cisco Secure Email Gateway/Cloud Gateway relies on several services, each of which runs with its own components and rules packages. Each service is maintained and updated via the Services Updater. By default, the Services Updater reaches out to the Cisco Update Servers every five (5) minutes.

The rules updates for each service are reflected in the UI, in that service's own section under Security Services.

The main engine that controls the services and aggregates the rules is known as the Context Adaptive Scanning Engine (CASE). CASE leverages over 100,000 adaptive message attributes, tuned automatically and on a regular basis based on real-time analysis of messaging threats. CASE helps Cisco record data that already exists as part of the mail delivery process; customer data is then aggregated on the email gateway and sent to the Cisco Talos Cloud service. (For more information, see: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/215533-cisco-email-security-understanding-cont.html) CASE feeds the following services:

  • IronPort Anti-Spam
  • Intelligent Multi-Scan (IMS) and Graymail. IMS is an add-on license that provides additional anti-spam classification capabilities by combining the results of multiple anti-spam classifiers with the Cisco IPAS classifier in the Inbound and Premium Bundles. It increases the spam catch rate at the possible expense of a greater number of false positives.
  • Outbreak Filters

📘

Note

In the Updater Logs (updater_logs), 'case' is the component name shown for all three (3) of the services listed. Graymail has additional components, which appear as 'graymail' in the Updater Logs.

From the UI of your Gateway/Cloud Gateway, do the following:

  1. Security Services > Service Updates
  2. Scroll down to Automatic Updates
  3. Ensure that Automatic Updates is enabled
  4. Review the configured Update Interval

Note: Cluster: Hosted_Cluster, as this is a Cloud Gateway

From the UI of your Gateway/Cloud Gateway, do the following to update the components and rules for a service. This example uses IronPort Anti-Spam:

  1. Security Services > IronPort Anti-Spam
  2. Review the Last Update timestamps
  3. Click Update Now

The other Security Services that run on-appliance engines also offer the Update Now option.

📘

Note

The process may take a few minutes to sync with the Updater Service. Refresh the page after a few minutes to confirm that the timestamps have been updated.

Note: Cluster: Hosted_Cluster, as this is a Cloud Gateway

If you have CLI access, you can run the updatenow force command to update ALL services at once. By running tail updater_logs, you can watch the process reach out to the Updater Service and perform the updates.

CLI example using 'updatenow force'

Likewise, for each individual component, there is the option to 'update'. In the example below, for IronPort Anti-Spam, antispamupdate is issued:

CLI example using 'antispamupdate'

Or, you can force an update for the component. In the example below, for IronPort Anti-Spam, antispamupdate ironport force is issued:

CLI example using 'antispamupdate ironport force'

Using the CLI is not a requirement. For more information on the command line for your version of AsyncOS, see: CLI Reference Guide

Note: Cloud Gateway customers that do not have command line access may request this to be enabled for their instance: Command Line Interface (CLI) Access
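As an added example (not Cisco's code and not part of this guide), the following Python script reads saved output of tail updater_logs and reports, per Security Service, whether the updater is still checking in on its five-minute interval and when each component's rules last completed an update. The log lines are a constructed sample whose shape approximates AsyncOS updater_logs; the exact message wording, the version strings, and the freshness thresholds are assumptions, and the component-to-service mapping follows the note above ('case' for IronPort Anti-Spam, IMS and Outbreak Filters; 'graymail' for Graymail).

```python
import re
import sys
from datetime import datetime, timedelta

# Component names as they appear in updater_logs, mapped to the Security
# Services that depend on them ('case' feeds all three CASE services;
# Graymail's additional components log as 'graymail').
COMPONENT_SERVICES = {
    "case": ["IronPort Anti-Spam", "Intelligent Multi-Scan", "Outbreak Filters"],
    "graymail": ["Graymail"],
}

TS_FMT = "%a %b %d %H:%M:%S %Y"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<level>\w+): (?P<msg>.*)$"
)
# Assumed message shapes: an approximation of AsyncOS updater_logs, not a capture.
UPDATING_RE = re.compile(r"^(?P<comp>\S+) updating from (?P<old>\S+) to (?P<new>\S+)$")
COMPLETED_RE = re.compile(r"^(?P<comp>\S+) update completed$")
POLL_MSG = "Starting scheduled update"

# Constructed sample of `tail updater_logs` output (first line is a fragment
# cut off by tail; version numbers are made up).
SAMPLE_LOG = """\
ed files from the server manifest
Wed Jan  4 10:04:31 2023 Info: Starting scheduled update
Wed Jan  4 10:04:31 2023 Info: Acquired server manifest, starting update
Wed Jan  4 10:04:32 2023 Info: case updating from 3.3.1-009 to 3.3.1-010
Wed Jan  4 10:04:33 2023 Info: case update completed
Wed Jan  4 10:04:33 2023 Info: Scheduled next update to occur at Wed Jan  4 10:09:31 2023
Wed Jan  4 10:09:31 2023 Info: Starting scheduled update
Wed Jan  4 10:09:32 2023 Info: graymail updating from 01-1.0.0-001 to 01-1.0.0-002
Wed Jan  4 10:09:33 2023 Info: graymail update completed
Wed Jan  4 10:14:31 2023 Info: Starting scheduled update
Wed Jan  4 10:14:31 2023 Info: Scheduled next update to occur at Wed Jan  4 10:19:31 2023
"""


def parse_ts(text):
    """Parse an AsyncOS-style timestamp such as 'Wed Jan  4 10:04:31 2023'."""
    return datetime.strptime(text, TS_FMT)


def parse_updater_log(text):
    """Return [(timestamp, level, message)] for every well-formed line,
    skipping partial lines that tail may cut off."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((parse_ts(m["ts"]), m["level"], m["msg"]))
    return entries


def last_completed_updates(entries):
    """Most recent completed update per component: {comp: (time, new_version)}."""
    announced = {}   # comp -> version named in the 'updating from .. to ..' line
    completed = {}
    for ts, _level, msg in entries:
        m = UPDATING_RE.match(msg)
        if m:
            announced[m["comp"]] = m["new"]
            continue
        m = COMPLETED_RE.match(msg)
        if m:
            completed[m["comp"]] = (ts, announced.pop(m["comp"], None))
    return completed


def last_poll(entries):
    """Time of the most recent scheduled check-in with the update servers."""
    polls = [ts for ts, _level, msg in entries if msg == POLL_MSG]
    return max(polls) if polls else None


def assess(entries, now, poll_interval=timedelta(minutes=5),
           max_rule_age=timedelta(hours=24)):
    """Flag an updater that has gone silent for more than two poll intervals
    and services whose last completed update is older than max_rule_age.
    Both thresholds are assumptions; tune them for your environment."""
    poll = last_poll(entries)
    completed = last_completed_updates(entries)
    services = {}
    for comp, names in COMPONENT_SERVICES.items():
        ts, version = completed.get(comp, (None, None))
        fresh = ts is not None and now - ts <= max_rule_age
        for name in names:
            services[name] = {"component": comp, "last_update": ts,
                              "version": version, "fresh": fresh}
    return {
        "updater_reachable": poll is not None and now - poll <= 2 * poll_interval,
        "last_poll": poll,
        "services": services,
    }


def main():
    if sys.stdin.isatty():
        # No piped input: evaluate the constructed sample at a pretend 'now'.
        text, now = SAMPLE_LOG, parse_ts("Wed Jan  4 10:16:00 2023")
    else:
        text, now = sys.stdin.read(), datetime.now()
    report = assess(parse_updater_log(text), now)
    print(f"updater reachable: {report['updater_reachable']} (last poll {report['last_poll']})")
    for name, s in report["services"].items():
        state = "OK" if s["fresh"] else "STALE"
        print(f"{state:5} {name:22} component={s['component']} "
              f"version={s['version']} last_update={s['last_update']}")


if __name__ == "__main__":
    main()
```

Run it with no input to see the sample evaluated, or pipe saved CLI output into it (python3 check_updates.py < updater_tail.txt) to check a real gateway; a "STALE" line or "updater reachable: False" means the Automatic Updates setting, the Update Interval, or network reachability to the Cisco Update Servers needs a closer look.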

FAQ

What is the difference between 'updatenow' and 'updatenow force'?
  • 'updatenow' requests an update to all system service components.
  • If 'force' parameter is used, update is performed even if no changes are detected.

My security policies do not allow me to directly reach the Updater Server. How do I work around the default configuration for updates?

Guide Checklist

At this time, we have completed the following:

  • Introduction
  • Services Updates
  • Validate Detection Services
  • Review of Bypass, Accept, or Allow Lists
  • Aggressive Profile for Anti-Spam
  • Review and Validate MX Records
  • Submissions to Talos
  • Support Cases
  • Security Review (Optional)

Once you have reviewed and updated the services, proceed on to the next section of this document.
