
Managing outbreaks

This chapter includes the following topics:

■ About outbreak management

■ About outbreak triggers

■ About defining what constitutes an outbreak

About outbreak management

An outbreak situation occurs when an excessive number of viruses or events that exhibit virus-like behavior occur on a network. When an outbreak occurs, prompt identification of the situation and notification of administrative staff is critical.

Symantec Mail Security lets you manage outbreaks by doing the following:

■ Specify the criteria for an outbreak. These criteria consist of the event being monitored and the number of times that the event must occur during a specified time interval.

■ Define the email notifications to send to administrators when the criteria for an outbreak are met.

■ End the outbreak event once the situation has been managed.

About outbreak triggers

The set of defining criteria for an outbreak is called an outbreak trigger. Each outbreak trigger monitors only one type of event and defines an outbreak as a given number of occurrences of that event within a given time period.

152 Managing outbreaks About outbreak triggers

For example, one outbreak trigger could be defined as the occurrence of 50 or more unscannable files within one hour. Another outbreak trigger could be defined as 30 or more filtering rule violations within 15 minutes.

If you have configured multiple outbreak triggers and a message is received that violates more than one of them, Symantec Mail Security goes into outbreak mode and stops looking for additional outbreaks. Only one outbreak rule will be triggered.

Outbreak triggers apply only to Auto-Protect scans.

Enabling outbreak management

Outbreak management is enabled by default. You can specify the interval during which you want to check for outbreaks. By default, the interval is set to every two minutes. At least one outbreak trigger must be enabled for outbreak management to work.

See “Enabling and disabling outbreak triggers” on page 153.

To enable outbreak management

1 On the primary navigation bar, click Policies.

2 On the sidebar, under General, click Outbreak.

3 In the content area, check Enable Outbreak Management.

4 In the Check for Outbreaks every ___ minutes box, accept the default (2) or type the interval in minutes to wait between checks for viruses or occurrences of a specified file behavior.

5 Click Deploy changes/Deploy all or proceed to your next configuration task.

Clearing outbreak notifications

You can end outbreak notifications at any time. Otherwise, the notifications will continue until the outbreak is no longer in effect.

To clear outbreak notifications

1 On the primary navigation bar, click Policies.

2 On the sidebar, under General, click Outbreak.


Enabling and disabling outbreak triggers

You can enable and disable the individual outbreak triggers and set them to notify administrators of an outbreak. If you disable Outbreak Management, the trigger settings are retained.

To enable or disable an outbreak trigger

1 On the primary navigation bar, click Policies.

2 On the sidebar, under General, click Outbreak.

3 In the content area, in the upper pane, in the table, select a trigger to enable or disable. Click the entry (Enabled or Disabled) in the left column and select Enabled or Disabled from the menu.

4 Check Notify Administrator if you want to notify administrators upon activation of the outbreak trigger.

For administrators to receive email notifications of an outbreak, the notification email address must be valid.

See “Configuring notifications and alerts” on page 70.

5 Click Deploy changes/Deploy all or proceed to your next configuration task.

Enabling or disabling content enforcement rules

The Same subject and Same attachment name outbreak triggers contain content enforcement rules that you can enable and disable. You can also edit these rules. To edit content enforcement rules, see “Configuring content enforcement” on page 76.

To enable or disable content enforcement rules

1 On the primary navigation bar, click Policies.

2 On the sidebar, under General, click Outbreak.

3 In the content area, in the upper pane, in the table, in the Same subject or Same attachment name line, click View Rule to view and enable or disable the content enforcement rules associated with the trigger.

4 In the dialog box, ensure that Enable content filtering is checked.

5 In the dialog box, select the rule that you want to enable or disable. Click the entry in the Enable column and select Enabled or Disabled from the menu.

6 Check Update Match List (if available) if you want to automatically add the attachment name or subject to the Outbreak Triggered Names Matchlist or Outbreak Triggered Subjects Matchlist when a trigger is activated.


7 Click Close.

8 Click Deploy changes/Deploy all or proceed to your next configuration task.

Configuring outbreak notifications

Outbreak management has a notification feature that you can modify to suit your organization.

To configure outbreak notifications

1 On the primary navigation bar, click Policies.

2 On the sidebar, under General, click Outbreak.

3 In the content area, in the lower pane, under Initial Notification, accept the default or type new Subject Line and Message Body text to be used in the administrator notification.

The text between percent signs (%) represents variables, which fill in automatically when the message is sent.

See Table 3-5, “Replacement variables for alerts and notifications,” on page 65.

4 Under Subsequent Notifications, accept the default or type new Subject Line and Message Body text to be used in the administrator notification.

The text between percent signs (%) represents variables, which fill in automatically when the message is sent.

See Table 3-5, “Replacement variables for alerts and notifications,” on page 65.

5 Click Deploy changes/Deploy all or proceed to your next configuration task.

About defining what constitutes an outbreak

When defining an outbreak, you must specify the number of occurrences of the monitored item that are necessary to trigger the outbreak and the time span within which the occurrences can take place.

Although there are no standard numbers to use when specifying frequencies, you should take into consideration the threat potential of the event category that is being monitored, the size of your mail system, the amount of mail that is typically processed, and the stringency with which you want to define an outbreak.


As your outbreak triggers are tested, you should fine-tune the values that you use. Notifications are issued whenever an outbreak trigger is activated. The notifications are re-issued every two minutes, or at the interval you have chosen, while the outbreak condition remains. You should adjust the threshold to strike a balance between catching real outbreaks and issuing notifications for events that were incorrectly identified as an outbreak.

If a string property such as an attachment name is selected as a monitored item for an outbreak, Symantec Mail Security stores in memory every attachment name that it scans for the specified time span. Once the time span elapses, the attachment names (or other specified string property) are no longer held in memory.
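The threshold logic described in the paragraphs above (N occurrences within a time span, only one trigger firing at a time, string properties such as attachment names held in memory only for the span, and a notification at every check while the outbreak remains) can be modelled in a short simulation. The following Python is an added example written for this page; it is not Symantec Mail Security code. The 50-per-hour and 30-per-15-minutes triggers are the page's own examples, while the thresholds for Same attachment name and Same subject, the rule that the first listed trigger wins, and the event log it feeds are constructed assumptions.

```python
"""Sliding-window model of outbreak triggers (added example, not Symantec code).
A trigger is (event type, N occurrences, time span); string-property triggers
such as Same attachment name count per value and keep each value in memory only
for the span. Thresholds, trigger order and log events below are constructed."""
from collections import Counter, deque
from dataclasses import dataclass


@dataclass
class OutbreakTrigger:
    name: str
    event_type: str          # the single event type this trigger monitors
    occurrences: int         # threshold: this many events ...
    window_seconds: int      # ... within this time span
    string_property: bool = False  # True: count per value (subject, attachment name)
    enabled: bool = True


class OutbreakDetector:
    def __init__(self, triggers):
        self.triggers = triggers
        # Per trigger, the (timestamp, value) pairs still inside its window; for a
        # string-property trigger this is the list "held in memory" for the span.
        self._recent = {t.name: deque() for t in triggers}
        self.active = None   # (trigger name, value) while in outbreak mode

    def record(self, ts, event_type, value=None):
        for t in self.triggers:
            if t.enabled and t.event_type == event_type:
                self._recent[t.name].append((ts, value))

    def _expire(self, now):
        for t in self.triggers:            # drop events older than the window
            q = self._recent[t.name]
            while q and now - q[0][0] > t.window_seconds:
                q.popleft()

    def qualifying(self, now):
        """Every (trigger name, value) whose threshold is met at `now`."""
        self._expire(now)
        hits = []
        for t in self.triggers:
            if not t.enabled:
                continue
            q = self._recent[t.name]
            if t.string_property:
                for value, n in Counter(v for _, v in q).items():
                    if n >= t.occurrences:
                        hits.append((t.name, value))
            elif len(q) >= t.occurrences:
                hits.append((t.name, None))
        return hits

    def check(self, now):
        """Periodic check (page default: every two minutes). The first qualifying
        trigger wins and others are ignored (only one rule is triggered); the
        same hit is then reported at every check until clear() is called."""
        hits = self.qualifying(now)
        if self.active is None and hits:
            self.active = hits[0]       # assumption: first listed trigger wins
        return self.active

    def clear(self):
        self.active = None   # administrator ends the outbreak notifications


def sample_events():
    """Constructed gateway events as (seconds, event_type, value) tuples."""
    events = [(t, "rule_violation", None) for t in range(0, 70, 2)]        # 35 in 68 s
    events += [(t, "unscannable", None) for t in range(0, 1200, 60)]        # 20 in 20 min
    events += [(t, "attachment_name", "invoice.zip") for t in range(1000, 1240, 20)]
    events += [(t, "subject", "Re: your invoice") for t in range(1000, 1240, 20)]
    return sorted(events, key=lambda e: e[0])


def run_demo(check_interval=120, end=1500, clear_at=840):
    triggers = [  # first two are the page's own examples; the rest are assumed values
        OutbreakTrigger("Unscannable files", "unscannable", 50, 3600),
        OutbreakTrigger("Filtering rule violations", "rule_violation", 30, 900),
        OutbreakTrigger("Same attachment name", "attachment_name", 10, 600, string_property=True),
        OutbreakTrigger("Same subject", "subject", 10, 600, string_property=True),
    ]
    det = OutbreakDetector(triggers)
    events, i = sample_events(), 0
    notifications = []   # (check time, hit): one per check while in outbreak mode
    contenders = {}      # check time -> every trigger that met its threshold
    for now in range(0, end, check_interval):
        while i < len(events) and events[i][0] <= now:   # feed events up to `now`
            det.record(*events[i])
            i += 1
        contenders[now] = det.qualifying(now)
        hit = det.check(now)
        if hit:
            notifications.append((now, hit))
        if now == clear_at:
            det.clear()
    return notifications, contenders
```

Calling run_demo() shows the rule-violation trigger notifying at every two-minute check until the administrator clears it at 840 s, a quiet period once its 15-minute window has elapsed, and then the attachment-name trigger firing on invoice.zip at 1200 s even though the subject trigger met its threshold at the same check. Changing occurrences or window_seconds here is the same trade-off the text describes between catching outbreaks and issuing notifications for false identifications.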

Adjusting time parameters to define outbreaks

You can adjust the number of events and the time period that together define a series of events as an outbreak.

To adjust outbreak time parameters

1 On the primary navigation bar, click Policies.

2 On the sidebar, under General, click Outbreak.

3 In the content area, in the upper pane, in the table, do one or more of the following:

■ To adjust the number of occurrences of an event, click the entry in the Occurrences column and type a new value in the box.

■ To adjust the time interval in which the event will occur to trigger an outbreak, click the entry in the Time column and type a new value in the box.

■ To adjust the units of time defined by the Time column, click the entry in the Unit column and select Minutes, Hours, or Days from the menu.
