Cisco ASA CSC SSM (Trend Micro) has too many false positives

Jul 1st, 2010

Hello people. I already asked this question in the Anandtech-forum, but I could still use an answer:


(..) I could really use some advice about the Trend Micro module. The spam filtering seems to have only 3 levels, but even when I set the used method to 'low' as opposed to 'medium' it still has too many false positives.


We don't have a Smartnet-contract yet and are now using the CSC SSM version 6.3.1172.0 release. Will spam filtering improve when using version 6.3.1172.3? Or do you have any other advice on how to get fewer false positives? All false positives are being blocked by pattern recognition (FYI).

(http://forums.anandtech.com/showthread.php?p=29950895)


Hopefully someone here can provide some advice.

Kureli Sankar (Cisco Employee) Thu, 07/01/2010 - 05:24

Certainly update it to 6.3.1173.3.pkg. You can download it here: http://tools.cisco.com/squish/E56f81


Regarding too many false positives: you need to follow the following procedure and submit the e-mail to Trend Micro so they can look into it.


Here are the instructions on how to submit spam.


1. The spam emails should be saved as .MSG or .EML format
2. The spam sample should be the original mail, not forwarded mails since forwarded mails do not contain the original mail contents and may contain customer related information that could lead to False Positives.
3. Original spam mail can be obtained by the following steps below:
    > Create a folder
    > Drag all undetected spam samples to the created folder
    > Place the undetected spam samples in a zip file and password-protect it using the word "novirus" without the quotes
    > Send the zip file


Here are the email addresses on where to send the samples:


[email protected] - Undetected spam sample submission mailbox
[email protected] - Legitimate mail tagged as spam submission mailbox


Note:  Customers will not get a reply.


Please be informed that TrendMicro has a large collection of Honeypots for
collecting new and emerging spam threats. Once samples are received, they
are automatically sent to our automated spam processing team.


-KS

Case72EST Thu, 07/01/2010 - 05:37

Hello kusankar,


Thx for the advice, but no can do.


The false positives e-mail is now deleted, since tagging it with a keyword would flood our users' inboxes. The CSC SSModule has only 2 options: delete or tag, no method to save the mail. So submitting it to Trend Micro is impossible.


As far as downloading the new software goes: "We don't have a Smartnet-contract yet (..)"


Are you sure that upgrading the software will do some good?


Of course it's always best to have the latest software, but to pay smartnet for a product that just isn't up to the task is wasted money. It would then be best to just get smartnet for just the Cisco ASA, leave out the module and find a different anti-spam solution.
