Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Anti-spam / Outbreak scan size

Hi everybody,

I'm looking for advice to determine the maximum message size for Anti-spam and Outbreak scan.

I am currently using a scan size of 1M for Anti-spam and I will add Outbreak filter (more and more spam exceed my spam limit).

My equipment is an ESA C370 with AsyncOS 8.0.1.

I found in the documentation the following lines :

Always scan messages smaller than—The recommended value is 512 Kb or less [...] Cisco advises not to exceed 3 MB for the always scan message size.

Never scan messages larger than—The recommended value is 1024 Kb or less. [...] Cisco advises not to exceed 10 MB for the never scan message size.

For messages larger than the always scan size or smaller than the never scan size, a limited and faster scan is performed.

I didn't find any sentence about recommanded scan size for Outbreak...

Thank you for your help.

Best regards

  • Email Security
Everyone's tags (3)
1 REPLY
Cisco Employee

Anti-spam / Outbreak scan size

This is a little older information - but, still would hold true --->

Currently, on the E-mail Security Appliance, the maximum scan size for IPAS is limited to 128K by default (the original default was 256K so many older appliance might have this set as the limit).  Messages larger than this limit are not scanned by IPAS.  Recently, Cisco IronPort did some extensive performance and efficacy testing on an average message load to determine the impact of increase scanning size on the E-mail Security Appliance.

The tests show that when raising the maximum scan size for IPAS the increase in efficacy is significant: a 256K maximum scan size yields a 24% decrease in missed spam, and a 512K maximum scan size yields a decrease of 35% in missed spam.  However, there is a potential performance impact of 24% when going from a maximum scan size of 128K to 512K (depending on the type of hardware platform).  The impact of going from a maximum scan size of 128K to 256K is 12%.  See summary below:

             128K -> 256K scan size limit:
                     12% possible performance reduction, 24% reduction in missed spam
             128K -> 512K scan size limit:
                     24% possible performance reduction, 35% reduction in missed spam

Below table show the performance results of a medium mailbox with a 50:50 ratio of spam and ham. MPS is messages per second.

 

128K (Baseline)

MPS

256K/

MPS

% diff with baseline

512K/ MPS

% diff with baseline

768K/ MPS

% diff with baseline

1M/ MPS

% diff with baseline

C100

3.45

3.1

10.14%

2.93

15.07%

2.82

18.26%

2.75

20.29%

C150

5.25

4.72

10.10%

4.4

16.19%

4.4

16.19%

4.27

18.67%

C160

12.5

11.1

11.20%

10.4

16.80%

9.99

20.08%

9.79

21.68%

C300

4.42

4.08

7.69%

3.87

12.44%

3.74

15.38%

3.67

16.97%

C350

11.8

10.5

11.02%

9.94

15.76%

9.55

19.07%

9.39

20.42%

C360

30

27

10.00%

25

16.67%

24

20.00%

24

20.00%

C370

29

26

10.34%

23

20.69%

22

24.14%

22

24.14%

C600

8.8

7.86

10.68%

7.46

15.23%

7.17

18.52%

7.06

19.77%

C650

25

22

12.00%

20

20.00%

19

24.00%

19

24.00%

C660

43

38

11.63%

35

18.60%

33

23.26%

33

23.26%

X1000

11.3

10.1

10.62%

9.61

14.96%

9.27

17.96%

9.12

19.29%

X1050

45

40

11.11%

37

17.78%

35

22.22%

35

22.22%

X1060

51

45

11.76%

41

19.61%

40

21.57%

39

23.53%

X1070

59

52

11.86%

48

18.64%

46

22.03%

45

23.73%

Recommendation and Performance measure:

The Cisco IronPort Security Applications Group recommends that all customers review their current stability and performance (see below for some tips on how to measure this) to determine if they can safely raise the maximum scan size for messages sent to IPAS (IronPort Anti-Spam Engine).  It is also recommend that you take a phased approach to the increase.  If maximum scan size for IPAS on your E-mail Security Appliance is currently set to 128K (131072), then first raise the maximum scan size to 256K (262144) and re-evaluate your stability and performance.  If everything is stable then increase the scan size limit to 512K (524288).

Performance of an E-mail Security Appliance depends on the set of features enabled on the appliance such as anti-spam, anti-virus, message filters and content filters along with the load of the appliance based on the no. of msgs/sec scanned and maximum size of a message allowed.

The most effective way to monitor system capacity is to track overall volume, messages in the work queue and incidents of Resource Conservation Mode. The System Capacity page under Monitor > System Capacity provides a detailed representation of the system load, including messages in the work queue, average time spent in the work queue, incoming and outgoing messages (volume, size, and number), overall CPU usage, CPU usage by function, and memory page swapping information.

The System Capacity - system load report shows the overall CPU usage on your IronPort appliance. AsyncOS is optimized to use idle CPU resources to improve message throughput. High CPU usage may not indicate a system capacity problem. If the high CPU usage is coupled with consistent, high-volume memory page swapping, you may have a capacity problem.

This page also shows a graph that displays the amount of CPU used by different functions, including mail processing, spam and virus engines, reporting, and quarantines. The CPU-by-function graph is a good indicator of which areas of the product use the most resources on your system. If you need to optimize your appliance, this graph can help you determine which functions may need to be tuned or disabled. The memory page swapping graph shows how frequently the system must page to disk.

If stability and performance does drop below acceptable limits, you might try a smaller increase.  Any amount greater than the current setting will help efficacy and reduce missed spam.  For instance, if 512K proves to be too much of a burden on your E-mail Security Appliance you might try a value of 384K (393216).

Hope this helps!

-Robert

(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

2483
Views
0
Helpful
1
Replies