Just trying to tune my image analysis settings on 2xC350's but just wondering whats some decent settings as I'm getting false positives alot, like a sheet of paper with writing on it, or a mother holding a baby or a wall with damage on it..
Image Analysis Sensitivity:50
CLEAN0 - 49
SUSPECT 50 -79
INAPPROPRIATE 80 - 100
Do I have to keep buming the sensitivity down? Can anyone give some decent insight into this module...
Assuming the C3650 uses the same code as our C150, see my earlier thread Image Analysis - Causes of Unscannable Result (11th Jan).
As far as I can tell, IA uses a simple chromatic check that delivers a high verdict whenever it sees a flesh tone juxtaposed with a dark colour. In a run-off it proved no better or worse than JroEbbg Image Filtering and ZrffntrYnof Image Control (do we openly refer to competing products here?) though it did tend more toward false positives than the others. We run our C150 on the default "clean 0-49, suspect 50-74, inappropriate 75-100" as advised by our vendor, and I should point out that my test set was very small (note to self: must download more test data!)
On Asyncos 6.5.3 we don't have a sensitivity control, so either you have a later version or there is some extra feature in the C350.
If it's present in your settings, don't forget to experiment with the Minimum Image Size parameter; ours is set to 100 pixels. This operates on the largest dimension of the image and in my opinion IronPort missed a trick here; it would be more useful it it operated on the shortestdimension so as to ignore all the banner strapline graphics that can cause false positives.
If you implement IA I think you have to accept that there will be a certain amount of intervention required - one suggestion is to farm this out to some luckless HR staff rather than shoulder the burden in-department. If that's not possible, simply alt-rcpt-to the positive verdicts over to a suitable store that you can spot-check at intervals before emptying. It's more of a defense against an ongoing culture of smut-trading and time-wasting than an absolute block against all things pornographic.
If I ever write an end-user notification for IA, I swear that I'll try to get away with having the thing impersonating an imp telling the sender it's run out of pink.
I'm running v7.0.1-010 on the C350's but sadly yea, I tend to get alot of stupid false positives and I've flicked this off onto second line to check over every now and then, I've also setup a content filter that alerts the user that a block has taken place supplying time/date , from, and subject in the body.
The main problem I tend to find is that there are not many people that have the image analysis module and google returns no results for best practice with it
I cant understand how some of the false postives are getting tagged tbh, like I'll have a white wall that some one put a hole in it.. or a pipe with some rust on it or a picture of some kids, gotta be some of the worst tagging ever.
Oh well guess I'll just have to keep playing around, thanks for the settings.... and I totally hear ya on test material, oh what a nightmare that was going out and finding stuff to test with , I had no shortage of volunteers to help find stuff to test with lol.
I hope I'm belaboring the obvious, but do make sure that you handle each verdict separately. "Unscannable" proved to be so unreliable that in the end we just turned that rule off. By contrast "Inappropriate" is worth checking, though it may be difficult to find the time to do so.
It's easy to grumble about the false positive rate, but if your original risk analysis showed that the IA option was worth buying (and our vendor kindly made an evaluation key available so we knew what we were getting into) then the case for image checking still exists. If checking every hit is too onerous, see my earlier suggestions for other ways of approaching the task.
We are testing IA on C350s and a C360, with ASynchOS patched to latest version. If you check my thread, you will see the way that we have decided to deal with false positives, i.e.
BCC to other mail account for periodic review
Strip image and deliver
Allow user Self Service to release Email with Stripped images if required, giving suitable warning
I have got about 3-4% false positives from testing so far (I think this is a little low), but am doing more today. E.g. 11 out of 300 images quarantined in 150 email batch. Of the 11, 1 was unscannable, 10 were false positives, 6 of which were 75+. All images were not business related, mostly child photos, all of which I can understand as there was alot of flesh tone except one which was a family photo of a graduation which was odd. We have used default config so far. I would be interested to hear how you got on with sensitivity etc or anything else you think I might find interesting.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :