You want to know what event(s) will trigger an Outbreak alert in Symantec Mail Security for Microsoft Exchange.
The default subject line (this can be modified) is:
Administrator Alert: Symantec Mail Security is detecting a possible virus outbreak
(The following information can also be found in the Symantec™ Mail Security for Microsoft® Exchange Server 200x Implementation Guide)
About the criteria that defines an outbreak
You can specify the number of occurrences of an event that must occur within a specified time frame to define an outbreak. Although there are no standard numbers to use when specifying frequencies, take into consideration the following:
Threat potential of the event category that is being monitored
Size of your mail system
Amount of email that is typically processed
Stringency with which you want to define an outbreak
Mail Security monitors your server at regular intervals to detect outbreaks (the default setting is every 2 minutes). When Mail Security checks your server for outbreaks, it checks the events that occurred within the specified period of time (the default setting is 20 minutes). Mail Security issues an outbreak notification when it detects an outbreak. For example, assume that you enable outbreak management, configure Mail Security to monitor for outbreaks every 2 minutes, and enable the “Same virus” outbreak trigger using the default configuration.
About outbreak triggers
The set of defining criteria for an outbreak is called an outbreak trigger. Each outbreak trigger monitors only one type of event (the Windows Application log or the SMSMSE Event Log) and defines an outbreak as the frequency of the specified event within a given time period.
For example, one outbreak trigger could be defined as the occurrence of 50 or more unscannable files within one hour.
Another outbreak trigger could be defined as 30 or more filtering rule violations within 15 minutes.
If you enable multiple outbreak triggers, and a message is received that violates more than one, Mail Security goes into outbreak mode and stops looking for additional outbreaks. Only one outbreak rule is triggered.
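The following added example (not code from Symantec or from the Implementation Guide) models the behaviour described above so that candidate thresholds can be replayed against a history of scan events before they are configured. The event type names, the order in which triggers are evaluated, and the sample events are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Trigger:
    event_type: str      # each trigger monitors one event type (names are assumed)
    threshold: int       # number of occurrences that defines an outbreak
    window: timedelta    # period the occurrences must fall within

# The two example triggers quoted in the text above.
TRIGGERS = [
    Trigger("unscannable_file", 50, timedelta(hours=1)),
    Trigger("filtering_rule_violation", 30, timedelta(minutes=15)),
]

def first_outbreak(events, triggers, start, end, interval=timedelta(minutes=2)):
    """Replay (timestamp, event_type) records against the triggers.

    A check runs every `interval` (2 minutes, the default monitoring interval).
    Each check counts events of the trigger's type with
    check - window < timestamp <= check. Returns (check_time, trigger, count)
    for the first trigger that is met, or None. Evaluation stops at the first
    hit, modelling "only one outbreak rule is triggered".
    Assumption: triggers are evaluated in list order.
    """
    check = start + interval
    while check <= end:
        for trig in triggers:
            count = sum(1 for ts, kind in events
                        if kind == trig.event_type
                        and check - trig.window < ts <= check)
            if count >= trig.threshold:
                return check, trig, count
        check += interval
    return None

def constructed_events(t0):
    """Constructed sample data: a slow trickle of unscannable files plus a
    burst of filtering rule violations that starts 30 minutes in."""
    trickle = [(t0 + timedelta(minutes=3 * i), "unscannable_file") for i in range(20)]
    burst = [(t0 + timedelta(minutes=30, seconds=20 * i), "filtering_rule_violation")
             for i in range(40)]
    return sorted(trickle + burst)

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)
    hit = first_outbreak(constructed_events(t0), TRIGGERS, t0, t0 + timedelta(hours=1))
    print(hit)  # the filtering rule trigger is met at the 09:40 check
```

In the constructed data the same 40 violations spread at one per minute would never meet the 30-in-15-minutes trigger, which is why the time window matters as much as the count when choosing thresholds.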
Message bodies typically do not contain threats or security risks. To conserve processing resources, Mail Security installs with default settings that do not scan message bodies. (Message attachments are always scanned.) You can modify the settings to scan message bodies.
If Mail Security does not scan the message body (which includes the subject line), the Same subject outbreak cannot be triggered unless the message contains an attachment.
To activate the Same subject outbreak trigger for messages that do not contain attachments, you can do any of the following:
Enable message body scanning
Enable at least one content filtering rule. Content filtering rules require message body scanning, regardless of whether the message contains an attachment. The content filtering rule can be any of the default rules or a rule that you create.
Outbreak triggers apply to auto-protect scans only.
Be aware that there may be activity within Exchange that is not immediately apparent to an Administrator. In some cases this normal system activity can trigger scans within SMSMSE, which can in some circumstances trigger the outbreak rules. Outbreak rules will trigger based on any scan activity generated, not just e-mails actively sent or received by users.
Please refer to the Symantec™ Mail Security for Microsoft® Exchange Server Implementation Guide for more details.