A university is using Cisco ESA to manage email for 20,000 students and staff. They have implemented anti-spam and anti-virus policies. Recently, the IT helpdesk has been receiving complaints that legitimate emails from external senders (such as admissions notifications) are being marked as spam and quarantined. The administrators check the ESA and find that these emails are being flagged with a spam score above the threshold, but the content appears to be legitimate. The sending domains are not on any blacklist. The ESA is using default anti-spam settings. What should the administrator do to reduce false positives without compromising security?
Whitelist trusted senders.
Why this answer
Option C is correct because adding the legitimate sender domains or IPs to the ESA's SenderBase whitelist explicitly bypasses anti-spam scanning for those trusted sources, reducing false positives while maintaining security for all other inbound email. This approach leverages the ESA's reputation-based filtering to allow known good senders without lowering the global spam threshold or disabling protection entirely.
Exam trap
Cisco often tests the distinction between whitelisting (bypassing scanning for trusted senders) and content filters (applying actions after scanning). Candidates are led to mistakenly choose a content filter rule that spammers can easily abuse, or a threshold adjustment that actually worsens false positives.
How to eliminate wrong answers
Option A is wrong because a content filter that matches solely on the subject line 'admissions' is too broad and can easily be abused by spammers, leaving a security gap. Option B is wrong because disabling anti-spam scanning for all inbound email removes protection against spam and malware, compromising the university's email security posture. Option D is wrong because lowering the spam threshold makes scanning more aggressive, which would cause more false positives, not fewer.