cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
Level 10
Report Inappropriate Content
Message 1 of 7

MWG 7 Rule Cycle

Hi,

can anybody explain "cycle" to me?

Obviously there must be more than one cycle, right?

greetings

seebvey

6 Replies
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 7

Re: MWG 7 Rule Cycle

Hello,

yes, we do have 4 cycles:


Request

Response

Embedded

Log

The request cycle is filtering the requests coming in, such as the GET or POST requests sent from the Client. The response cycle contains the response of a Webserver, e.g. a Website or download that has been triggered. The Embedded cycle is kicked of by Openers, such as the composite opener.

Example:

A user sends a request for a download to MWG. The request is handled in the request cycle, performing authentication, perform URL filtering etc. If the cycle is allowed (no block action occured) MWG sends the request to the Webserver. The Webserver sends back the download, in this example a ZIP file. Filters such as AV are not applied to the ZIP file in the response cycle. If there is a composite opener event, the opener will extract the ZIP and sends each member through the rule engine again - this time in an embedded cycle.

If all goes well the download is delivered to the Client. Finally the log cycle is ececuted and all things that happened are written to the access.log.

I hope that makes sense 🙂

Best,

Andre

Highlighted
Level 11
Report Inappropriate Content
Message 3 of 7

Re: MWG 7 Rule Cycle

Small clarification: Embedded cycle could be executed for data from Request and Response, for example, if you're sending POST request, then MWG first works in Request cycle, then enters into Embedded cycle (if opener is enabled and exists), than it entering into Response cycle, check response data, and enters into Embedded cycle once again....

Highlighted
Level 10
Report Inappropriate Content
Message 4 of 7

Re: MWG 7 Rule Cycle

Hi Andre,

you wrote:

If there is a composite opener event, the opener will extract the ZIP and sends each member through the rule engine again - this time in an embedded cycle.

This is the point where virus scanning is done, right?

So for example i can use the "stop cycle" action in my URL Ruleset without losing the AV protection.

Is this correct?

Can i say that AV is an own cycle?

greetings,

seebvey

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 5 of 7

Re: MWG 7 Rule Cycle

Hello,

you can basically define in which cycle AV is performed. The default Rule Set calls AV in all cycles, which means that if you Upload some content (which is done in the request cycle), this is also filtered by the AV engine. So if you call the "stop cycle" action in the request cycle before AV filtering happens, the following would be true:

- if you transfer an infected file in the request cycle (file upload, etc) it won´t be detected any longer, since you skipped the cycle

- if you download an infected file, it will be detected because in the response cycle you still have AV

I would not agree on the statement that AV has its own cycle, instead of that AV can performed in any cycle!

Maybe the embedded cycle is confusing, so I will try a little example:

If I do not use the composite opener, we would not have any embedded cycle, since these are initiated by the opener. BUT the file I downloaded still goes (without being opened) through the response cycle, and AV is performed here.

In this example we will send the complete response to the AV engine, but will not extract it and send the members of the archive to the AV engine, which works, but is certainly not good for the detection rate.

Does this make sense to you?

Best,.

Andre

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 7

Re: MWG 7 Rule Cycle

I also found a nice picture which is part of the MWG6 to MWG7 migration guide. It basically shows a typical downloaded file with the default Rule Set that comes with the product in place. Maybe that also helps understanding:

Auswahl_021.png

Highlighted
Level 10
Report Inappropriate Content
Message 7 of 7

Re: MWG 7 Rule Cycle

Very good.

Thank you very much.

greetings,

seebvey

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community