yes, we do have 4 cycles:
The request cycle is filtering the requests coming in, such as the GET or POST requests sent from the Client. The response cycle contains the response of a Webserver, e.g. a Website or download that has been triggered. The Embedded cycle is kicked of by Openers, such as the composite opener.
A user sends a request for a download to MWG. The request is handled in the request cycle, performing authentication, perform URL filtering etc. If the cycle is allowed (no block action occured) MWG sends the request to the Webserver. The Webserver sends back the download, in this example a ZIP file. Filters such as AV are not applied to the ZIP file in the response cycle. If there is a composite opener event, the opener will extract the ZIP and sends each member through the rule engine again - this time in an embedded cycle.
If all goes well the download is delivered to the Client. Finally the log cycle is ececuted and all things that happened are written to the access.log.
I hope that makes sense :-)
Small clarification: Embedded cycle could be executed for data from Request and Response, for example, if you're sending POST request, then MWG first works in Request cycle, then enters into Embedded cycle (if opener is enabled and exists), than it entering into Response cycle, check response data, and enters into Embedded cycle once again....
If there is a composite opener event, the opener will extract the ZIP and sends each member through the rule engine again - this time in an embedded cycle.
This is the point where virus scanning is done, right?
So for example i can use the "stop cycle" action in my URL Ruleset without losing the AV protection.
Is this correct?
Can i say that AV is an own cycle?
you can basically define in which cycle AV is performed. The default Rule Set calls AV in all cycles, which means that if you Upload some content (which is done in the request cycle), this is also filtered by the AV engine. So if you call the "stop cycle" action in the request cycle before AV filtering happens, the following would be true:
- if you transfer an infected file in the request cycle (file upload, etc) it won´t be detected any longer, since you skipped the cycle
- if you download an infected file, it will be detected because in the response cycle you still have AV
I would not agree on the statement that AV has its own cycle, instead of that AV can performed in any cycle!
Maybe the embedded cycle is confusing, so I will try a little example:
If I do not use the composite opener, we would not have any embedded cycle, since these are initiated by the opener. BUT the file I downloaded still goes (without being opened) through the response cycle, and AV is performed here.
In this example we will send the complete response to the AV engine, but will not extract it and send the members of the archive to the AV engine, which works, but is certainly not good for the detection rate.
Does this make sense to you?
I also found a nice picture which is part of the MWG6 to MWG7 migration guide. It basically shows a typical downloaded file with the default Rule Set that comes with the product in place. Maybe that also helps understanding: