I've been testing the duplication of a MWG upload/download process in terms of backgrounding the portion of the process that is time-intensive while releasing the original download/process to deliver content to/from the client. This is based on the discussion at Re: Don´t wait for ICAP Server response
I've run into some interesting outcomes so I'd like to get verification of a couple of items.
1) Is it required that the ruleset that utilizes the property AntiMalware.MATD.IsBackgroundScan equals true to handle the initiation of the background process be a Top Level ruleset?
2) For the "Init Offline Scan" ruleset, with criteria Antimalware.MATD.InitBackgroundScan (#) equals <boolean>, what is the correct logic to activate the background/offline scan and is it expected that this rule will trigger the Error Handler? I have seen both true and false values referenced in the forum and I've also seen documentation about how to make specific errors result in a fail open situation..which suggests that that may be an expected outcome in certain situations.
Current situation/challenges/what I would like to accomplish:
- I have a monitoring rule set which exists after the standard Common Rules rule set and before the standard Gateway Anti-Malware rule set
- In some cases, this monitoring rule set may result in significantly delayed delivery of downloads to the requesting client
- I want to implement logic that will make it possible to achieve:
- complete traversal of existing monitoring ruleset as that ruleset contains rulesets/rules which log specific data about Embedded Objects
- limited direct/perceived impact to the requesting client
- My thought was that I could potentially accomplish that by using the MATD properties for background scanning to first trigger a background "scan" event and then catch that traffic at the top of the overall rule set and shovel it into a monitoring rule set
Any input on items #1 and #2 listed above would be greatly appreciated. Also, if there are version-specific considerations, that would also be useful to know.