I've got a handful of questions about the composite opener that I hope someone can help enlighten me on! Feel free to cherry-pick and answer any of these if you know them!
- What does "Common Rules > Enable composite opener" do?
- If you have a condition of (Body.NestedArchiveLevel less than 5; "Continue"; Event: enable composite opener) on that rule, what visibility are you losing in subsequent rules for archives with more than 5 levels? Support once suggested this to me to deal with long scan times, as the default level is apparently 100?
- Conceptually, how does the composite opener affect subsequent rule evaluations? I am looking for help understanding how it relates to the Gateway Anti-Malware ruleset, Progress Pages, and Call ReqMod Server (which many clients use to send requests through network DLP appliances for evaluation).
- On the Progress Pages, does time spent in the composite opener happen during the "scanning" portion or the "download" portion of the progress page?
- What's considered best practice for Enable composite opener and the Gateway Anti-Malware rules to deal with long scan times?
- Finally, does anyone have a suggestion on how to put in a max file size over which you skip AV and the composite opener? How do you implement that? (Add Body.Size conditions to Enable composite opener as well as Gateway Anti-Malware?)
Here's why I ask:
There was an early McAfee consultant who set up one of my client's rulesets. There are some top-level rule sets between Common Rules and the Gateway Anti-Malware and ReqMod rulesets. I've observed that between the composite opener and the anti-malware rule, some large downloads can really, really take forever, so for common vendors they'd like to bypass these time-consuming rules when downloading content they largely trust by way of a vendor relationship.
In those cases, I'd like to bypass the opener as well as AV, but still run the rules (such as ICAP to the DLP appliances) in between Common Rules and Gateway Anti-Malware. Unfortunately, the Common Rules "response whitelist" that's built into that ruleset template does a Stop Cycle rather than a Stop Ruleset. This causes the client's ICAP DLP rule to not get evaluated, as it's currently positioned after Common Rules in the ruleset.
I'd feel more confident rolling my own here if I understood the composite opener's function and purpose better. It sure does seem to dim the lights on certain installers with long long download and scan times.
Thanks so much for any insight!