Understanding Security Policies

The term Security Policies describes three objects and their relationship to each other:

  • Workflow Rules

  • Workflow Templates

  • Security Zones

Workflow Rules

Workflow Rules are the object that each file interacts with directly when it is processed by MetaDefender: every file is processed through exactly one of the defined Workflow Rules.

The workflow rule is identified by its name. It defines the eligibility parameters for using it (i.e. whether the client is in the proper Security Zone and/or the logged-in user is in the specified Role and/or the client has provided the required user_agent). It inherits processing characteristics (i.e. whether to scan files with the malware engines, if and how to use data sanitization, if and how to extract archives, etc.) from the Workflow that is assigned to it. It also allows direct assignment of processing characteristics that override the characteristics of the workflow.

You create a workflow rule by giving it a name and assigning a Security Zone and a Workflow template to it. You can also assign specific processing characteristics to it. A file's eligibility to be processed by the Workflow Rule is determined by the filtering parameters in the General tab. If all the required parameters match, the processing actions performed on that file are determined by the processing characteristics set directly on the Workflow Rule; for any setting the Workflow Rule does not override, the underlying Workflow's setting is used, i.e. the Workflow supplies every processing setting that is not explicitly set on the Workflow Rule. Workflow Rules can be reordered using drag & drop.

A file that is eligible to be processed by more than one Workflow Rule will still only get assigned to one Workflow Rule (the assignment logic is described below). A file that is not eligible for any Workflow Rule will not be processed.

Security Zones

A Security Zone is the object that defines a network or set of networks (as defined by IP masks). Only files whose source location is in that network are eligible to be routed to a Workflow Rule that is assigned that Security Zone.

Workflow Templates

A Workflow Template is the object where you define a set of process actions (and associated action properties) such as malware scanning, sanitization, archive handling, etc. The Workflow Template is not applied directly to the file: a Workflow Rule is associated with a Workflow Template, and it is the Workflow Rule that is applied to the file. The Workflow Template can be thought of as a template of process settings - by assigning a Workflow Template to a Workflow Rule, the Workflow Rule inherits the Workflow Template's setting for each field that has not been directly populated on the Workflow Rule.

Workflow Templates that are included out-of-the-box with each MetaDefender Core v4 installation are: "Default", "Skip Images", and "Executables only". These workflows cannot be altered or deleted, but they can be copied to custom workflows that can then be edited.

Note: Only the three Workflows mentioned above will be migrated when you upgrade MetaDefender Core.

Assigning a Workflow Rule to process a file

Workflow Rules are evaluated one by one according to the order they appear in the UI. The first Workflow Rule that satisfies the request will be selected for processing.

When submitting a file via the REST API you can select a specific Rule or a specific set of Rules by providing:

  • the User-Agent that represents your client application (user_agent header) and/or

  • the name of a specific Workflow Rule you want to use (rule header)

Please keep in mind that even if you specify a particular Workflow Rule to use, it still needs to satisfy the eligibility criteria (Security Zone and/or the logged-in user is in the specified Role and/or the client has provided the required user_agent) in order to be used.
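The selection and inheritance behaviour described above (first eligible rule in UI order wins, a requested rule is honoured only if it is itself eligible, rule-level settings override the template's) can be modelled in a few lines. The following is an added illustration, not OPSWAT code: the class names, the zone/role/user_agent fields and the sample rules and settings are all constructed for this example.

```python
"""Simulation of MetaDefender Core Workflow Rule selection (added example,
not OPSWAT code; all class names, fields and sample data are assumed)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SecurityZone:
    name: str
    networks: list  # CIDR strings, e.g. "10.0.0.0/8"

    def contains(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(n) for n in self.networks)


@dataclass
class WorkflowTemplate:
    name: str
    settings: dict  # processing characteristics, e.g. {"scan": True}


@dataclass
class WorkflowRule:
    name: str
    zone: SecurityZone
    template: WorkflowTemplate
    roles: Optional[set] = None        # None: no Role restriction
    user_agents: Optional[set] = None  # None: no user_agent restriction
    overrides: dict = field(default_factory=dict)  # settings set on the rule itself

    def is_eligible(self, client_ip, role, user_agent) -> bool:
        """All configured eligibility parameters must match."""
        if not self.zone.contains(client_ip):
            return False
        if self.roles is not None and role not in self.roles:
            return False
        if self.user_agents is not None and user_agent not in self.user_agents:
            return False
        return True

    def effective_settings(self) -> dict:
        """Rule-level values win; every other field comes from the template."""
        return {**self.template.settings, **self.overrides}


def select_rule(rules, client_ip, role=None, user_agent=None, requested_rule=None):
    """Return the first eligible rule in UI order, or None (file not processed).
    A requested rule name (the 'rule' header) is only used if that rule is eligible."""
    candidates = rules if requested_rule is None else [r for r in rules if r.name == requested_rule]
    for rule in candidates:
        if rule.is_eligible(client_ip, role, user_agent):
            return rule
    return None


def eligible_rule_names(rules, client_ip, role=None, user_agent=None):
    """Names of every rule that matches all criteria, as the rule-listing API would report."""
    return [r.name for r in rules if r.is_eligible(client_ip, role, user_agent)]


# Constructed sample configuration (not shipped defaults)
INTERNAL = SecurityZone("Internal", ["10.0.0.0/8"])
ANY = SecurityZone("Any", ["0.0.0.0/0"])
BASE = WorkflowTemplate("Base", {"scan": True, "sanitize": False, "extract_archives": True})
STRICT = WorkflowTemplate("Strict", {"scan": True, "sanitize": True, "extract_archives": True})

RULES = [  # order matters: this is the UI order
    WorkflowRule("Kiosk", INTERNAL, BASE, user_agents={"MetaDefender Kiosk"}, overrides={"sanitize": True}),
    WorkflowRule("Admins", INTERNAL, STRICT, roles={"admin"}),
    WorkflowRule("Public", ANY, BASE),
]

if __name__ == "__main__":
    chosen = select_rule(RULES, "10.1.2.3", role="admin", user_agent="MetaDefender Kiosk")
    print(chosen.name, chosen.effective_settings())
```

Note that a submission from outside the Internal zone that requests the "Kiosk" rule by name gets no rule at all rather than falling through to "Public": the rule header narrows the candidate set, it does not bypass eligibility.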

You can use this REST API to fetch the names of the available rules that match all the criteria (you have to specify the same user_agent header as you want to use for the file scan request).

When submitting a file via one of the OPSWAT client applications (e.g. MetaDefender Client, MetaDefender Kiosk) and you want a specific Rule to be used for that application, make sure you have set up a rule with the proper User-Agent filter.

When submitting a file via the browser (web scan), MetaDefender will use the Workflow Rule you selected in the UI. Only the rules that match all the eligibility parameters are shown in the UI.

This article applies to MetaDefender Core v4
This article was last updated on 2019-10-06