Understanding Security Policies
The term Security Policies describes three objects and their relationship to each other:
- Workflow Rules
- Workflow Templates
- Security Zones
Workflow Rules
Workflow Rules is the object that each file interacts with directly when being processed by MetaDefender, i.e. each file is processed through one (and only one) of the defined Workflow Rules.
The workflow rule is identified by its name. It defines eligibility parameters for using it (i.e. whether the client is in the proper Security Zone and/or the actual logged-in user is in the specified Role and/or the client has provided the required user_agent). It inherits processing characteristics (i.e. whether to scan files with the malware engines, if and how to use data sanitization, if and how to extract archives, etc.) from a Workflow that gets assigned to it. It also allows direct assignment of processing characteristics that override the characteristics of the workflow.
You create a workflow rule by giving it a name and assigning a Security Zone and a Workflow template to it. You can also assign specific processing characteristics to it. A file's eligibility to be processed by the Workflow Rule is determined by the filtering parameters in the General tab. If all the required parameters match, the processing actions performed on that file are determined by the processing characteristics set directly on the Workflow Rule; where the Workflow Rule does not override the underlying Workflow, the Workflow's scanning characteristics are used, i.e. the Workflow determines each processing setting that is not explicitly set on the Workflow Rule. Workflow Rules can be reordered using drag and drop.
A file that is eligible to be processed by more than one Workflow Rule will still only get assigned to one Workflow Rule (the assignment logic is described below). A file that is not eligible for any Workflow Rule will not be processed.
Security Zones
Security Zones is the object that defines a network or set of networks (as defined by IP masks). Only files whose source location is in that network are eligible to be routed to a Workflow Rule that is assigned that Security Zone.
Workflow Templates
Workflow Templates is the object where you define a set of process actions (and associated action properties) such as malware scanning, sanitization, archive handling, etc. The Workflow Template does not get applied directly to the file; the Workflow Rule is associated with a Workflow Template, and it is the Workflow Rule that gets applied to the file. The Workflow Template can be thought of as a template of process settings - by assigning the Workflow Rule to a Workflow Template, the Workflow Rule inherits the Workflow Template settings for each field that has not been directly populated on the Workflow Rule.
Workflow Templates that are included out-of-the-box with each MetaDefender Core v4 installation are: "Default", "Skip Images", and "Executables only". These workflows cannot be altered or deleted, but they can be copied to custom workflows that can then be edited.
Note: Only the three Workflows mentioned above will be migrated when you upgrade MetaDefender Core.
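The routing and inheritance described above (zone check by IP mask, role and user_agent filters, rule-level settings overriding the template), as an added Python illustration that is not MetaDefender's own code; the class and attribute names, CIDR zone format and first-match-in-order assignment are assumptions, since this page does not spell out the assignment logic.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional
# Added illustration; names, CIDR zones and first-match order are assumptions, not the product's API.

@dataclass
class SecurityZone:
    name: str
    networks: list  # IP masks in CIDR notation
    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self.networks)

@dataclass
class WorkflowTemplate:
    name: str
    settings: dict  # full set of processing actions

@dataclass
class WorkflowRule:
    name: str
    zone: SecurityZone
    template: WorkflowTemplate
    roles: Optional[set] = None        # None: any role is eligible
    user_agents: Optional[set] = None  # None: any user_agent is eligible
    overrides: dict = field(default_factory=dict)  # settings set directly on the rule
    def eligible(self, client_ip, role, user_agent) -> bool:
        return (self.zone.contains(client_ip)
                and (self.roles is None or role in self.roles)
                and (self.user_agents is None or user_agent in self.user_agents))
    def effective_settings(self) -> dict:
        # Template fills every field the rule does not set directly.
        return {**self.template.settings, **self.overrides}

def route(rules, client_ip, role, user_agent):
    # Assumed: rules are tried in list order, first eligible wins; None = file is not processed.
    for rule in rules:
        if rule.eligible(client_ip, role, user_agent):
            return rule
    return None

# Constructed sample policy (not a real deployment)
LAN = SecurityZone("LAN", ["10.0.0.0/8"])
DMZ = SecurityZone("DMZ", ["192.168.100.0/24"])
DEFAULT = WorkflowTemplate("Default", {"scan": True, "sanitize": False, "extract_archives": True})
RULES = [
    WorkflowRule("admins", LAN, DEFAULT, roles={"admin"}, overrides={"sanitize": True}),
    WorkflowRule("dmz-uploads", DMZ, DEFAULT, user_agents={"mdcore-client"}),
    WorkflowRule("lan-any", LAN, DEFAULT),
]
```

A file from an address outside every zone, or one whose role/user_agent matches no rule, gets `None` and is therefore not processed, which is the behaviour the text describes for ineligible files.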