GWAVA 4 Components
When you install GWAVA on a server, several core components are installed and then run automatically.
Communication between these components is via TCP/IP, with a few exceptions noted below.
Service Scripts
At startup, the service script /etc/init.d/gwavaman is run. This script automatically reads the configuration file /opt/beginfinite/gwava/assets/conf/services.conf and loads each of the GWAVA components listed there. Most GWAVA components are started and stopped using the service script. One exception is the MTA interface, discussed below.
- To manually start gwava, type /etc/init.d/gwavaman start.
- To manually stop gwava, type /etc/init.d/gwavaman stop.
- A quick way to stop any running pieces of gwava and restart is to type /etc/init.d/gwavaman restart.
The service script can also be used to show if various components are running (/etc/init.d/gwavaman status), and to start and stop individual components. For more information, type /etc/init.d/gwavaman.
GWAVAMAN
GWAVAMAN is the heart of the GWAVA system. GWAVAMAN provides these major functions:
- The Web server from which the Administrator performs all administration tasks. By default, this is bound to all interfaces and runs on port 49282. (49382 with SSL)
- Authentication services - any component of the GWAVA system must successfully authenticate into GWAVAMAN (as must the Administrator) to access the GWAVA configuration settings
- Access to all configuration settings in the core configuration database. If another component needs to access or update configuration settings, it does so by logging into GWAVAMAN and requesting access to the configuration database. Other components do NOT directly access, change, or alter the database.
- Replication services. Each GWAVAMAN service communicates with all of the other GWAVAMAN services on the network to keep the configuration database in sync across the system. This allows administrators to log into any GWAVAMAN server in the system, and manage any server's settings.
GWAVA
GWAVA (often referred to as the "GWAVA Scanner") provides the core scanning and processing of the messages passing through the system.
When an MTA scanner/interface has a new message to scan and process, the actual scanning is not performed by the MTA interface portion. Instead the MTA connects to the GWAVA component, requests that the appropriate scanner configuration (for example, Antivirus on, block all *.scr files, etc) is loaded by GWAVA and sends the message to GWAVA for processing.
The processing of the message, including all virus scanning, decompression, fingerprinting, etc is performed by the GWAVA component and the results are sent to the interface.
Depending on the interface type, some post processing tasks may be performed by the interface itself. For example, if the message was modified by having a signature added, the GWIA interface re-injects the altered message directly into the GWIA mail flow. The MTA interface cannot, and relies on GWAVA to deal with this situation (by relaying an altered message to an SMTP server).
GWAVA depends upon GWAVAMAN for all access to the configuration database, and to be notified if any settings in the currently active scanner configurations have changed.
By default, GWAVA listens on all bound interfaces on port 49283.
GWVRELAY
GWVRELAY provides the SMTP mail and key generation functions for the GWAVA system. Any GWAVA component -- such as GWAVA or GWAVAQMS -- that needs to generate e-mail notifications, altered messages, or digests, places files in a queue on the GWAVA server. GWVRELAY picks these up, and routes them to the appropriate SMTP server, using the information configured for that server.
When a message is created, a "pass through" key is automatically generated by GWVRELAY for a one-time use by all GWAVA scanner components. This allows items like notifications or digests to not be stopped by content filtering, virus scanning, etc, in a secure fashion. These keys cannot be used more than once, and expire after a few hours.
Like all GWAVA components, GWVRELAY depends upon GWAVAMAN for all access to the configuration database, and to be notified if any settings have changed.
GWAVAQMS
GWAVAQMS is the core of the GWAVA Quarantine Management System.
Services provided include:
- Web Server for logging into the QMS system for end users and admins to maintain quarantined e-mail. By default, this is bound to all interfaces and runs on port 49285. (49385 with SSL)
- Authentication/Rights Management services for the purpose of maintaining a secure login. The QMS provides a rich selection of ACL rights and user and group management to allow granular control over access to QMS messages and functions.
- Release, Forward, Whitelist, Blacklist, Delete and additional functions allowing users and Administrators to maintain their quarantined e-mail.
- Digest services are provided and configured within the QMS. Both the generation of HTML digest messages sent to end users and the release of messages selected by end users from the digest, are processed by GWAVAQMS. Digests provide easy and quick access to the most desired function of a quarantine system - release of incorrectly trapped messages - without requiring a full login into the QMS system.
- Database access to all user/group accounts, digest information, and messages is provided by GWAVAQMS, not the GWAVAMAN component. However, GWAVAQMS requires access to GWAVAMAN to provide various initial QMS settings, for authentication purposes, and to update blacklists and whitelists.
ASENGINE
ASENGINE provides the antispam scanning services to GWAVA while processing messages. ASEngine reports the following information back to the scanner engine depending on the configuration it is using:
- Probability analysis and score
- Heuristic analysis and score
By default, ASENGINE is bound to 127.0.0.1 and listens on port 49284.
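The default ports and bindings given in the sections above can be compared with what a server is actually listening on. The following is an added example, not part of GWAVA or of the original page: a shell function that reads ss -ltn or netstat -ltn output and reports every GWAVA default port it finds, whether it is reachable from off-host, and whether that matches the documented default. The function names, component labels and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not GWAVA code): classify listeners on the GWAVA 4 default
# ports from `ss -ltn` or `netstat -ltn` output read on stdin.

# port:component:documented-default-bind, taken from this page's defaults.
GWAVA_PORTS="49282:GWAVAMAN-web:all 49382:GWAVAMAN-web-ssl:all \
49283:GWAVA-scanner:all 49284:ASENGINE:loopback \
49285:GWAVAQMS-web:all 49385:GWAVAQMS-web-ssl:all"

# Prints: <port> <component> <local-addr> <EXPOSED|loopback> <default|differs>
gwava_listener_audit() {
    awk -v map="$GWAVA_PORTS" '
    BEGIN {
        n = split(map, rows, " ")
        for (i = 1; i <= n; i++) {
            split(rows[i], f, ":")
            name[f[1]] = f[2]; dflt[f[1]] = f[3]
        }
    }
    # ss puts the state in column 1, netstat in column 6; both put the
    # local address:port in column 4.
    $1 == "LISTEN" || $6 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)
        addr = $4; sub(/:[^:]*$/, "", addr)
        if (!(port in name)) next
        scope = (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") ? "loopback" : "EXPOSED"
        want  = (dflt[port] == "loopback") ? "loopback" : "EXPOSED"
        print port, name[port], addr, scope, (scope == want ? "default" : "differs")
    }' | sort -n
}

# Constructed sample in `ss -ltn` format (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:49282      0.0.0.0:*
LISTEN 0      128    0.0.0.0:49283      0.0.0.0:*
LISTEN 0      128    0.0.0.0:49284      0.0.0.0:*
LISTEN 0      128    127.0.0.1:49285    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Count GWAVA listeners on stdin that are reachable from off-host.
gwava_exposed_count() {
    gwava_listener_audit | awk '$4 == "EXPOSED" { c++ } END { print c + 0 }'
}

printf '%s\n' "$SAMPLE_SS" | gwava_listener_audit
```

On a live server, pipe the real listing in (ss -ltn | gwava_listener_audit); a "differs" on port 49284 means ASENGINE is bound more widely than the 127.0.0.1 default.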
AUTOBLKR
AUTOBLKR (Auto-Blocker) automatically tunes and optimizes configurations used by the Antispam engine. By default, every hour AUTOBLKR signals ASENGINE to start using the new configuration if its analysis has produced better results.
AUTOBLKR is fed new Ham/Spam via a transfer directory that may be fed through watermark feeders, or IMAP/POP3 feeders.
The IMAP/POP3 servers are accessed directly by AUTOBLKR. Watermark feeding is performed by the GWAVA scanner engine, which pushes messages directly into the transfer directories.
GWAVAUPD
GWAVAUPD provides the updating mechanism for GWAVA 4.
Interfaces
The actual components of GWAVA that intercept mail flow or are otherwise in contact with the messaging system are called Interfaces. An Interface component is required for each separate connection to the messaging system.
Typically an interface starts by contacting the local server's GWAVAMAN component for bootstrap information. From this, the interface is informed of the scanner(s) attached to the interface and some basic configuration information (such as logging to the console). If these change, the interface will be notified by GWAVAMAN.
Each interface then processes the mail according to the Scanner configuration attached to the interface. It's important to know the interface does not know or understand the configuration settings attached to the "Scanner", nor does it actually perform the actual tasks such as virus scanning. The actual scanning/processing of the mail takes place within the GWAVA component. The interface merely knows the "name" (unique engine ID) of the scanner attached to it, and requests GWAVA to do the rest and report back the results.
In GWAVA currently, there are three types of interfaces:
- The MTA interface (libgwvsmod.so on Linux, vs.nlm on NetWare), which is installed once per server, and loads whenever the MTA loads. This intercepts MTA-level messages in realtime, and scans them via the GWAVA component.
- The GWIA interface (GWVGWIA), which is generally installed once per server, and loads when the GWAVA services are loaded. This intercepts GWIA-level messages in realtime, and scans them via the GWAVA component.
- POA scanning is handled a bit differently. The GWAVAPOA job manager is always loaded and attaches to GWAVAMAN for all of its configuration information, including when future scheduled Post Office scan jobs will need to be run on that server. At that time, the connection to the Post Office is initiated by GWAVAPOA, and messages are sent to the GWAVA component for scanning.
Kaspersky Antivirus
GWAVA uses Kaspersky Antivirus (KAV) for virus detection. Virus signatures are updated hourly.
