
Block encrypted Files via AVL Basic / SAVDI

Hello,

I have a private e-mail server with Rspamd and I have also installed Antivirus for Linux Free there, and I'd like to block encrypted files there which can't be scanned. The setup is that Postfix will receive the mail and send it to Rspamd, and Rspamd will forward it to SAVDI to check if the attachments contain a virus. It looks like Rspamd can only do SSSP, because when I set it to use the ICAP TCP socket then it sends an SSSP request. Is there any possibility to block encrypted files with the SSSP protocol?

Thanks for your help.

Regards.



  • Hello Matthias Mandlmeier,

    I'm not familiar with SAVDI (but then there aren't many responses to SAVDI queries in this forum).
    "block encrypted files with the SSSP"
    With SSSP the file isn't returned to the client like with ICAP, and even an infected file isn't blocked - or is it? Doesn't it return an error (0x0212) when it encounters an encrypted file?

    Christian

  • Hello Christian,

    thanks for your reply.

    Can you tell me where I can see if it will return an error like (0x0212)? When I look in the log file of SAVDI, then I can see only these lines, which is when Rspamd forwards a request to SAVDI.

    171123:135934 [5A161899] 00038402 New session
    171123:135934 [5A161899] C000460B Client terminated connection early
    171123:135934 [5A161899] 00038403 Session ended
    171123:135934 [5A161899] 00038401 Connection ended
        To: 0.0.0.0:4010 From 0.0.0.0:4010

    I tested it with the EICAR test virus, and only the signature is detected when it is written directly as text in an e-mail. If it is in a .zip file, for example, with or without a password, then it isn't detected and the mail will be delivered.

    I also added these lines to the savdid.conf for testing, in the channel for SSSP:

    savigrp: GrpSuper 1
    savigrp: GrpArchiveUnpack 1
    savigrp: GrpSelfExtract 1
    savigrp: GrpExecutable 1
    savigrp: GrpInternet 1
    savigrp: GrpMSOffice 1
    savigrp: GrpMisc 1
    savigrp: GrpDisinfect 1
    savigrp: GrpClean 1
    savigrp: GrpWebArchive 1
    savigrp: GrpWebEncoding 1

    but it looks like this doesn't work.

    I also tested it with an encrypted .zip file which contains a password-protected Excel file, but it was also not detected.

    Maybe you have another proposal for how to get this to work.

    Thank you.

  • Hello Matthias Mandlmeier,

    as said, I'm afraid I don't have any experience with either, so I can't say what could be wrong.

    The part of the log you showed contains just a single session, and as far as I can see no client requests - perhaps add logrequests: YES in the scanprotocol configuration. "Client terminated connection early" doesn't seem right - do you get it for all requests?
    If logrequests doesn't give an insight, I'd suggest Wireshark to monitor the sessions - while there is no dissector for SSSP, "Line-based text data" should do.

    Christian

  • Hello Christian,

    I have now set logrequests: YES and now I get this in the log with an encrypted .zip file:

    171124:142930 [5A181A5D] 00038402 New session
    171124:142930 [5A181A5D/1] 00030406 Client request
        SSSP/1.0
    171124:142930 [5A181A5D/2] 00030406 Client request
        SCANDATA 22871
    171124:142930 [5A181A5D] C000460B Client terminated connection early
    171124:142930 [5A181A5D] 00038403 Session ended
    171124:142930 [5A181A5D] 00038401 Connection ended
        To: /var/run/savdid.sock From User (110, 116), process 21223

    This looks like Rspamd communicates correctly with SAVDI.

    When I test with the EICAR test virus, it shows me this in the logs:

    171124:142219 [5A181A59] 00038402 New session
    171124:142219 [5A181A59/1] 00030406 Client request
        SSSP/1.0
    171124:142219 [5A181A59/2] 00030406 Client request
        SCANDATA 2182
    171124:142219 [5A181A59/2] 00030405 Threat found
        Identity: 'EICAR-AV-Test' "/eicar.com"
    171124:142219 [5A181A59] C000460B Client terminated connection early
    171124:142219 [5A181A59] 00038403 Session ended
    171124:142219 [5A181A59] 00038401 Connection ended

    In the Postfix logs I see this line: 5.7.1 sophos: virus found: \"EICAR-AV-Test\ and the mail gets rejected.

    The line with "Client terminated connection early" I get at every request, but I have also found one request which looks correct to me:

    171124:142126 [5A181A57] 00038400 New connection
        To: /var/run/savdid.sock From User (110, 116), process 21223
    171124:142126 [5A181A57] 00038402 New session
    171124:142126 [5A181A57/1] 00030406 Client request
        SSSP/1.0
    171124:142126 [5A181A57/2] 00030406 Client request
        SCANDATA 2107
    171124:142126 [5A181A57/2] 00030405 Threat found
        Identity: 'EICAR-AV-Test' "/eicar.zip/eicar.com"
    171124:142127 [5A181A57/3] 00030406 Client request
        BYE

    Thanks

    Matthias

  • Hello Matthias,

    I'm not sure what SAVDI expects in SCANDATA, but I think it basically works like the on-access scanner scanning a file. In particular, AFAIK it doesn't go to any lengths to dissect and decode (complex) containers. An encrypted .zip isn't significantly larger than an unencrypted one, but the SCANDATA request shows a size of 22871.

    Christian

  • Hello Christian,

    I have now installed Amavis on my mail server, and Postfix also sends the attachments to this daemon, and there I got more output from the Sophos log, like this with an encrypted ZIP file, for example:

    amavis[17668]: (17668-11) (!)do_unzip: p003, unsupported compression method: 99
    amavis[17668]: (17668-11) (!)run_av (Sophos-SSSP) FAILED - unexpected , output="FAIL 0212 /var/lib/amavis/tmp/amavis-20171126T234709-17668-DpgG67vk/parts/p007\r\nFAIL 0212 /var/lib/amavis/tmp/amavis-20171126T234709-17668-DpgG67vk/parts/p003\r\nDONE FAIL 0212 File was encrypted\r\n"
    amavis[17668]: (17668-11) (!)Sophos-SSSP av-scanner FAILED: CODE(0x339f658) unexpected , output="FAIL 0212 /var/lib/amavis/tmp/amavis-20171126T234709-17668-DpgG67vk/parts/p007\r\nFAIL 0212 /var/lib/amavis/tmp/amavis-20171126T234709-17668-DpgG67vk/parts/p003\r\nDONE FAIL 0212 File was encrypted\r\n" at (eval 96) line 905.

    I then configured Amavis so that it rejects the encrypted files, and it also sends out an e-mail to the sender that this content is blocked.

    I think it could be that the protocol between Rspamd and SAVDI doesn't support encrypted files, or the protocol is very basic and it can only detect viruses.

    My setup is now that Postfix will receive the message and send it to Rspamd to see if the mail is spam or contains a virus, and reject it. If Rspamd doesn't detect that it is an encrypted file, or maybe the virus isn't detected, then it will be forwarded to Amavis to check again if the file is maybe encrypted, and the file will be checked again with Sophos.

    This is maybe only a workaround, but it is enough for me, because it is only a private mail server and it has no business use.

    Thanks for your help Christian.

    Regards

    Matthias
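The Amavis log in the last post shows what the OP was missing on the Rspamd side: SAVDI does report encrypted content, as "FAIL 0212 <part>" lines and a final "DONE FAIL 0212 File was encrypted", which the Amavis Sophos-SSSP profile only logs as "FAILED - unexpected". Below is an added example (not code from the thread, Rspamd, Amavis or SAVDI) that parses such an SSSP response into an explicit verdict and applies the thread's policy of rejecting both infected and unscannable mail; it assumes a "VIRUS <identity> <path>" line for a detection and "DONE OK 0000" for a clean scan, neither of which the thread shows on the wire.

```python
import re
from dataclasses import dataclass, field

ENCRYPTED_CODE = "0212"  # SAVDI result code for password-protected content (from the thread)
# FAIL/DONE shapes come from the Amavis log above; "VIRUS <identity> <path>" for a
# detection and "DONE OK 0000" for a clean scan are assumed, not shown in the thread.
VIRUS_RE = re.compile(r"^VIRUS\s+(\S+)\s+(.*)$")
FAIL_RE = re.compile(r"^FAIL\s+(\d{4})\s+(.*)$")
DONE_RE = re.compile(r"^DONE\s+(OK|FAIL)\s+(\d{4})\b")

@dataclass
class SsspVerdict:
    status: str = "error"                                # clean | infected | encrypted | error
    threats: list = field(default_factory=list)          # (identity, path) per VIRUS line
    encrypted_parts: list = field(default_factory=list)  # paths SAVDI reported as 0212
    done_code: str = ""                                  # code on the final DONE line

def parse_sssp_response(raw: str) -> SsspVerdict:
    """Classify one scan's CRLF-terminated response lines (as Amavis logs them)."""
    v = SsspVerdict()
    for line in raw.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if m := VIRUS_RE.match(line):
            v.threats.append((m.group(1), m.group(2)))
        elif (m := FAIL_RE.match(line)) and m.group(1) == ENCRYPTED_CODE:
            v.encrypted_parts.append(m.group(2))
        elif m := DONE_RE.match(line):
            v.done_code = m.group(2)
    if v.threats:                       # a detection outranks "encrypted"
        v.status = "infected"
    elif v.encrypted_parts or v.done_code == ENCRYPTED_CODE:
        v.status = "encrypted"
    elif v.done_code == "0000":
        v.status = "clean"
    return v

def should_reject(v: SsspVerdict, block_encrypted: bool = True):
    """Mail policy from the thread: reject viruses and, optionally, unscannable (encrypted) parts."""
    if v.status == "infected":
        return True, "virus found: " + ", ".join(i for i, _ in v.threats)
    if v.status == "encrypted" and block_encrypted:
        return True, "encrypted content cannot be scanned (SSSP 0212)"
    if v.status == "error":             # fail closed on anything unrecognised
        return True, "scanner error, result code %r" % v.done_code
    return False, "accepted (%s)" % v.status

# Constructed sample: the encrypted-ZIP response Amavis logged in this thread.
AMAVIS_ENCRYPTED = ("FAIL 0212 /var/lib/amavis/tmp/amavis-20171126T234709-17668-DpgG67vk/parts/p007\r\n"
                    "FAIL 0212 /var/lib/amavis/tmp/amavis-20171126T234709-17668-DpgG67vk/parts/p003\r\n"
                    "DONE FAIL 0212 File was encrypted\r\n")
```

Running `should_reject(parse_sssp_response(AMAVIS_ENCRYPTED))` yields a rejection with the 0212 reason, while an empty or unrecognised response is also rejected (fail closed) rather than silently delivered.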