Hello,
I have a private E-Mail Server with Rspamd, and I have also installed Antivirus for Linux Free there, and I'd like to block encrypted Files there which can't be scanned. The setup is that Postfix will receive the Mail and send it to Rspamd, and Rspamd will forward it to SAVDI to check if the attachments contain a virus. It looks like Rspamd can only do SSSP, because when I set it to use the ICAP TCP Socket then it sends an SSSP Request. Is there any possibility to block encrypted files with the SSSP Protocol?
Thanks for your help.
Regards.
Hello Matthias Mandlmeier,
I'm not familiar with SAVDI (but then there aren't many responses to SAVDI queries in this forum).
"block encrypted files with the SSSP"
With SSSP the file isn't returned to the client like with ICAP and even an infected file isn't blocked - or is it? Doesn't it return an error (0x0212) when it encounters an encrypted file?
Christian
Hello Christian,
thanks for your reply.
Can you tell me where I can see if it will return an error like (0x0212)? When I look in the Log File of SAVDI, then I can see only these lines, which is when Rspamd forwards a request to SAVDI:
171123:135934 [5A161899] 00038402 New session
171123:135934 [5A161899] C000460B Client terminated connection early
171123:135934 [5A161899] 00038403 Session ended
171123:135934 [5A161899] 00038401 Connection ended
To: 0.0.0.0:4010 From 0.0.0.0:4010
I tested it with the EICAR Test Virus, and the signature is only detected when it is written directly as text in an E-Mail. If it is in a .zip File, for example with and without a Password, then it isn't detected and the mail will be delivered.
I also added these Lines to the savdid.conf for testing in the Channel for SSSP:
savigrp: GrpSuper 1
savigrp: GrpArchiveUnpack 1
savigrp: GrpSelfExtract 1
savigrp: GrpExecutable 1
savigrp: GrpInternet 1
savigrp: GrpMSOffice 1
savigrp: GrpMisc 1
savigrp: GrpDisinfect 1
savigrp: GrpClean 1
savigrp: GrpWebArchive 1
savigrp: GrpWebEncoding 1
but it looks like this doesn't work.
I also tested it with an encrypted .zip File which contains a password-protected Excel File, but it was also not detected.
Maybe you have another proposal how to get this to work.
Thank you.
As said, I'm afraid I don't have any experience with either, so I can't say what could be wrong.
The part of the log you showed contains just a single session, and as far as I can see no client requests - perhaps add logrequests: YES in the scanprotocol configuration. "Client terminated connection early" doesn't seem right - do you get it for all requests? If logrequests doesn't give an insight, I'd suggest Wireshark to monitor the sessions - while there is no dissector for SSSP, "Line-based text data" should do.
I have now set logrequests: YES and now I get this in the Log with an encrypted .zip File:
171124:142930 [5A181A5D] 00038402 New session
171124:142930 [5A181A5D/1] 00030406 Client request
SSSP/1.0
171124:142930 [5A181A5D/2] 00030406 Client request
SCANDATA 22871
171124:142930 [5A181A5D] C000460B Client terminated connection early
171124:142930 [5A181A5D] 00038403 Session ended
171124:142930 [5A181A5D] 00038401 Connection ended
To: /var/run/savdid.sock From User (110, 116), process 21223
This looks like Rspamd communicates correctly with SAVDI.
When I test with the EICAR Test Virus, it shows me this in the Logs:
171124:142219 [5A181A59] 00038402 New session
171124:142219 [5A181A59/1] 00030406 Client request
171124:142219 [5A181A59/2] 00030406 Client request
SCANDATA 2182
171124:142219 [5A181A59/2] 00030405 Threat found
Identity: 'EICAR-AV-Test' "/eicar.com"
171124:142219 [5A181A59] C000460B Client terminated connection early
171124:142219 [5A181A59] 00038403 Session ended
171124:142219 [5A181A59] 00038401 Connection ended
In the Postfix Logs I see this Line:
5.7.1 sophos: virus found: \"EICAR-AV-Test\"
and the Mail gets rejected.
The Line with "Client terminated connection early" I get at every request, but I have also found one request which looks correct to me:
171124:142126 [5A181A57] 00038400 New connection
171124:142126 [5A181A57] 00038402 New session
171124:142126 [5A181A57/1] 00030406 Client request
171124:142126 [5A181A57/2] 00030406 Client request
SCANDATA 2107
171124:142126 [5A181A57/2] 00030405 Threat found
Identity: 'EICAR-AV-Test' "/eicar.zip/eicar.com"
171124:142127 [5A181A57/3] 00030406 Client request
BYE
Thanks
Matthias
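To make savdid logs like the ones above easier to read, here is an added example (Python, written for this page; it is not part of SAVDI, Rspamd or either poster's setup) that groups log entries by session and pulls out the request lines and the 'Threat found' identities. The sample log embedded in it is constructed from the excerpts posted above; the line layout and the meaning of code C000460B are inferred from those excerpts, not taken from SAVDI documentation.

```python
# Added example: per-session summary of savdid output written with logrequests: YES.
# Line layout '<yymmdd:hhmmss> [<session>[/<request>]] <code> <message>' plus free-form
# continuation lines is inferred from the excerpts in this thread (an assumption).
import re
from collections import OrderedDict

LINE_RE = re.compile(r"^(\d{6}:\d{6}) \[([0-9A-F]+)(?:/(\d+))?\] ([0-9A-F]{8}) (.*)$")
THREAT_RE = re.compile(r"Identity: '([^']+)' \"([^\"]*)\"")
EARLY_CLOSE = "C000460B"          # "Client terminated connection early" in the excerpts

# Constructed sample, assembled from the log excerpts posted above.
SAMPLE_LOG = """\
171124:142930 [5A181A5D] 00038402 New session
171124:142930 [5A181A5D/1] 00030406 Client request
SSSP/1.0
171124:142930 [5A181A5D/2] 00030406 Client request
SCANDATA 22871
171124:142930 [5A181A5D] C000460B Client terminated connection early
171124:142930 [5A181A5D] 00038403 Session ended
171124:142930 [5A181A5D] 00038401 Connection ended
To: /var/run/savdid.sock From User (110, 116), process 21223
171124:142219 [5A181A59] 00038402 New session
171124:142219 [5A181A59/1] 00030406 Client request
171124:142219 [5A181A59/2] 00030406 Client request
SCANDATA 2182
171124:142219 [5A181A59/2] 00030405 Threat found
Identity: 'EICAR-AV-Test' "/eicar.com"
171124:142219 [5A181A59] C000460B Client terminated connection early
171124:142126 [5A181A57] 00038400 New connection
171124:142126 [5A181A57/2] 00030406 Client request
SCANDATA 2107
171124:142126 [5A181A57/2] 00030405 Threat found
Identity: 'EICAR-AV-Test' "/eicar.zip/eicar.com"
171124:142127 [5A181A57/3] 00030406 Client request
BYE
"""


def _new_session():
    return {"requests": [], "scandata_bytes": [], "threats": [],
            "early_close": False, "bye": False, "entries": []}


def parse_savdid_log(text):
    """Return an ordered {session_id: summary} built from the log text."""
    sessions = OrderedDict()
    entry = None                                  # entry that continuation lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            if entry is not None:
                entry["detail"].append(line)      # e.g. "SCANDATA 22871" or "Identity: ..."
            continue
        ts, sid, req_no, code, msg = m.groups()
        session = sessions.setdefault(sid, _new_session())
        entry = {"ts": ts, "req": req_no, "code": code, "msg": msg, "detail": []}
        session["entries"].append(entry)
        if code == EARLY_CLOSE:
            session["early_close"] = True
    for session in sessions.values():
        for e in session["entries"]:
            if e["msg"] == "Client request" and e["detail"]:
                req = e["detail"][0]
                session["requests"].append(req)
                parts = req.split()
                if parts[0] == "SCANDATA" and len(parts) > 1 and parts[1].isdigit():
                    session["scandata_bytes"].append(int(parts[1]))
                elif parts[0] == "BYE":
                    session["bye"] = True
            elif e["msg"] == "Threat found":
                for d in e["detail"]:
                    t = THREAT_RE.search(d)
                    if t:
                        session["threats"].append((t.group(1), t.group(2)))
    return sessions


def scandata_sessions_without_threat(sessions):
    """Session ids that submitted SCANDATA but logged no 'Threat found'.
    In the excerpts above an encrypted submission leaves no result entry at all,
    so a 0212 status is not visible here, only in the protocol reply."""
    return [sid for sid, s in sessions.items()
            if s["scandata_bytes"] and not s["threats"]]


if __name__ == "__main__":
    sessions = parse_savdid_log(SAMPLE_LOG)
    for sid, s in sessions.items():
        print(sid, s["requests"], s["threats"], "early_close" if s["early_close"] else "")
    print("no threat logged:", scandata_sessions_without_threat(sessions))
```

Feed it the real savdid log instead of SAMPLE_LOG to list every session that sent data without a 'Threat found' entry; those are the ones to compare against the mail filter's own verdict.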
Hello Matthias,
I'm not sure what SAVDI expects in SCANDATA, but I think it basically works like the on-access scanner scanning a file. In particular, AFAIK it doesn't go to any lengths to dissect and decode (complex) containers. An encrypted .zip isn't significantly larger than an unencrypted one, but the SCANDATA request shows a size of 22871.
I have now installed Amavis on my Mailserver, and Postfix also sends the attachments to this Daemon, and there I get more Output from the Log of Sophos, like this with an encrypted ZIP File for example:
amavis[17668]: (17668-11) (!)do_unzip: p003, unsupported compression method: 99
amavis[17668]: (17668-11) (!)run_av (Sophos-SSSP) FAILED - unexpected , output="FAIL 0212 /var/lib/amavis/tmp/amavis-20171126T234709-17668-DpgG67vk/parts/p007\r\nFAIL 0212 /var/lib/amavis/tmp/amavis-20171126T234709-17668-DpgG67vk/parts/p003\r\nDONE FAIL 0212 File was encrypted\r\n"
amavis[17668]: (17668-11) (!)Sophos-SSSP av-scanner FAILED: CODE(0x339f658) unexpected , output="FAIL 0212 /var/lib/amavis/tmp/amavis-20171126T234709-17668-DpgG67vk/parts/p007\r\nFAIL 0212 /var/lib/amavis/tmp/amavis-20171126T234709-17668-DpgG67vk/parts/p003\r\nDONE FAIL 0212 File was encrypted\r\n" at (eval 96) line 905.
I then configured Amavis so that it rejects the encrypted Files, and it also sends out an E-Mail to the Sender that this Content is blocked.
I think it could be that the Protocol between Rspamd and SAVDI doesn't support encrypted Files, or the Protocol is very basic and it can only detect viruses.
My Setup is now that Postfix will receive the message and send it to Rspamd to see if the Mail is SPAM or contains a Virus, and reject it. If Rspamd doesn't detect that it is an encrypted File, or maybe the Virus isn't detected, then it will be forwarded to Amavis to check again if the File is maybe encrypted, and the File will be checked again with Sophos.
This is maybe only a workaround, but it is enough for me, because it is only a private mailserver and it has no business use.
Thanks for your help Christian.
Regards
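As an added example of the exchange discussed in this thread (it is not code from SAVDI, Rspamd, Amavis or either poster), the following Python client sends the requests seen in the savdid log (SSSP/1.0, SCANDATA with the payload, BYE) and classifies the reply using the status the Amavis output shows for an encrypted file (FAIL 0212 <file> followed by DONE FAIL 0212 File was encrypted). Because SAVDI is not available offline, it talks to an in-process mock scanner; the greeting, the ACC acknowledgements, the VIRUS / DONE OK wordings of that mock and the path /attachment are assumptions modelled on the protocol, not captured from SAVDI. It also shows a ZIP 'encrypted' flag check that a mail filter can apply before any scanner; the sample ZIP headers and the EICAR string are constructed test data.

```python
# Added example, not code from SAVDI, Rspamd or Amavis.  The request lines (SSSP/1.0, SCANDATA <n>
# + data, BYE) and the encrypted-file reply (FAIL 0212 <file>, DONE FAIL 0212 File was encrypted)
# are as seen in the thread; the greeting, ACC acknowledgements and VIRUS/DONE OK wordings are assumed.
import socket
import struct
import threading
from collections import namedtuple

ENCRYPTED = "0212"   # status SAVDI returned for "File was encrypted" (Amavis log above)
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ScanResult = namedtuple("ScanResult", "verdict status threats")   # verdict: clean/virus/encrypted/error


def parse_sssp_reply(lines):
    """Classify the reply to one SCANDATA request by line prefixes only."""
    threats = [l.split()[1] for l in lines if l.startswith("VIRUS ") and len(l.split()) > 1]
    done = next((l.split() for l in lines if l.startswith("DONE")), None)
    if done is None or len(done) < 3:
        return ScanResult("error", "", threats)   # scanner hung up before DONE
    if threats:
        verdict = "virus"
    elif done[2] == ENCRYPTED:
        verdict = "encrypted"   # the 0212 case that never shows in savdid's own log
    elif done[1] == "OK":
        verdict = "clean"
    else:
        verdict = "error"
    return ScanResult(verdict, done[2], threats)


def sssp_scan(sock, data):
    """One SSSP scan: handshake, SCANDATA, collect the reply up to DONE, then BYE."""
    rf = sock.makefile("rb")
    rf.readline()                                   # server greeting (assumed "OK SSSP/1.0")
    sock.sendall(b"SSSP/1.0\n")
    rf.readline()                                   # "ACC ..." acknowledgement (assumed)
    sock.sendall(b"SCANDATA %d\n" % len(data) + data)
    lines = []
    for raw in iter(rf.readline, b""):
        line = raw.decode("utf-8", "replace").strip()
        if line.startswith("ACC"):
            continue
        lines.append(line)
        if line.startswith("DONE"):
            break
    sock.sendall(b"BYE\n")                          # end the session cleanly, not "early"
    rf.readline()
    return parse_sssp_reply(lines)


def zip_is_encrypted(data):
    """True if any ZIP local file header has the 'encrypted' general-purpose bit set;
    ZipCrypto and AES (method 99, the one Amavis reported) both set it."""
    pos = data.find(b"PK\x03\x04")
    while pos != -1 and pos + 8 <= len(data):
        if struct.unpack_from("<H", data, pos + 6)[0] & 0x0001:
            return True
        pos = data.find(b"PK\x03\x04", pos + 4)
    return False


def mock_savdi(conn):
    """In-process stand-in for SAVDI with toy verdict logic, so the exchange runs offline."""
    rf = conn.makefile("rb")
    try:
        conn.sendall(b"OK SSSP/1.0\r\n")
        while True:
            cmd = rf.readline().decode("utf-8", "replace").split()
            if not cmd or cmd[0] == "BYE":
                conn.sendall(b"BYE\r\n")
                break
            if cmd[0] == "SSSP/1.0":
                conn.sendall(b"ACC 1\r\n")
            elif cmd[0] == "SCANDATA":
                data = rf.read(int(cmd[1]))
                conn.sendall(b"ACC 2\r\n")
                if EICAR in data:
                    conn.sendall(b"VIRUS EICAR-AV-Test /attachment\r\nDONE OK 0203 Virus found during virus scan\r\n")
                elif zip_is_encrypted(data):
                    conn.sendall(b"FAIL 0212 /attachment\r\nDONE FAIL 0212 File was encrypted\r\n")
                else:
                    conn.sendall(b"DONE OK 0000 The function call succeeded\r\n")
    except OSError:
        pass
    finally:
        conn.close()


def make_zip_entry(name, flags, method, payload):
    # Constructed test data: one ZIP local file header plus payload, not a complete archive.
    return struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method,
                       0, 0, 0, len(payload), len(payload), len(name), 0) + name + payload


ENCRYPTED_ZIP = make_zip_entry(b"secret.xlsx", 0x0001, 99, b"\x00" * 32)   # AES, encrypted bit set
PLAIN_ZIP = make_zip_entry(b"hello.txt", 0x0000, 0, b"hello")


def scan_with_mock(payload):
    client, server = socket.socketpair()
    threading.Thread(target=mock_savdi, args=(server,), daemon=True).start()
    with client:
        return sssp_scan(client, payload)


if __name__ == "__main__":
    for label, payload in (("eicar", EICAR), ("encrypted zip", ENCRYPTED_ZIP), ("plain zip", PLAIN_ZIP)):
        print(label, scan_with_mock(payload))
```

Run it directly to see the three verdicts; with a real SAVDI reachable over a TCP or Unix socket, replace the socketpair in scan_with_mock with a connected socket and keep sssp_scan unchanged. The point for this thread is that "encrypted" is a distinct outcome carried in the DONE line, so a client that only reacts to VIRUS lines will let an unscannable file through unless it also checks the status code.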