Block encrypted Files via AVL Basic / SAVDI

Hello Matthias Mandlmeier,

I'm not familiar with SAVDI (but then there aren't many responses to SAVDI queries in this forum).
block encrypted files with the SSSP
With SSSP the file isn't returned to the client like with ICAP and even an infected file isn't blocked - or is it? Doesn't it return an error (0x0212) when it encounters an encrypted file?

Christian

Hello Christian,

thanks for your reply.

Can you tell me where I can see if it will return an error like (0x0212)? When I look in the Log File of SAVDI, then I can see only this lines which is, when Rspamd forwards an request to SAVDI. 

171123:135934 [5A161899] 00038402 New session

171123:135934 [5A161899] C000460B Client terminated connection early

171123:135934 [5A161899] 00038403 Session ended

171123:135934 [5A161899] 00038401 Connection ended

    To: 0.0.0.0:4010 From 0.0.0.0:4010

I tested it with the EICAR Test Virus and only the signature is detected when it will be written directly as text in an E-Mail. If it is in an .zip File for example with and without an Password then it isn't detected and the mail will be delivered.

I added also this Lines to the savdid.conf for test in the Channel for SSSP:

savigrp: GrpSuper 1

         savigrp: GrpArchiveUnpack 1

         savigrp: GrpSelfExtract 1

         savigrp: GrpExecutable 1

         savigrp: GrpInternet 1

         savigrp: GrpMSOffice 1

         savigrp: GrpMisc 1

         savigrp: GrpDisinfect 1

         savigrp: GrpClean 1

         savigrp: GrpWebArchive 1

         savigrp: GrpWebEncoding 1

but it looks like that this doesn't work.

I tested it also with an encrypted .zip File which contains an password protected Excel File but it was also not detected.

Maybe you have another proposal how to get his work.

Thank you.

Hello Matthias Mandlmeier,

as said, I'm afraid I don't have any experience with either so I can't say what could be wrong..

The part of the log you showed contains just a single session, and as far as I can see no client requests - perhaps add logrequests: YES in the scanprotocol configuration. Client terminated connection early doesn't seem right - do you get it for all requests?
If logrequests doesn't give an insight I'd suggest Wireshark to monitor the sessions - while there is no dissector for SSSP Line-based text data should do.

Christian

Hello Christian,

I have now set logrequests: YES and now I get this in the Log with an encrypted .zip File 

171124:142930 [5A181A5D] 00038402 New session

171124:142930 [5A181A5D/1] 00030406 Client request

    SSSP/1.0

171124:142930 [5A181A5D/2] 00030406 Client request

    SCANDATA 22871

171124:142930 [5A181A5D] C000460B Client terminated connection early

171124:142930 [5A181A5D] 00038403 Session ended

171124:142930 [5A181A5D] 00038401 Connection ended

    To: /var/run/savdid.sock From User (110, 116), process 21223

This looks like that Rspamd communicates correctly with SAVDI.

When I test with an EICAR Test Virus then it shows me this in the Logs

171124:142219 [5A181A59] 00038402 New session

171124:142219 [5A181A59/1] 00030406 Client request

    SSSP/1.0

171124:142219 [5A181A59/2] 00030406 Client request

    SCANDATA 2182

171124:142219 [5A181A59/2] 00030405 Threat found

    Identity: 'EICAR-AV-Test' "/eicar.com"

171124:142219 [5A181A59] C000460B Client terminated connection early

171124:142219 [5A181A59] 00038403 Session ended

171124:142219 [5A181A59] 00038401 Connection ended

In the Postfix Logs I see this Line 5.7.1 sophos: virus found: \"EICAR-AV-Test\ and the Mail gets rejected.

The Line with Client terminated connection early I get at every request but I have found also one request which looks correct for me:

171124:142126 [5A181A57] 00038400 New connection

    To: /var/run/savdid.sock From User (110, 116), process 21223

171124:142126 [5A181A57] 00038402 New session

171124:142126 [5A181A57/1] 00030406 Client request

    SSSP/1.0

171124:142126 [5A181A57/2] 00030406 Client request

    SCANDATA 2107

171124:142126 [5A181A57/2] 00030405 Threat found

    Identity: 'EICAR-AV-Test' "/eicar.zip/eicar.com"

171124:142127 [5A181A57/3] 00030406 Client request

    BYE

Thanks

Matthias

Hello Matthias,

I'm not sure what SAVDI expects in SCANDATA but I think it basically works like the on-access scanner scanning a file. In particular AFAIK it doesn't go any lengths do dissect and decode (complex) containers. An encrypted .zip isn't significantly larger than an unencrypted one but the SCANDATA request shows a size of 22871.

Christian

Hello Christian,

I have now installed Amavis on my Mailserver and Postfix also send the attachments to this Deamon and there I got more Output from the Log of Sophos likes this with an encrypted ZIP File for example.

amavis[17668]: (17668-11) (!)do_unzip: p003, unsupported compression method: 99

 amavis[17668]: (17668-11) (!)run_av (Sophos-SSSP) FAILED - unexpected , output="FAIL 0212 /var/lib/amavis/tmp/amavis-20171126T234709-17668-DpgG67vk/parts/p007\r\nFAIL 0212 /var/lib/amavis/tmp/amavis-20171126T234709-17668-DpgG67vk/parts/p003\r\nDONE FAIL 0212 File was encrypted\r\n"

 amavis[17668]: (17668-11) (!)Sophos-SSSP av-scanner FAILED: CODE(0x339f658) unexpected , output="FAIL 0212 /var/lib/amavis/tmp/amavis-20171126T234709-17668-DpgG67vk/parts/p007\r\nFAIL 0212 /var/lib/amavis/tmp/amavis-20171126T234709-17668-DpgG67vk/parts/p003\r\nDONE FAIL 0212 File was encrypted\r\n" at (eval 96) line 905.

I configured then Amavis, that it should reject the encrypted Files and it also send out an E-Mail to the Sender that this Content is blocked.

I think it could be that the Protocol between Rspamd and SAVDI doesn't support encrypted Files or the Protocol is very basic and it can detect only viruses. 

My Setup is now that Postfix will receive the message and sent it to Rspamd to and see if the Mail is SPAM or it contains an Virus and rejects it. If Rspamd doesn't detect it is an encrypted File or maybe the Virus isn't detect then it will be forwarded to Amavis to check it again if the File is maybe encrypted and the File will be checked again with Sophos.

This is maybe only an workaround but it is enough for me, because it is only an private mailserver and it has no business use.

Thanks for your help Christian.

Regards

Matthias

Hello Christian,

I have now installed Amavis on my Mailserver and Postfix also send the attachments to this Deamon and there I got more Output from the Log of Sophos likes this with an encrypted ZIP File for example.

amavis[17668]: (17668-11) (!)do_unzip: p003, unsupported compression method: 99

 amavis[17668]: (17668-11) (!)run_av (Sophos-SSSP) FAILED - unexpected , output="FAIL 0212 /var/lib/amavis/tmp/amavis-20171126T234709-17668-DpgG67vk/parts/p007\r\nFAIL 0212 /var/lib/amavis/tmp/amavis-20171126T234709-17668-DpgG67vk/parts/p003\r\nDONE FAIL 0212 File was encrypted\r\n"

 amavis[17668]: (17668-11) (!)Sophos-SSSP av-scanner FAILED: CODE(0x339f658) unexpected , output="FAIL 0212 /var/lib/amavis/tmp/amavis-20171126T234709-17668-DpgG67vk/parts/p007\r\nFAIL 0212 /var/lib/amavis/tmp/amavis-20171126T234709-17668-DpgG67vk/parts/p003\r\nDONE FAIL 0212 File was encrypted\r\n" at (eval 96) line 905.

I configured then Amavis, that it should reject the encrypted Files and it also send out an E-Mail to the Sender that this Content is blocked.

I think it could be that the Protocol between Rspamd and SAVDI doesn't support encrypted Files or the Protocol is very basic and it can detect only viruses. 

My Setup is now that Postfix will receive the message and sent it to Rspamd to and see if the Mail is SPAM or it contains an Virus and rejects it. If Rspamd doesn't detect it is an encrypted File or maybe the Virus isn't detect then it will be forwarded to Amavis to check it again if the File is maybe encrypted and the File will be checked again with Sophos.

This is maybe only an workaround but it is enough for me, because it is only an private mailserver and it has no business use.

Thanks for your help Christian.

Regards

Matthias