From 0315b0d8d23002040b66a0158cc79c4af26813e4 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Tue, 8 Oct 2019 11:42:56 +0100
Subject: [PATCH] [Feature] Support caching for encrypted files and macros
---
 lualib/lua_scanners/clamav.lua | 1 +
 lualib/lua_scanners/kaspersky_se.lua | 25 ++++++++++++++++++-------
 lualib/lua_scanners/sophos.lua | 8 ++++++--
 3 files changed, 25 insertions(+), 9 deletions(-)
diff --git a/lualib/lua_scanners/clamav.lua b/lualib/lua_scanners/clamav.lua
index 04856e079..f95f96d92 100644
--- a/lualib/lua_scanners/clamav.lua
+++ b/lualib/lua_scanners/clamav.lua
@@ -139,6 +139,7 @@ local function clamav_check(task, content, digest, rule)
 if string.find(vname, '^Heuristics%.Encrypted') then
 rspamd_logger.errx(task, '%s: File is encrypted', rule.log_prefix)
 common.yield_result(task, rule, 'File is encrypted: '.. vname, 0.0, 'encrypted')
+ cached = 'encrypted'
 elseif string.find(vname, '^Heuristics%.Limits%.Exceeded') then
 rspamd_logger.errx(task, '%s: ClamAV Limits Exceeded', rule.log_prefix)
 common.yield_result(task, rule, 'Limits Exceeded: '.. vname, 0.0, 'fail')
diff --git a/lualib/lua_scanners/kaspersky_se.lua b/lualib/lua_scanners/kaspersky_se.lua
index ecbe6236f..39031d862 100644
--- a/lualib/lua_scanners/kaspersky_se.lua
+++ b/lualib/lua_scanners/kaspersky_se.lua
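Review bot: The new `cached = 'encrypted'` sentinel is only meaningful if the cache reader in lua_scanners/common.lua (not part of this patch) recognizes it; as far as these hunks show, the only clean sentinel in use is `OK`, so a later cache hit carrying `encrypted` may be passed to yield_result as if it were a detection name and scored with the rule's default weight instead of the 0.0/'encrypted' outcome the live path produced. The same concern applies to `cached = 'MACRO'` and `cached = 'ENCRYPTED'` in the kaspersky_se.lua hunks and `cached = 'ENCRYPTED'` in sophos.lua. The three scanners also spell the sentinel differently (`encrypted` here, `ENCRYPTED` elsewhere), so whatever the reader does has to match all of them; a shared constant in common.lua would keep them aligned. The declaration of `cached` and the save_cache call in clamav_check lie outside this hunk, so I could not confirm the value is actually persisted.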
@@ -207,14 +207,24 @@ local function kaspersky_se_check(task, content, digest, rule)
 local cached
 lua_util.debugm(rule.name, task, '%s: got reply data: "%s"',
 rule.log_prefix, data)
- if data == 'CLEAN' then
- cached = 'OK'
- if rule['log_clean'] then
- rspamd_logger.infox(task, '%s: message or mime_part is clean',
- rule.log_prefix)
+
+ if data:find('^CLEAN') then
+ -- Handle CLEAN replies
+ if data == 'CLEAN' then
+ cached = 'OK'
+ if rule['log_clean'] then
+ rspamd_logger.infox(task, '%s: message or mime_part is clean',
+ rule.log_prefix)
+ else
+ lua_util.debugm(rule.name, task, '%s: message or mime_part is clean',
+ rule.log_prefix)
+ end
+ elseif data == 'CLEAN AND CONTAINS OFFICE MACRO' then
+ common.yield_result(task, rule, 'File contains macros', 0.0, 'encrypted')
+ cached = 'MACRO'
 else
- lua_util.debugm(rule.name, task, '%s: message or mime_part is clean',
- rule.log_prefix)
+ rspamd_logger.errx(task, '%s: unhandled clean response: %s', rule.log_prefix, data)
+ common.yield_result(task, rule, 'unhandled response:' .. data, 0.0, 'fail')
 end
 elseif data == 'SERVER_ERROR' then
 rspamd_logger.errx(task, '%s: error: %s', rule.log_prefix, data)
@@ -231,6 +241,7 @@ local function kaspersky_se_check(task, content, digest, rule)
 rspamd_logger.errx(task, '%s: File is encrypted', rule.log_prefix)
 common.yield_result(task, rule, 'File is encrypted: '.. why,
 0.0, 'encrypted')
+ cached = 'ENCRYPTED'
 else
 common.yield_result(task, rule, 'unhandled response:' .. data, 0.0, 'fail')
 end
diff --git a/lualib/lua_scanners/sophos.lua b/lualib/lua_scanners/sophos.lua
index e646daaea..ee0407f9b 100644
--- a/lualib/lua_scanners/sophos.lua
+++ b/lualib/lua_scanners/sophos.lua
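Review bot: The `CLEAN AND CONTAINS OFFICE MACRO` branch yields 'File contains macros' with the `encrypted` symbol type, so a document with macros is flagged under whatever symbol the rule maps to `encrypted` although the file is not encrypted, and the cached value `'MACRO'` does not match that type either; if yield_result supports a dedicated type, use it, otherwise state the reuse in place with `-- macros are reported via the 'encrypted' symbol type until a dedicated one exists`. `data:find('^CLEAN')` also accepts any reply that merely starts with CLEAN; the fallthrough to the errx/`unhandled response:` branch covers that, but the message lacks a space after the colon, `'unhandled response: ' .. data`, as sophos.lua spells it. The second hunk's `cached = 'ENCRYPTED'` depends on `why` being set earlier in the function, and kaspersky_se_check begins and ends outside both hunks.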
@@ -123,6 +123,7 @@ local function sophos_check(task, content, digest, rule)
 lua_util.debugm(rule.name, task, '%s [%s]: got reply: %s',
 rule['symbol'], rule['type'], data)
 local vname = string.match(data, 'VIRUS (%S+) ')
+ local cached
 if vname then
 common.yield_result(task, rule, vname)
 common.save_cache(task, digest, rule, vname)
@@ -134,13 +135,14 @@ local function sophos_check(task, content, digest, rule)
 lua_util.debugm(rule.name, task, '%s: message or mime_part is clean',
 rule.log_prefix)
 end
- common.save_cache(task, digest, rule, 'OK')
+ cached = 'OK'
 -- not finished - continue
 elseif string.find(data, 'ACC') or string.find(data, 'OK SSSP') then
 conn:add_read(sophos_callback)
 elseif string.find(data, 'FAIL 0212') then
 rspamd_logger.warnx(task, 'Message is encrypted (FAIL 0212): %s', data)
 common.yield_result(task, rule, 'SAVDI: Message is encrypted (FAIL 0212)', 0.0, 'fail')
+ cached = 'ENCRYPTED'
 elseif string.find(data, 'REJ 4') then
 rspamd_logger.warnx(task, 'Message is oversized (REJ 4): %s', data)
 common.yield_result(task, rule, 'SAVDI: Message oversized (REJ 4)', 0.0, 'fail')
@@ -152,7 +154,9 @@ local function sophos_check(task, content, digest, rule)
 rspamd_logger.errx(task, 'unhandled response: %s', data)
 common.yield_result(task, rule, 'unhandled response: ' .. data, 0.0, 'fail')
 end
-
+ if cached then
+ common.save_cache(task, digest, rule, cached)
+ end
 end
 end
 end
-- 
2.39.5
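Review bot: In the `FAIL 0212` branch the live result is yielded with type `fail`, yet the value written to the cache is now `'ENCRYPTED'`, so a cache hit cannot reproduce what the scanner reported the first time around; either yield it as `'encrypted'` like clamav.lua and kaspersky_se.lua do, or cache the same outcome the live path produced. `REJ 4` and the other failure branches stay uncached, which is sensible since they can be transient, but that asymmetry is not stated anywhere; a one-line comment such as `-- only clean and encrypted outcomes are cached; transient errors are rescanned` would make the intent clear to the next reader. The enclosing callback starts before this hunk.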
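Review bot: With the deferred `if cached then common.save_cache(...) end` in place, the `vname` branch in the first hunk is the only outcome that still calls `common.save_cache` directly, leaving two save paths in the same callback; setting `cached = vname` there and dropping that direct call would route every result through this block. The `ACC`/`OK SSSP` branch leaves `cached` nil and re-arms the read, so nothing is persisted mid-conversation, which is correct but worth a short comment on the `conn:add_read(sophos_callback)` line. The callback continues outside this hunk.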