From 19598026fd121cc6b9aa2bd4eda14b5ebf616866 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Tue, 8 Oct 2019 11:42:44 +0100
Subject: [PATCH] [Feature] Improve AV results caching

---
 lualib/lua_scanners/common.lua | 18 +++++++++++++++---
 src/plugins/lua/antivirus.lua | 10 ++++++++++
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/lualib/lua_scanners/common.lua b/lualib/lua_scanners/common.lua
index 103fce142..d46dadab5 100644
--- a/lualib/lua_scanners/common.lua
+++ b/lualib/lua_scanners/common.lua
@@ -84,6 +84,11 @@ local function yield_result(task, rule, vname, dyn_weight, is_fail)
 symbol = rule.symbol_encrypted
 threat_info = "Scan has returned that input was encrypted"
 dyn_weight = 1.0
+ elseif is_fail == 'macro' then
+ patterns = rule.patterns
+ symbol = rule.symbol_macro
+ threat_info = "Scan has returned that input contains macros"
+ dyn_weight = 1.0
 end

 if type(vname) == 'string' then
@@ -198,9 +203,16 @@ local function need_check(task, content, rule, digest, fn)
 local threat_string = lua_util.str_split(data[1], '\v')
 local score = data[2] or rule.default_score
 if threat_string[1] ~= 'OK' then
- lua_util.debugm(rule.name, task, '%s: got cached threat result for %s: %s - score: %s',
- rule.log_prefix, key, threat_string[1], score)
- yield_result(task, rule, threat_string, score)
+ if threat_string[1] == 'MACRO' then
+ yield_result(task, rule, 'File contains macros', 0.0, 'macro')
+ elseif threat_string[1] == 'ENCRYPTED' then
+ yield_result(task, rule, 'File is encrypted', 0.0, 'encrypted')
+ else
+ lua_util.debugm(rule.name, task, '%s: got cached threat result for %s: %s - score: %s',
+ rule.log_prefix, key, threat_string[1], score)
+ yield_result(task, rule, threat_string, score)
+ end
+
 else
 lua_util.debugm(rule.name, task, '%s: got cached negative result for %s: %s',
 rule.log_prefix, key, threat_string[1])
diff --git a/src/plugins/lua/antivirus.lua b/src/plugins/lua/antivirus.lua
index dbc235eeb..8d84887d0 100644
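Review bot: The new `elseif is_fail == 'macro'` branch assigns `symbol = rule.symbol_macro`, but the only place this commit defaults that field is add_antivirus_rule in antivirus.lua (hunk at line 91), so a rule table that reaches this shared helper by any other route would presumably end up yielding with a nil symbol. A fallback in this branch, `symbol = rule.symbol_macro or (rule.symbol .. '_MACRO')`, would keep the helper self-sufficient; the same dependency exists in the registration hunk at line 183, which reads `m['symbol_macro']` unconditionally. The branch also overwrites the caller's `dyn_weight` with 1.0, as the encrypted branch above it does; a comment such as `-- caller's weight is ignored: macro/encrypted hits always carry the full symbol weight` would make that deliberate rather than accidental. yield_result's body starts and ends outside the hunk.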
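Review bot: The new `MACRO` and `ENCRYPTED` branches drop the debug line that the generic branch keeps, so cache hits for those two outcomes leave no trace in the scanner's debug log, which is exactly where one looks when a message keeps receiving the macro or encrypted symbol from a stale cache entry. Hoisting `lua_util.debugm(rule.name, task, '%s: got cached threat result for %s: %s - score: %s', rule.log_prefix, key, threat_string[1], score)` above the inner `if` logs all three branches once and lets the inner branches contain only the yield calls. On those two branches the cached `score` is ignored (a literal 0.0 is passed and yield_result then forces 1.0), which is fine if intended but deserves a one-line comment, and the stray added blank line before `else` should be removed. I cannot see the path that stores the literal `MACRO` or `ENCRYPTED` marker in the cache, so if the scanners still cache the raw threat name these branches would never match. need_check's body starts and ends outside the hunk.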
--- a/src/plugins/lua/antivirus.lua
+++ b/src/plugins/lua/antivirus.lua
@@ -91,6 +91,9 @@ local function add_antivirus_rule(sym, opts)
 if not opts.symbol_encrypted then
 opts.symbol_encrypted = opts.symbol .. '_ENCRYPTED'
 end
+ if not opts.symbol_macro then
+ opts.symbol_macro = opts.symbol .. '_MACRO'
+ end

 -- WORKAROUND for deprecated attachments_only
 if opts.attachments_only ~= nil then
@@ -180,6 +183,13 @@ if opts and type(opts) == 'table' then
 score = 0.0,
 group = N
 })
+ rspamd_config:register_symbol({
+ type = 'virtual',
+ name = m['symbol_macro'],
+ parent = id,
+ score = 0.0,
+ group = N
+ })
 has_valid = true
 if type(m['patterns']) == 'table' then
 if m['patterns'][1] then
-- 
2.39.5
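Review bot: The added `rspamd_config:register_symbol({...})` block looks like a verbatim copy of the registration whose tail (`score = 0.0`, `group = N`, `})`) forms the hunk's leading context, presumably the `symbol_encrypted` one, so the two could be collapsed into a loop over `{'symbol_encrypted', 'symbol_macro'}` that registers `m[name]`, which stops every new per-scanner virtual symbol from growing this block by seven lines. `m['symbol_macro']` is used here without a nil check, so it relies on add_antivirus_rule (hunk at line 91) having defaulted the field for every entry being iterated; a comment such as `-- symbol_macro is always populated by add_antivirus_rule` would record that assumption where it is consumed. Registering the macro symbol with `score = 0.0` means it carries no weight until the operator scores it in configuration, and the plugin documentation should describe the new `symbol_macro` option and its default `_MACRO` suffix so that operators know to score or alert on it. The enclosing loop and `if` start and end outside the hunk.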