From d41e039af356b68e5914528a4bc78b6be3d9b21c Mon Sep 17 00:00:00 2001 From: Carsten Rosenberg Date: Tue, 2 Nov 2021 20:09:19 +0100 Subject: [PATCH] [Minor] lua_scanners - icap - update comments --- lualib/lua_scanners/icap.lua | 91 ++++++++++++++++++++++-------------- 1 file changed, 56 insertions(+), 35 deletions(-) diff --git a/lualib/lua_scanners/icap.lua b/lualib/lua_scanners/icap.lua index 4f475eaaa..899855059 100644 --- a/lualib/lua_scanners/icap.lua +++ b/lualib/lua_scanners/icap.lua @@ -19,13 +19,14 @@ limitations under the License. @module icap This module contains icap access functions. Currently tested with - - Symantec (Rspam <3.2) - - Sophos Savdi - - ClamAV/c-icap - - Kaspersky Web Traffic Security - - Trend Micro IWSVA + - C-ICAP Squidclamav / echo - F-Secure Internet Gatekeeper + - Kaspersky Web Traffic Security - McAfee Web Gateway + - Sophos Savdi + - Symantec (Rspamd <3.2, >=3.2 untested) + - Trend Micro IWSVA + - Trend Micro Web Gateway @TODO - Preview / Continue @@ -50,19 +51,26 @@ F-Secure Internet Gatekeeper example: Kaspersky Web Traffic Security example: scheme = "av/respmod"; + x_client_header = true; McAfee Web Gateway 11 (Headers must be activated with personal extra Rules) scheme = "respmod"; x_client_header = true; Sophos SAVDI example: - scheme as configured in savdi.conf + # scheme as configured in savdi.conf (name option in service section) + scheme = "respmod"; Symantec example: scheme = "avscan"; -Trend Micro IWSVA example: +Trend Micro IWSVA example (X-Virus-ID/X-Infection-Found headers must be activated): scheme = "avscan"; + x_client_header = true; + +Trend Micro Web Gateway example (X-Virus-ID/X-Infection-Found headers must be activated): + scheme = "interscan"; + x_client_header = true; ]] -- @@ -328,48 +336,55 @@ local function icap_check(task, content, digest, rule, maybe_part) @ToDo: handle type in response Generic Strings: - X-Infection-Found: Type=0; Resolution=2; Threat=Troj/DocDl-OYC; - X-Infection-Found: Type=0; Resolution=2; Threat=W97M.Downloader; + icap: X-Infection-Found: Type=0; Resolution=2; Threat=Troj/DocDl-OYC; + icap: X-Infection-Found: Type=0; Resolution=2; Threat=W97M.Downloader; Symantec String: - X-Infection-Found: Type=2; Resolution=2; Threat=Container size violation - X-Infection-Found: Type=2; Resolution=2; Threat=Encrypted container violation; + icap: X-Infection-Found: Type=2; Resolution=2; Threat=Container size violation + icap: X-Infection-Found: Type=2; Resolution=2; Threat=Encrypted container violation; Sophos Strings: - X-Virus-ID: Troj/DocDl-OYC + icap: X-Virus-ID: Troj/DocDl-OYC + http: X-Blocked: Virus found during virus scan + http: X-Blocked-By: Sophos Anti-Virus Kaspersky Web Traffic Security Strings: - X-Virus-ID: HEUR:Backdoor.Java.QRat.gen - X-Response-Info: blocked - X-Virus-ID: no threats - X-Response-Info: blocked - X-Response-Info: passed - - Trend Micro IWSVA Strings: - X-Virus-ID: Trojan.W97M.POWLOAD.SMTHF1 - X-Infection-Found: Type=0; Resolution=2; Threat=Trojan.W97M.POWLOAD.SMTHF1; + icap: X-Virus-ID: HEUR:Backdoor.Java.QRat.gen + icap: X-Response-Info: blocked + icap: X-Virus-ID: no threats + icap: X-Response-Info: blocked + icap: X-Response-Info: passed + http: HTTP/1.1 403 Forbidden + + Trend Micro Strings: + icap: X-Virus-ID: Trojan.W97M.POWLOAD.SMTHF1 + icap: X-Infection-Found: Type=0; Resolution=2; Threat=Trojan.W97M.POWLOAD.SMTHF1; + http: HTTP/1.1 403 Forbidden (TMWS Blocked) + http: HTTP/1.1 403 Forbidden F-Secure Internet Gatekeeper Strings: - X-FSecure-Scan-Result: infected - X-FSecure-Infection-Name: "Malware.W97M/Agent.32584203" - X-FSecure-Infected-Filename: "virus.doc" + icap: X-FSecure-Scan-Result: infected + icap: X-FSecure-Infection-Name: "Malware.W97M/Agent.32584203" + icap: X-FSecure-Infected-Filename: "virus.doc" ESET File Security for Linux 7.0 - X-Infection-Found: Type=0; Resolution=0; Threat=VBA/TrojanDownloader.Agent.JOA; - X-Virus-ID: Trojaner - X-Response-Info: Blocked + icap: X-Infection-Found: Type=0; Resolution=0; Threat=VBA/TrojanDownloader.Agent.JOA; + icap: X-Virus-ID: Trojaner + icap: X-Response-Info: Blocked McAfee Web Gateway 11 (Headers must be activated with personal extra Rules) - X-Virus-ID: EICAR test file - X-Media-Type: text/plain - X-Block-Result: 80 - X-Block-Reason: Malware found - X-Block-Reason: Archive not supported - X-Block-Reason: Media Type (Block List) + icap: X-Virus-ID: EICAR test file + icap: X-Media-Type: text/plain + icap: X-Block-Result: 80 + icap: X-Block-Reason: Malware found + icap: X-Block-Reason: Archive not supported + icap: X-Block-Reason: Media Type (Block List) + http: HTTP/1.0 403 VirusFound C-ICAP Squidclamav - X-Infection-Found: Type=0; Resolution=2; Threat={HEX}EICAR.TEST.3.UNOFFICIAL; - X-Virus-ID: {HEX}EICAR.TEST.3.UNOFFICIAL + icap/http: X-Infection-Found: Type=0; Resolution=2; Threat={HEX}EICAR.TEST.3.UNOFFICIAL; + icap/http: X-Virus-ID: {HEX}EICAR.TEST.3.UNOFFICIAL + http: HTTP/1.0 307 Temporary Redirect ]] -- -- Generic ICAP Headers @@ -504,6 +519,12 @@ local function icap_check(task, content, digest, rule, maybe_part) ICAP/1.0 539 Aborted - No AV scanning license SquidClamAV/C-ICAP: ICAP/1.0 500 Server error + Eset: + ICAP/1.0 405 Forbidden + TrendMicro: + ICAP/1.0 400 Bad request + McAfee: + ICAP/1.0 418 Bad composition ]]-- rspamd_logger.errx(task, '%s: ICAP ERROR: %s', rule.log_prefix, icap_headers.icap) common.yield_result(task, rule, icap_headers.icap, 0.0, -- 2.39.5