Carsten Rosenberg
2 years ago
1 changed files with 56 additions and 35 deletions
+ 56
- 35
lualib/lua_scanners/icap.lua
View File
| @@ -19,13 +19,14 @@ limitations under the License. | |||
| @module icap | |||
| This module contains icap access functions. | |||
| Currently tested with | |||
| - Symantec (Rspam <3.2) | |||
| - Sophos Savdi | |||
| - ClamAV/c-icap | |||
| - Kaspersky Web Traffic Security | |||
| - Trend Micro IWSVA | |||
| - C-ICAP Squidclamav / echo | |||
| - F-Secure Internet Gatekeeper | |||
| - Kaspersky Web Traffic Security | |||
| - McAfee Web Gateway | |||
| - Sophos Savdi | |||
| - Symantec (Rspamd <3.2, >=3.2 untested) | |||
| - Trend Micro IWSVA | |||
| - Trend Micro Web Gateway | |||
| @TODO | |||
| - Preview / Continue | |||
| @@ -50,19 +51,26 @@ F-Secure Internet Gatekeeper example: | |||
| Kaspersky Web Traffic Security example: | |||
| scheme = "av/respmod"; | |||
| x_client_header = true; | |||
| McAfee Web Gateway 11 (Headers must be activated with personal extra Rules) | |||
| scheme = "respmod"; | |||
| x_client_header = true; | |||
| Sophos SAVDI example: | |||
| scheme as configured in savdi.conf | |||
| # scheme as configured in savdi.conf (name option in service section) | |||
| scheme = "respmod"; | |||
| Symantec example: | |||
| scheme = "avscan"; | |||
| Trend Micro IWSVA example: | |||
| Trend Micro IWSVA example (X-Virus-ID/X-Infection-Found headers must be activated): | |||
| scheme = "avscan"; | |||
| x_client_header = true; | |||
| Trend Micro Web Gateway example (X-Virus-ID/X-Infection-Found headers must be activated): | |||
| scheme = "interscan"; | |||
| x_client_header = true; | |||
| ]] -- | |||
| @@ -328,48 +336,55 @@ local function icap_check(task, content, digest, rule, maybe_part) | |||
| @ToDo: handle type in response | |||
| Generic Strings: | |||
| X-Infection-Found: Type=0; Resolution=2; Threat=Troj/DocDl-OYC; | |||
| X-Infection-Found: Type=0; Resolution=2; Threat=W97M.Downloader; | |||
| icap: X-Infection-Found: Type=0; Resolution=2; Threat=Troj/DocDl-OYC; | |||
| icap: X-Infection-Found: Type=0; Resolution=2; Threat=W97M.Downloader; | |||
| Symantec String: | |||
| X-Infection-Found: Type=2; Resolution=2; Threat=Container size violation | |||
| X-Infection-Found: Type=2; Resolution=2; Threat=Encrypted container violation; | |||
| icap: X-Infection-Found: Type=2; Resolution=2; Threat=Container size violation | |||
| icap: X-Infection-Found: Type=2; Resolution=2; Threat=Encrypted container violation; | |||
| Sophos Strings: | |||
| X-Virus-ID: Troj/DocDl-OYC | |||
| icap: X-Virus-ID: Troj/DocDl-OYC | |||
| http: X-Blocked: Virus found during virus scan | |||
| http: X-Blocked-By: Sophos Anti-Virus | |||
| Kaspersky Web Traffic Security Strings: | |||
| X-Virus-ID: HEUR:Backdoor.Java.QRat.gen | |||
| X-Response-Info: blocked | |||
| X-Virus-ID: no threats | |||
| X-Response-Info: blocked | |||
| X-Response-Info: passed | |||
| Trend Micro IWSVA Strings: | |||
| X-Virus-ID: Trojan.W97M.POWLOAD.SMTHF1 | |||
| X-Infection-Found: Type=0; Resolution=2; Threat=Trojan.W97M.POWLOAD.SMTHF1; | |||
| icap: X-Virus-ID: HEUR:Backdoor.Java.QRat.gen | |||
| icap: X-Response-Info: blocked | |||
| icap: X-Virus-ID: no threats | |||
| icap: X-Response-Info: blocked | |||
| icap: X-Response-Info: passed | |||
| http: HTTP/1.1 403 Forbidden | |||
| Trend Micro Strings: | |||
| icap: X-Virus-ID: Trojan.W97M.POWLOAD.SMTHF1 | |||
| icap: X-Infection-Found: Type=0; Resolution=2; Threat=Trojan.W97M.POWLOAD.SMTHF1; | |||
| http: HTTP/1.1 403 Forbidden (TMWS Blocked) | |||
| http: HTTP/1.1 403 Forbidden | |||
| F-Secure Internet Gatekeeper Strings: | |||
| X-FSecure-Scan-Result: infected | |||
| X-FSecure-Infection-Name: "Malware.W97M/Agent.32584203" | |||
| X-FSecure-Infected-Filename: "virus.doc" | |||
| icap: X-FSecure-Scan-Result: infected | |||
| icap: X-FSecure-Infection-Name: "Malware.W97M/Agent.32584203" | |||
| icap: X-FSecure-Infected-Filename: "virus.doc" | |||
| ESET File Security for Linux 7.0 | |||
| X-Infection-Found: Type=0; Resolution=0; Threat=VBA/TrojanDownloader.Agent.JOA; | |||
| X-Virus-ID: Trojaner | |||
| X-Response-Info: Blocked | |||
| icap: X-Infection-Found: Type=0; Resolution=0; Threat=VBA/TrojanDownloader.Agent.JOA; | |||
| icap: X-Virus-ID: Trojaner | |||
| icap: X-Response-Info: Blocked | |||
| McAfee Web Gateway 11 (Headers must be activated with personal extra Rules) | |||
| X-Virus-ID: EICAR test file | |||
| X-Media-Type: text/plain | |||
| X-Block-Result: 80 | |||
| X-Block-Reason: Malware found | |||
| X-Block-Reason: Archive not supported | |||
| X-Block-Reason: Media Type (Block List) | |||
| icap: X-Virus-ID: EICAR test file | |||
| icap: X-Media-Type: text/plain | |||
| icap: X-Block-Result: 80 | |||
| icap: X-Block-Reason: Malware found | |||
| icap: X-Block-Reason: Archive not supported | |||
| icap: X-Block-Reason: Media Type (Block List) | |||
| http: HTTP/1.0 403 VirusFound | |||
| C-ICAP Squidclamav | |||
| X-Infection-Found: Type=0; Resolution=2; Threat={HEX}EICAR.TEST.3.UNOFFICIAL; | |||
| X-Virus-ID: {HEX}EICAR.TEST.3.UNOFFICIAL | |||
| icap/http: X-Infection-Found: Type=0; Resolution=2; Threat={HEX}EICAR.TEST.3.UNOFFICIAL; | |||
| icap/http: X-Virus-ID: {HEX}EICAR.TEST.3.UNOFFICIAL | |||
| http: HTTP/1.0 307 Temporary Redirect | |||
| ]] -- | |||
| -- Generic ICAP Headers | |||
| @@ -504,6 +519,12 @@ local function icap_check(task, content, digest, rule, maybe_part) | |||
| ICAP/1.0 539 Aborted - No AV scanning license | |||
| SquidClamAV/C-ICAP: | |||
| ICAP/1.0 500 Server error | |||
| Eset: | |||
| ICAP/1.0 405 Forbidden | |||
| TrendMicro: | |||
| ICAP/1.0 400 Bad request | |||
| McAfee: | |||
| ICAP/1.0 418 Bad composition | |||
| ]]-- | |||
| rspamd_logger.errx(task, '%s: ICAP ERROR: %s', rule.log_prefix, icap_headers.icap) | |||
| common.yield_result(task, rule, icap_headers.icap, 0.0, | |||
Loading…