@@ -140,6 +140,10 @@ local function clamav_check(task, content, digest, rule) | |||
rspamd_logger.errx(task, '%s: File is encrypted', rule.log_prefix) | |||
common.yield_result(task, rule, 'File is encrypted: '.. vname, 0.0, 'encrypted') | |||
cached = 'encrypted' | |||
elseif string.find(vname, '^Heuristics%.OLE2%.ContainsMacros') then | |||
rspamd_logger.errx(task, '%s: ClamAV Found an OLE2 Office Macro', rule.log_prefix) | |||
common.yield_result(task, rule, vname, 0.0, 'macro') | |||
elseif vname then | |||
elseif string.find(vname, '^Heuristics%.Limits%.Exceeded') then | |||
rspamd_logger.errx(task, '%s: ClamAV Limits Exceeded', rule.log_prefix) | |||
common.yield_result(task, rule, 'Limits Exceeded: '.. vname, 0.0, 'fail') |
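Review bot: The new macro branch at the `Heuristics.OLE2.ContainsMacros` match yields a 'macro' result but, unlike the encrypted branch just above it (`cached = 'encrypted'`), never sets `cached`, so a macro verdict is presumably not written to the cache and the attachment is rescanned on every pass; if that is unintended, add `cached = 'macro'` after the `common.yield_result(task, rule, vname, 0.0, 'macro')` line. Mapping `Heuristics.Limits.Exceeded` to 'fail' is the right fail-safe, since a file the engine could not fully scan must not be reported clean, and a one-line comment saying so would keep that intent visible. Branch order matters here: the `elseif vname then` line shown between the two new branches has to sit after them on the new side, otherwise the limits check is never reached. clamav_check starts and continues outside the hunk.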
@@ -184,6 +184,11 @@ local function oletools_check(task, content, digest, rule) | |||
end | |||
elseif result[3]['return_code'] == 9 then | |||
rspamd_logger.warnx(task, '%s: File is encrypted.', rule.log_prefix) | |||
common.yield_result(task, rule, 'failed - err: ' .. oletools_rc[result[3]['return_code']], 0.0, 'encrypted') | |||
common.save_cache(task, digest, rule, 'encrypted') | |||
elseif result[3]['return_code'] == 5 then | |||
rspamd_logger.warnx(task, '%s: olefy could not open the file - error: %s', rule.log_prefix, | |||
result[2]['message']) | |||
common.yield_result(task, rule, 'failed - err: ' .. oletools_rc[result[3]['return_code']], 0.0, 'fail') | |||
elseif result[3]['return_code'] > 6 then | |||
rspamd_logger.errx(task, '%s: Error Returned: %s', | |||
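Review bot: Both new yield_result calls concatenate `oletools_rc[result[3]['return_code']]` straight into the message; if `oletools_rc` has no entry for return code 5 (or 9), that is a nil-concatenation error that aborts the check instead of yielding 'fail'. A defensive form is `'failed - err: ' .. (oletools_rc[result[3]['return_code']] or tostring(result[3]['return_code']))` on both lines. The encrypted branch now persists its verdict with `common.save_cache` while the could-not-open branch deliberately does not, which is sensible for a transient failure; a short comment would stop the asymmetry from being "fixed" later. oletools_check continues outside the hunk.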
@@ -196,7 +201,7 @@ local function oletools_check(task, content, digest, rule) | |||
rule.log_prefix, result[2]['message']) | |||
oletools_requery(oletools_rc[result[3]['return_code']]) | |||
elseif type(result[2]['analysis']) == 'table' and #result[2]['analysis'] == 0 | |||
and #result[2]['macros'] == 0 then | |||
and #result[2]['macros'] == 0 then | |||
rspamd_logger.warnx(task, '%s: maybe unhandled python or oletools error', rule.log_prefix) | |||
common.yield_result(task, rule, 'oletools unhandled error', 0.0, 'fail') | |||
elseif type(result[2]['analysis']) ~= 'table' and #result[2]['macros'] == 0 then |
@@ -87,7 +87,6 @@ local function add_antivirus_rule(sym, opts) | |||
if not opts.symbol_fail then | |||
opts.symbol_fail = opts.symbol .. '_FAIL' | |||
end | |||
if not opts.symbol_encrypted then | |||
opts.symbol_encrypted = opts.symbol .. '_ENCRYPTED' | |||
end |
@@ -136,8 +136,14 @@ local function add_scanner_rule(sym, opts) | |||
rule.type = opts.type | |||
if not rule.symbol_fail then | |||
rule.symbol_fail = opts.symbol .. '_FAIL' | |||
if not opts.symbol_fail then | |||
opts.symbol_fail = opts.symbol .. '_FAIL' | |||
end | |||
if not opts.symbol_encrypted then | |||
opts.symbol_encrypted = opts.symbol .. '_ENCRYPTED' | |||
end | |||
if not opts.symbol_macro then | |||
opts.symbol_macro = opts.symbol .. '_MACRO' | |||
end | |||
rule.redis_params = redis_params | |||
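Review bot: The defaults for `symbol_fail`, `symbol_encrypted` and `symbol_macro` are now written to `opts` rather than `rule` (the removed lines set `rule.symbol_fail`), but nothing in the hunk copies them onto `rule`; if `rule` is populated field by field from `opts`, as `rule.type = opts.type` suggests, `rule.symbol_fail` and friends stay nil unless they are assigned after this point outside the hunk. Either keep the assignments on `rule`, or add `rule.symbol_fail, rule.symbol_encrypted, rule.symbol_macro = opts.symbol_fail, opts.symbol_encrypted, opts.symbol_macro` after the defaults. Mutating the caller's `opts` table is also a side effect worth a comment if it is intentional. add_scanner_rule starts and ends outside the hunk.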
@@ -215,12 +221,26 @@ if opts and type(opts) == 'table' then | |||
local id = rspamd_config:register_symbol(t) | |||
rspamd_config:register_symbol({ | |||
type = 'virtual,nostat', | |||
type = 'virtual', | |||
name = m['symbol_fail'], | |||
parent = id, | |||
score = 0.0, | |||
group = N | |||
}) | |||
rspamd_config:register_symbol({ | |||
type = 'virtual', | |||
name = m['symbol_encrypted'], | |||
parent = id, | |||
score = 0.0, | |||
group = N | |||
}) | |||
rspamd_config:register_symbol({ | |||
type = 'virtual', | |||
name = m['symbol_macro'], | |||
parent = id, | |||
score = 0.0, | |||
group = N | |||
}) | |||
has_valid = true | |||
if type(m['patterns']) == 'table' then | |||
if m['patterns'][1] then |
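Review bot: The two new virtual-symbol registrations use `m['symbol_encrypted']` and `m['symbol_macro']` unconditionally; if any rule reaching this loop lacks those fields (the companion hunk drops the `symbol_encrypted` default from add_antivirus_rule and never adds a `symbol_macro` one), `register_symbol` is called with `name = nil`. Replacing the three copy-pasted registrations with a loop over the field names that skips unset ones removes both the duplication and the nil case. Dropping `nostat` from the `_FAIL` symbol means scanner-failure symbols now feed statistics; if that is intended, a short comment would document it. The enclosing `if opts and type(opts) == 'table'` block starts outside the hunk.
```lua
local id = rspamd_config:register_symbol(t)
-- Register one virtual child per configured outcome symbol; skip names
-- the rule did not define so register_symbol never sees name = nil.
for _, key in ipairs({ 'symbol_fail', 'symbol_encrypted', 'symbol_macro' }) do
  if m[key] then
    rspamd_config:register_symbol({
      type = 'virtual',
      name = m[key],
      parent = id,
      score = 0.0,
      group = N
    })
  end
end
-- … unchanged: has_valid = true and pattern handling …
```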