commit 6614b86: [Feature] Antivirus: Handle encrypted files specially
Vsevolod Stakhov
vsevolod at highsecure.ru
Tue Apr 9 12:21:03 UTC 2019
Author: Vsevolod Stakhov
Date: 2019-04-09 13:20:16 +0100
URL: https://github.com/rspamd/rspamd/commit/6614b861a4b0ad518fae972ed509c7d8a983ebf7 (HEAD -> master)
[Feature] Antivirus: Handle encrypted files specially
---
lualib/lua_scanners/clamav.lua | 2 +-
lualib/lua_scanners/common.lua | 5 +++++
src/plugins/lua/antivirus.lua | 12 ++++++++++++
3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/lualib/lua_scanners/clamav.lua b/lualib/lua_scanners/clamav.lua
index b3a1b20f2..1ff3cdc4f 100644
--- a/lualib/lua_scanners/clamav.lua
+++ b/lualib/lua_scanners/clamav.lua
@@ -138,7 +138,7 @@ local function clamav_check(task, content, digest, rule)
local vname = string.match(data, 'stream: (.+) FOUND')
if string.find(vname, '^Heuristics%.Encrypted') then
rspamd_logger.errx(task, '%s: File is encrypted', rule.log_prefix)
- common.yield_result(task, rule, 'File is encrypted: '.. vname, 0.0, 'fail')
+ common.yield_result(task, rule, 'File is encrypted: '.. vname, 0.0, 'encrypted')
elseif string.find(vname, '^Heuristics%.Limits%.Exceeded') then
rspamd_logger.errx(task, '%s: ClamAV Limits Exceeded', rule.log_prefix)
common.yield_result(task, rule, 'Limits Exceeded: '.. vname, 0.0, 'fail')
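Review bot: Now that an encrypted archive is routed to its own `symbol_encrypted` result instead of being reported as a scan failure, the `rspamd_logger.errx(task, '%s: File is encrypted', rule.log_prefix)` call just above the changed line still logs an expected, per-message scan outcome at error level, which will be noisy on any mail flow that carries password-protected attachments. Logging it at info level, `rspamd_logger.infox(task, '%s: File is encrypted', rule.log_prefix)`, matches its new status as a normal verdict while keeping the `Limits.Exceeded` branch at error level. The enclosing `clamav_check` body and the `FOUND` match that produces `vname` lie outside the hunk, so whether `vname` can be nil here cannot be judged from this view.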
diff --git a/lualib/lua_scanners/common.lua b/lualib/lua_scanners/common.lua
index 9bf2adf44..f35ee372d 100644
--- a/lualib/lua_scanners/common.lua
+++ b/lualib/lua_scanners/common.lua
@@ -79,6 +79,11 @@ local function yield_result(task, rule, vname, dyn_weight, is_fail)
symbol = rule.symbol_fail
threat_info = "FAILED with error"
dyn_weight = 0.0
+ elseif is_fail == 'encrypted' then
+ patterns = rule.patterns
+ symbol = rule.symbol_encrypted
+ threat_info = "Scan has returned that input was encrypted"
+ dyn_weight = 1.0
end
if type(vname) == 'string' then
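Review bot: The `is_fail` parameter of `yield_result` now carries a third value, `'encrypted'`, alongside the boolean and `'fail'` usages, but the parameter name and the missing doc comment give the other scanners in lua_scanners no hint that the value exists or what it does; a short LDoc block above the function, along the lines of `-- @param is_fail boolean|'fail'|'encrypted': 'fail' reports rule.symbol_fail, 'encrypted' reports rule.symbol_encrypted with weight 1.0`, would make the contract discoverable. Note also that the new branch sets `patterns = rule.patterns` while the visible part of the `'fail'` branch does not, so whatever pattern handling follows `if type(vname) == 'string'` presumably also runs over the `'File is encrypted: …'` string; if that remapping is not intended for encrypted verdicts, the assignment should be dropped. The function signature and the remainder of its body are outside the hunk.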
diff --git a/src/plugins/lua/antivirus.lua b/src/plugins/lua/antivirus.lua
index 68dcedb64..70549719f 100644
--- a/src/plugins/lua/antivirus.lua
+++ b/src/plugins/lua/antivirus.lua
@@ -88,6 +88,10 @@ local function add_antivirus_rule(sym, opts)
opts.symbol_fail = opts.symbol .. '_FAIL'
end
+ if not opts.symbol_encrypted then
+ opts.symbol_encrypted = opts.symbol .. '_ENCRYPTED'
+ end
+
-- WORKAROUND for deprecated attachments_only
if opts.attachments_only ~= nil then
opts.scan_mime_parts = opts.attachments_only
@@ -99,6 +103,7 @@ local function add_antivirus_rule(sym, opts)
local rule = cfg.configure(opts)
rule.type = opts.type
rule.symbol_fail = opts.symbol_fail
+ rule.symbol_encrypted = opts.symbol_encrypted
rule.redis_params = redis_params
if not rule then
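Review bot: `rule.symbol_encrypted = opts.symbol_encrypted` is added above the `if not rule then` guard, so when `cfg.configure(opts)` returns nil the new assignment, like the existing `rule.type` and `rule.symbol_fail` writes, raises an attempt-to-index-nil error before the guard can report the misconfiguration. Moving the check directly after `local rule = cfg.configure(opts)` and placing the three `rule.*` assignments below it fixes both the new and the pre-existing instances in one step. The body of `add_antivirus_rule` continues outside the hunk.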
@@ -158,6 +163,13 @@ if opts and type(opts) == 'table' then
score = 0.0,
group = N
})
+ rspamd_config:register_symbol({
+ type = 'virtual',
+ name = m['symbol_encrypted'],
+ parent = id,
+ score = 0.0,
+ group = N
+ })
has_valid = true
if type(m['patterns']) == 'table' then
if m['patterns'][1] then