commit e45b99b: [Minor] lua_scanners - adopt excrypted / macro support

Carsten Rosenberg c.rosenberg at heinlein-support.de
Thu Oct 10 11:49:07 UTC 2019


Author: Carsten Rosenberg
Date: 2019-10-08 21:00:31 +0200
URL: https://github.com/rspamd/rspamd/commit/e45b99bdb699922e4558b2ff28ea5f85a8968d93

[Minor] lua_scanners - adopt excrypted / macro support

---
 lualib/lua_scanners/clamav.lua        |  4 ++++
 lualib/lua_scanners/oletools.lua      |  7 ++++++-
 src/plugins/lua/antivirus.lua         |  1 -
 src/plugins/lua/external_services.lua | 26 +++++++++++++++++++++++---
 4 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/lualib/lua_scanners/clamav.lua b/lualib/lua_scanners/clamav.lua
index f95f96d92..2862ce025 100644
--- a/lualib/lua_scanners/clamav.lua
+++ b/lualib/lua_scanners/clamav.lua
@@ -140,6 +140,10 @@ local function clamav_check(task, content, digest, rule)
             rspamd_logger.errx(task, '%s: File is encrypted', rule.log_prefix)
             common.yield_result(task, rule, 'File is encrypted: '.. vname, 0.0, 'encrypted')
             cached = 'encrypted'
+          elseif string.find(vname, '^Heuristics%.OLE2%.ContainsMacros') then
+            rspamd_logger.errx(task, '%s: ClamAV Found an OLE2 Office Macro', rule.log_prefix)
+            common.yield_result(task, rule, vname, 0.0, 'macro')
+          elseif vname then
           elseif string.find(vname, '^Heuristics%.Limits%.Exceeded') then
             rspamd_logger.errx(task, '%s: ClamAV Limits Exceeded', rule.log_prefix)
             common.yield_result(task, rule, 'Limits Exceeded: '.. vname, 0.0, 'fail')
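Review bot: The added `elseif vname then` with an empty body sits before the existing `Heuristics.Limits.Exceeded` branch, and since `vname` is a non-nil string at that point it swallows every remaining case, so the limits branch (and whatever follows it in the chain beyond this hunk) can no longer be reached; that line should simply be deleted. The new macro branch also does not set `cached`, unlike the encrypted branch two lines above it, so if the post-chain cache write keys off that variable the macro verdict would presumably be cached under a different state — adding `cached = 'macro'` after the yield would keep the two branches symmetric, if that is how the cache path works. The enclosing `clamav_check` starts and ends outside this hunk, so I cannot confirm the later branches from here.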
diff --git a/lualib/lua_scanners/oletools.lua b/lualib/lua_scanners/oletools.lua
index 4bdf7747d..8474a1847 100644
--- a/lualib/lua_scanners/oletools.lua
+++ b/lualib/lua_scanners/oletools.lua
@@ -184,6 +184,11 @@ local function oletools_check(task, content, digest, rule)
             end
           elseif result[3]['return_code'] == 9 then
             rspamd_logger.warnx(task, '%s: File is encrypted.', rule.log_prefix)
+            common.yield_result(task, rule, 'failed - err: ' .. oletools_rc[result[3]['return_code']], 0.0, 'encrypted')
+            common.save_cache(task, digest, rule, 'encrypted')
+          elseif result[3]['return_code'] == 5 then
+            rspamd_logger.warnx(task, '%s: olefy could not open the file - error: %s', rule.log_prefix,
+                result[2]['message'])
             common.yield_result(task, rule, 'failed - err: ' .. oletools_rc[result[3]['return_code']], 0.0, 'fail')
           elseif result[3]['return_code'] > 6 then
             rspamd_logger.errx(task, '%s: Error Returned: %s',
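Review bot: The return-code 9 branch now yields under the `encrypted` result type but still labels the text `'failed - err: ' .. oletools_rc[...]`, which reads as a scanner failure in the symbol option rather than the "file is encrypted" outcome the log line and the cache state describe; `'File is encrypted: ' .. oletools_rc[result[3]['return_code']]` would match the wording the clamav scanner uses for the same condition. Both new branches index `oletools_rc` with the raw return code and concatenate the result, so a code missing from that table would raise on the `..` rather than yield — `oletools_rc` is defined outside this hunk, so I cannot check that 5 and 9 are present. The surrounding `oletools_check` function begins and ends outside the hunk.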
@@ -196,7 +201,7 @@ local function oletools_check(task, content, digest, rule)
                 rule.log_prefix, result[2]['message'])
             oletools_requery(oletools_rc[result[3]['return_code']])
           elseif type(result[2]['analysis']) == 'table' and #result[2]['analysis'] == 0
-            and #result[2]['macros'] == 0 then
+              and #result[2]['macros'] == 0 then
             rspamd_logger.warnx(task, '%s: maybe unhandled python or oletools error', rule.log_prefix)
             common.yield_result(task, rule, 'oletools unhandled error', 0.0, 'fail')
           elseif type(result[2]['analysis']) ~= 'table' and #result[2]['macros'] == 0 then
diff --git a/src/plugins/lua/antivirus.lua b/src/plugins/lua/antivirus.lua
index 8d84887d0..4c89526a5 100644
--- a/src/plugins/lua/antivirus.lua
+++ b/src/plugins/lua/antivirus.lua
@@ -87,7 +87,6 @@ local function add_antivirus_rule(sym, opts)
   if not opts.symbol_fail then
     opts.symbol_fail = opts.symbol .. '_FAIL'
   end
-
   if not opts.symbol_encrypted then
     opts.symbol_encrypted = opts.symbol .. '_ENCRYPTED'
   end
diff --git a/src/plugins/lua/external_services.lua b/src/plugins/lua/external_services.lua
index 4858979e1..4e0ee29c9 100644
--- a/src/plugins/lua/external_services.lua
+++ b/src/plugins/lua/external_services.lua
@@ -136,8 +136,14 @@ local function add_scanner_rule(sym, opts)
 
   rule.type = opts.type
 
-  if not rule.symbol_fail then
-    rule.symbol_fail = opts.symbol .. '_FAIL'
+  if not opts.symbol_fail then
+    opts.symbol_fail = opts.symbol .. '_FAIL'
+  end
+  if not opts.symbol_encrypted then
+    opts.symbol_encrypted = opts.symbol .. '_ENCRYPTED'
+  end
+  if not opts.symbol_macro then
+    opts.symbol_macro = opts.symbol .. '_MACRO'
   end
 
   rule.redis_params = redis_params
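Review bot: The default for the fail symbol is now written to `opts.symbol_fail` where the removed lines wrote `rule.symbol_fail`, and the two new defaults follow the same pattern; unless `rule` aliases `opts` or copies these fields from it somewhere outside this hunk, `rule.symbol_fail` is left unset by this function and the later `m['symbol_fail']` registration would depend on whatever `m` refers to. If the intent is that `rule` carries them, the three assignments should target `rule` (e.g. `rule.symbol_fail = opts.symbol_fail or opts.symbol .. '_FAIL'`); if `opts` is the canonical table, a one-line comment above the block such as `-- derived symbol names live on opts; rule is populated from it below` would save the next reader the same question. `add_scanner_rule` starts before and continues past this hunk.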
@@ -215,12 +221,26 @@ if opts and type(opts) == 'table' then
         local id = rspamd_config:register_symbol(t)
 
         rspamd_config:register_symbol({
-          type = 'virtual,nostat',
+          type = 'virtual',
           name = m['symbol_fail'],
           parent = id,
           score = 0.0,
           group = N
         })
+        rspamd_config:register_symbol({
+          type = 'virtual',
+          name = m['symbol_encrypted'],
+          parent = id,
+          score = 0.0,
+          group = N
+        })
+        rspamd_config:register_symbol({
+          type = 'virtual',
+          name = m['symbol_macro'],
+          parent = id,
+          score = 0.0,
+          group = N
+        })
         has_valid = true
         if type(m['patterns']) == 'table' then
           if m['patterns'][1] then
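Review bot: The fail symbol's registration type changes from `'virtual,nostat'` to `'virtual'` and the two new virtual symbols are registered the same way, which drops the `nostat` flag from a symbol that previously carried it; that is a behaviour change the commit message does not mention, and since these symbols signal scanner state rather than message content, keeping them out of statistics looks like the safer default unless the removal was deliberate. The three blocks are otherwise identical apart from the name, so a loop over the three symbol names would make the shared type, parent, score and group visible in one place. This sits inside a larger registration block whose boundaries are outside the hunk.
```lua
        -- … unchanged: local id = rspamd_config:register_symbol(t) …
        for _, vsym in ipairs({ m['symbol_fail'], m['symbol_encrypted'], m['symbol_macro'] }) do
          rspamd_config:register_symbol({
            type = 'virtual,nostat',
            name = vsym,
            parent = id,
            score = 0.0,
            group = N
          })
        end
        -- … unchanged: has_valid = true and pattern handling …
```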

