commit 3baee22: [Feature] Antivirus: Add avast support

Vsevolod Stakhov vsevolod at highsecure.ru
Sat Feb 1 18:14:10 UTC 2020


Author: Vsevolod Stakhov
Date: 2020-02-01 11:33:48 +0000
URL: https://github.com/rspamd/rspamd/commit/3baee22475cd021154e72baf17727606f6c22f0b

[Feature] Antivirus: Add avast support

---
 lualib/lua_scanners/avast.lua | 292 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 292 insertions(+)

diff --git a/lualib/lua_scanners/avast.lua b/lualib/lua_scanners/avast.lua
new file mode 100644
index 000000000..547d80ca1
--- /dev/null
+++ b/lualib/lua_scanners/avast.lua
@@ -0,0 +1,292 @@
+--[[
+Copyright (c) 2020, Vsevolod Stakhov <vsevolod at highsecure.ru>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+]]--
+
+--[[[
+-- @module avast
+-- This module contains avast av access functions
+--]]
+
+local lua_util = require "lua_util"
+local rspamd_util = require "rspamd_util"
+local tcp = require "rspamd_tcp"
+local upstream_list = require "rspamd_upstream_list"
+local rspamd_regexp = require "rspamd_regexp"
+local rspamd_logger = require "rspamd_logger"
+local common = require "lua_scanners/common"
+
+local N = "avast"
+
+local default_message = '${SCANNER}: virus found: "${VIRUS}"'
+
+local function avast_config(opts)
+  local avast_conf = {
+    name = N,
+    scan_mime_parts = true,
+    scan_text_mime = false,
+    scan_image_mime = false,
+    timeout = 4.0, -- FIXME: this will break task_timeout!
+    log_clean = false,
+    detection_category = "virus",
+    retransmits = 1,
+    servers = nil, -- e.g. /var/run/avast/scan.sock
+    cache_expire = 3600, -- expire redis in one hour
+    message = default_message,
+  }
+
+  avast_conf = lua_util.override_defaults(avast_conf, opts)
+
+  if not avast_conf.prefix then
+    avast_conf.prefix = 'rs_' .. avast_conf.name .. '_'
+  end
+
+  if not avast_conf.log_prefix then
+    if avast_conf.name:lower() == avast_conf.type:lower() then
+      avast_conf.log_prefix = avast_conf.name
+    else
+      avast_conf.log_prefix = avast_conf.name .. ' (' .. avast_conf.type .. ')'
+    end
+  end
+
+  if not avast_conf['servers'] then
+    rspamd_logger.errx(rspamd_config, 'no servers/unix socket defined')
+
+    return nil
+  end
+
+  avast_conf['upstreams'] = upstream_list.create(rspamd_config,
+      avast_conf['servers'],
+      0)
+
+  if avast_conf['upstreams'] then
+    lua_util.add_debug_alias('antivirus', avast_conf.name)
+    return avast_conf
+  end
+
+  rspamd_logger.errx(rspamd_config, 'cannot parse servers %s',
+      avast_conf['servers'])
+  return nil
+end
+
+local function avast_check(task, content, digest, rule)
+  local function avast_check_uncached ()
+    local upstream = rule.upstreams:get_upstream_round_robin()
+    local addr = upstream:get_addr()
+    local retransmits = rule.retransmits
+    local CRLF = '\r\n'
+
+    -- Common tcp options
+    local tcp_opts = {
+      stop_pattern = CRLF,
+      host = addr:to_string(),
+      port = addr:get_port(),
+      timeout = rule['timeout'],
+      task = task
+    }
+
+    -- Regexps to process reply from avast
+    local clean_re = rspamd_regexp.create_cached(
+        [=[(?!\\)\t\[\+\]]=]
+    )
+    local virus_re = rspamd_regexp.create_cached(
+        [[(?!\\)\t\[L\]\d\.\d\t\d\s(.*)]]
+    )
+    local error_re = rspamd_regexp.create_cached(
+        [[(?!\\)\t\[E\]\d+\.0\tError\s\d+\s(.*)]]
+    )
+
+    -- Used to make a dialog
+    local tcp_conn
+
+    -- Save content in file as avast can work with files only
+    local fname = string.format('%s/%s.avtmp',
+        rule.tmpdir, rspamd_util.random_hex(32))
+    local message_fd = rspamd_util.create_file(fname)
+
+    if not message_fd then
+      rspamd_logger.errx('cannot store file for avast scan: %s', fname)
+      return
+    end
+
+    if type(content) == 'string' then
+      -- Create rspamd_text
+      local rspamd_text = require "rspamd_text"
+      content = rspamd_text.fromstring(content)
+    end
+    content:save_in_file(message_fd)
+
+    -- Ensure file cleanup on task processed
+    task:get_mempool():add_destructor(function()
+      os.remove(fname)
+      rspamd_util.close_file(message_fd)
+    end)
+
+    -- Dialog stages closures
+    local avast_helo_cb
+    local avast_helo_done_cb
+    local avast_scan_cb
+    local avast_scan_done_cb
+
+    -- Utility closures
+    local function maybe_retransmit()
+      if retransmits > 0 then
+        retransmits = retransmits - 1
+      else
+        rspamd_logger.errx(task,
+            '%s [%s]: failed to scan, maximum retransmits exceed',
+            rule['symbol'], rule['type'])
+        common.yield_result(task, rule, 'failed to scan and retransmits exceed',
+            0.0, 'fail')
+
+        return
+      end
+
+      upstream = rule.upstreams:get_upstream_round_robin()
+      addr = upstream:get_addr()
+      tcp_opts.callback = avast_helo_cb
+
+      tcp_conn = tcp.request(tcp_opts)
+
+      if not tcp_conn then
+        rspamd_logger.infox(task, 'cannot create connection to avast server: %s',
+          tostring(addr))
+      end
+    end
+
+    local function no_connection_error(err)
+      if err then
+        if tcp_conn then
+          tcp_conn:close()
+        end
+        rspamd_logger.infox(task, 'failed to write request to avast (%s): %s',
+            tostring(addr), err)
+        maybe_retransmit()
+
+        return false
+      end
+
+      return true
+    end
+
+
+    -- Define callbacks
+    avast_helo_cb = function (merr)
+      -- Called when we have established a connection but not read anything
+      if no_connection_error(merr) then
+        tcp_conn:add_read(avast_helo_done_cb, CRLF)
+      end
+    end
+
+    avast_helo_done_cb = function(merr, mdata)
+      if no_connection_error(merr) then
+        -- Check mdata to ensure that it starts with 220
+        if #mdata > 3 and tostring(mdata:span(1, 3)) == '220' then
+          tcp_conn:add_write(avast_scan_cb, string.format(
+              'SCAN %s%s', fname, CRLF))
+        else
+          rspamd_logger.errx(task, 'Unhandled response: %s', mdata)
+        end
+      end
+    end
+
+    avast_scan_cb = function(merr)
+      -- Called when we have send request to avast and are waiting for reply
+      if no_connection_error(merr) then
+        tcp_conn:add_read(avast_scan_done_cb, CRLF)
+      end
+    end
+
+    avast_scan_done_cb = function(merr, mdata)
+      if no_connection_error(merr) then
+        if #mdata > 4 then
+          local beg = tostring(mdata:span(1, 4))
+
+          if beg == '210' then
+            -- Ignore 210, fire another read
+            tcp_conn:add_read(avast_scan_done_cb, CRLF)
+          elseif beg == '200' then
+            -- Final line
+            upstream:ok()
+            tcp_conn:close()
+          else
+            -- Check line using regular expressions
+            local cached
+            local ret = clean_re:search(mdata, false, true)
+
+            if ret then
+              cached = 'OK'
+              if rule.log_clean then
+                rspamd_logger.infox(task,
+                    '%s [%s]: message or mime_part is clean',
+                    rule.symbol, rule.type)
+              end
+            end
+
+            if not cached then
+              ret = virus_re:search(mdata, false, true)
+
+              if ret then
+                local vname = ret[1][2]
+
+                if vname then
+                  vname = vname:gsub('\\ ', ' '):gsub('\\\\', '\\')
+                  common.yield_result(task, rule, vname)
+                  cached = vname
+                end
+              end
+            end
+
+            if not cached then
+              ret = error_re:search(mdata, false, true)
+
+              if ret then
+                rspamd_logger.errx(task, '%s: error: %s', rule.log_prefix, ret[1][2])
+                common.yield_result(task, rule, 'error:' .. ret[1][2],
+                    0.0, 'fail')
+              end
+            end
+
+            if cached then
+              common.save_cache(task, digest, rule, cached)
+            else
+              -- Unexpected reply
+              rspamd_logger.errx(task, '%s: unexpected reply: %s', rule.log_prefix, mdata)
+            end
+            -- Read more
+            tcp_conn:add_read(avast_scan_done_cb, CRLF)
+          end
+        end
+      end
+    end
+
+    -- Send the real request
+    maybe_retransmit()
+  end
+
+  if common.condition_check_and_continue(task, content, rule, digest, avast_check_uncached) then
+    return
+  else
+    avast_check_uncached()
+  end
+
+end
+
+return {
+  type = 'antivirus',
+  description = 'Avast antivirus',
+  configure = avast_config,
+  check = avast_check,
+  name = N
+}


More information about the Commits mailing list