commit d41e039: [Minor] lua_scanners - icap - update comments

Carsten Rosenberg c.rosenberg at heinlein-support.de
Thu Nov 4 20:28:07 UTC 2021


Author: Carsten Rosenberg
Date: 2021-11-02 20:09:19 +0100
URL: https://github.com/rspamd/rspamd/commit/d41e039af356b68e5914528a4bc78b6be3d9b21c

[Minor] lua_scanners - icap - update comments

---
 lualib/lua_scanners/icap.lua | 91 +++++++++++++++++++++++++++-----------------
 1 file changed, 56 insertions(+), 35 deletions(-)

diff --git a/lualib/lua_scanners/icap.lua b/lualib/lua_scanners/icap.lua
index 4f475eaaa..899855059 100644
--- a/lualib/lua_scanners/icap.lua
+++ b/lualib/lua_scanners/icap.lua
@@ -19,13 +19,14 @@ limitations under the License.
 @module icap
 This module contains icap access functions.
 Currently tested with
- - Symantec (Rspam <3.2)
- - Sophos Savdi
- - ClamAV/c-icap
- - Kaspersky Web Traffic Security
- - Trend Micro IWSVA
+ - C-ICAP Squidclamav / echo
  - F-Secure Internet Gatekeeper
+ - Kaspersky Web Traffic Security
  - McAfee Web Gateway
+ - Sophos Savdi
+ - Symantec (Rspamd <3.2, >=3.2 untested)
+ - Trend Micro IWSVA
+ - Trend Micro Web Gateway
 
 @TODO
  - Preview / Continue
@@ -50,19 +51,26 @@ F-Secure Internet Gatekeeper example:
 
 Kaspersky Web Traffic Security example:
   scheme = "av/respmod";
+  x_client_header = true;
 
 McAfee Web Gateway 11 (Headers must be activated with personal extra Rules)
   scheme = "respmod";
   x_client_header = true;
 
 Sophos SAVDI example:
-  scheme as configured in savdi.conf
+  # scheme as configured in savdi.conf (name option in service section)
+  scheme = "respmod";
 
 Symantec example:
   scheme = "avscan";
 
-Trend Micro IWSVA example:
+Trend Micro IWSVA example (X-Virus-ID/X-Infection-Found headers must be activated):
   scheme = "avscan";
+  x_client_header = true;
+
+Trend Micro Web Gateway example (X-Virus-ID/X-Infection-Found headers must be activated):
+  scheme = "interscan";
+  x_client_header = true;
 ]] --
 
 
@@ -328,48 +336,55 @@ local function icap_check(task, content, digest, rule, maybe_part)
         @ToDo: handle type in response
 
         Generic Strings:
-          X-Infection-Found: Type=0; Resolution=2; Threat=Troj/DocDl-OYC;
-          X-Infection-Found: Type=0; Resolution=2; Threat=W97M.Downloader;
+          icap: X-Infection-Found: Type=0; Resolution=2; Threat=Troj/DocDl-OYC;
+          icap: X-Infection-Found: Type=0; Resolution=2; Threat=W97M.Downloader;
 
         Symantec String:
-          X-Infection-Found: Type=2; Resolution=2; Threat=Container size violation
-          X-Infection-Found: Type=2; Resolution=2; Threat=Encrypted container violation;
+          icap: X-Infection-Found: Type=2; Resolution=2; Threat=Container size violation
+          icap: X-Infection-Found: Type=2; Resolution=2; Threat=Encrypted container violation;
 
         Sophos Strings:
-          X-Virus-ID: Troj/DocDl-OYC
+          icap: X-Virus-ID: Troj/DocDl-OYC
+          http: X-Blocked: Virus found during virus scan
+          http: X-Blocked-By: Sophos Anti-Virus
 
         Kaspersky Web Traffic Security Strings:
-          X-Virus-ID: HEUR:Backdoor.Java.QRat.gen
-          X-Response-Info: blocked
-          X-Virus-ID: no threats
-          X-Response-Info: blocked
-          X-Response-Info: passed
-
-        Trend Micro IWSVA Strings:
-          X-Virus-ID: Trojan.W97M.POWLOAD.SMTHF1
-          X-Infection-Found: Type=0; Resolution=2; Threat=Trojan.W97M.POWLOAD.SMTHF1;
+          icap: X-Virus-ID: HEUR:Backdoor.Java.QRat.gen
+          icap: X-Response-Info: blocked
+          icap: X-Virus-ID: no threats
+          icap: X-Response-Info: blocked
+          icap: X-Response-Info: passed
+          http: HTTP/1.1 403 Forbidden
+
+        Trend Micro Strings:
+          icap: X-Virus-ID: Trojan.W97M.POWLOAD.SMTHF1
+          icap: X-Infection-Found: Type=0; Resolution=2; Threat=Trojan.W97M.POWLOAD.SMTHF1;
+          http: HTTP/1.1 403 Forbidden (TMWS Blocked)
+          http: HTTP/1.1 403 Forbidden
 
         F-Secure Internet Gatekeeper Strings:
-          X-FSecure-Scan-Result: infected
-          X-FSecure-Infection-Name: "Malware.W97M/Agent.32584203"
-          X-FSecure-Infected-Filename: "virus.doc"
+          icap: X-FSecure-Scan-Result: infected
+          icap: X-FSecure-Infection-Name: "Malware.W97M/Agent.32584203"
+          icap: X-FSecure-Infected-Filename: "virus.doc"
 
         ESET File Security for Linux 7.0
-          X-Infection-Found: Type=0; Resolution=0; Threat=VBA/TrojanDownloader.Agent.JOA;
-          X-Virus-ID: Trojaner
-          X-Response-Info: Blocked
+          icap: X-Infection-Found: Type=0; Resolution=0; Threat=VBA/TrojanDownloader.Agent.JOA;
+          icap: X-Virus-ID: Trojaner
+          icap: X-Response-Info: Blocked
 
         McAfee Web Gateway 11 (Headers must be activated with personal extra Rules)
-          X-Virus-ID: EICAR test file
-          X-Media-Type: text/plain
-          X-Block-Result: 80
-          X-Block-Reason: Malware found
-          X-Block-Reason: Archive not supported
-          X-Block-Reason: Media Type (Block List)
+          icap: X-Virus-ID: EICAR test file
+          icap: X-Media-Type: text/plain
+          icap: X-Block-Result: 80
+          icap: X-Block-Reason: Malware found
+          icap: X-Block-Reason: Archive not supported
+          icap: X-Block-Reason: Media Type (Block List)
+          http: HTTP/1.0 403 VirusFound
 
         C-ICAP Squidclamav
-          X-Infection-Found: Type=0; Resolution=2; Threat={HEX}EICAR.TEST.3.UNOFFICIAL;
-          X-Virus-ID: {HEX}EICAR.TEST.3.UNOFFICIAL
+          icap/http: X-Infection-Found: Type=0; Resolution=2; Threat={HEX}EICAR.TEST.3.UNOFFICIAL;
+          icap/http: X-Virus-ID: {HEX}EICAR.TEST.3.UNOFFICIAL
+          http: HTTP/1.0 307 Temporary Redirect
         ]] --
 
         -- Generic ICAP Headers
@@ -504,6 +519,12 @@ local function icap_check(task, content, digest, rule, maybe_part)
               ICAP/1.0 539 Aborted - No AV scanning license
             SquidClamAV/C-ICAP:
               ICAP/1.0 500 Server error
+            Eset:
+              ICAP/1.0 405 Forbidden
+            TrendMicro:
+              ICAP/1.0 400 Bad request
+            McAfee:
+              ICAP/1.0 418 Bad composition
             ]]--
             rspamd_logger.errx(task, '%s: ICAP ERROR: %s', rule.log_prefix, icap_headers.icap)
             common.yield_result(task, rule, icap_headers.icap, 0.0,


More information about the Commits mailing list