commit 51eefb6: [Feature] Antivirus: Allow to set fake eicar patterns for testing AV engines

Vsevolod Stakhov vsevolod at highsecure.ru
Fri Sep 17 15:49:04 UTC 2021


Author: Vsevolod Stakhov
Date: 2021-09-17 16:43:32 +0100
URL: https://github.com/rspamd/rspamd/commit/51eefb68d58a68fcffc61e9d3893769f21a50236 (HEAD -> master)

[Feature] Antivirus: Allow to set fake eicar patterns for testing AV engines

---
 src/plugins/lua/antivirus.lua | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/src/plugins/lua/antivirus.lua b/src/plugins/lua/antivirus.lua
index 56bd4b520..2ad5dc029 100644
--- a/src/plugins/lua/antivirus.lua
+++ b/src/plugins/lua/antivirus.lua
@@ -16,6 +16,7 @@ limitations under the License.
 
 local rspamd_logger = require "rspamd_logger"
 local lua_util = require "lua_util"
+local rspamd_util = require "rspamd_util"
 local lua_redis = require "lua_redis"
 local fun = require "fun"
 local lua_antivirus = require("lua_scanners").filter('antivirus')
@@ -63,12 +64,19 @@ antivirus {
     }
     # `whitelist` points to a map of IP addresses. Mail from these addresses is not scanned.
     whitelist = "/etc/rspamd/antivirus.wl";
+    # Replace content that exactly matches the following string to the EICAR pattern
+    # Useful for E2E testing when another party removes/blocks EICAR attachments
+    #eicar_fake_pattern = 'testpatterneicar';
   }
 }
 ]])
   return
 end
 
+-- Encode as base32 in the source to avoid crappy stuff
+local eicar_pattern = rspamd_util.decode_base32(
+    [[akp6woykfbonrepmwbzyfpbmibpone3mj3pgwbffzj9e1nfjdkorisckwkohrnfe1nt41y3jwk1cirjki4w4nkieuni4ndfjcktnn1yjmb1wn]]
+)
 
 local function add_antivirus_rule(sym, opts)
   if not opts.type then
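Review bot: The comment on the new `eicar_pattern` declaration says only "to avoid crappy stuff", which does not tell a maintainer what the blob is or why it is encoded; a reader has to decode it to learn it is the EICAR test string. Presumably the reason is that the literal signature must never appear in the source tree, so AV scanners do not flag checkouts or packages of the plugin — the comment should say so, e.g. `-- EICAR test string, kept base32-encoded so the plain signature never appears in the source tree (presumably to keep AV scanners from flagging checkouts)`. It is also worth noting in the comment what `rspamd_util.decode_base32` returns on a malformed input, since the value is later used as part content with no nil check; I cannot tell from the hunk whether it can return nil. The `add_antivirus_rule` function that begins at the end of this hunk continues outside it.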
@@ -135,7 +143,21 @@ local function add_antivirus_rule(sym, opts)
 
       fun.each(function(p)
         local content = p:get_content()
-        if content and #content > 0 then
+        local clen = #content
+        if content and clen > 0 then
+          if opts.eicar_fake_pattern then
+            if type(opts.eicar_fake_pattern) == 'string' then
+              -- Convert it to Rspamd text
+              local rspamd_text = require "rspamd_text"
+              opts.eicar_fake_pattern = rspamd_text.fromstring(opts.eicar_fake_pattern)
+            end
+
+            if clen == #opts.eicar_fake_pattern and content == opts.eicar_fake_pattern then
+              rspamd_logger.infox(task, 'found eicar fake replacement part in the part (filename="%s")',
+                p:get_filename())
+              content = eicar_pattern
+            end
+          end
           cfg.check(task, content, p:get_digest(), rule, p)
         end
       end, common.check_parts_match(task, rule))
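Review bot: `local clen = #content` runs before the `content and` guard on the following line, so a part whose `get_content()` returns nil now raises "attempt to get length of a nil value" where the old `if content and #content > 0` short-circuited; the guard has been made ineffective. Replace the two lines with `local clen = content and #content or 0` and `if clen > 0 then`. The `content == opts.eicar_fake_pattern` comparison relies on rspamd_text equality semantics, which I cannot confirm from this hunk; if it compares by reference rather than by bytes the replacement never fires, so a short comment stating that rspamd_text `==` compares content would help. The enclosing function `add_antivirus_rule` and the surrounding `fun.each` closure start outside this hunk.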

