commit 51eefb6: [Feature] Antivirus: Allow to set fake eicar patterns for testing AV engines
Vsevolod Stakhov
vsevolod at highsecure.ru
Fri Sep 17 15:49:04 UTC 2021
Author: Vsevolod Stakhov
Date: 2021-09-17 16:43:32 +0100
URL: https://github.com/rspamd/rspamd/commit/51eefb68d58a68fcffc61e9d3893769f21a50236 (HEAD -> master)
[Feature] Antivirus: Allow to set fake eicar patterns for testing AV engines
---
src/plugins/lua/antivirus.lua | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/plugins/lua/antivirus.lua b/src/plugins/lua/antivirus.lua
index 56bd4b520..2ad5dc029 100644
--- a/src/plugins/lua/antivirus.lua
+++ b/src/plugins/lua/antivirus.lua
@@ -16,6 +16,7 @@ limitations under the License.
local rspamd_logger = require "rspamd_logger"
local lua_util = require "lua_util"
+local rspamd_util = require "rspamd_util"
local lua_redis = require "lua_redis"
local fun = require "fun"
local lua_antivirus = require("lua_scanners").filter('antivirus')
@@ -63,12 +64,19 @@ antivirus {
}
# `whitelist` points to a map of IP addresses. Mail from these addresses is not scanned.
whitelist = "/etc/rspamd/antivirus.wl";
+ # Replace content that exactly matches the following string to the EICAR pattern
+ # Useful for E2E testing when another party removes/blocks EICAR attachments
+ #eicar_fake_pattern = 'testpatterneicar';
}
}
]])
return
end
+-- Encode as base32 in the source to avoid crappy stuff
+local eicar_pattern = rspamd_util.decode_base32(
+ [[akp6woykfbonrepmwbzyfpbmibpone3mj3pgwbffzj9e1nfjdkorisckwkohrnfe1nt41y3jwk1cirjki4w4nkieuni4ndfjcktnn1yjmb1wn]]
+)
local function add_antivirus_rule(sym, opts)
if not opts.type then
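Review bot: The sample-config comment for `eicar_fake_pattern` does not say that the option is meant for test setups only. Once it is set, any part whose content equals the string is handed to the scanner as EICAR, so a sender who knows the string can cause a virus verdict on that instance. I would add a line such as `# Testing only: leave unset in production and do not publish the pattern`, and change "to the EICAR pattern" to "with the EICAR pattern". The comment above `eicar_pattern` could give the reason directly, presumably `-- Kept base32-encoded so this file does not itself contain the EICAR test string`.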
@@ -135,7 +143,21 @@ local function add_antivirus_rule(sym, opts)
fun.each(function(p)
local content = p:get_content()
- if content and #content > 0 then
+ local clen = #content
+ if content and clen > 0 then
+ if opts.eicar_fake_pattern then
+ if type(opts.eicar_fake_pattern) == 'string' then
+ -- Convert it to Rspamd text
+ local rspamd_text = require "rspamd_text"
+ opts.eicar_fake_pattern = rspamd_text.fromstring(opts.eicar_fake_pattern)
+ end
+
+ if clen == #opts.eicar_fake_pattern and content == opts.eicar_fake_pattern then
+ rspamd_logger.infox(task, 'found eicar fake replacement part in the part (filename="%s")',
+ p:get_filename())
+ content = eicar_pattern
+ end
+ end
cfg.check(task, content, p:get_digest(), rule, p)
end
end, common.check_parts_match(task, rule))
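Review bot: `local clen = #content` is evaluated before the `content and` test, so the nil check on the following line can no longer protect the length operator. If `p:get_content()` can return nil, as the retained check implies, the callback now raises an error for that part instead of skipping it. Take the length only after the nil test, e.g. `local clen = content and #content or 0` followed by `if clen > 0 then`. Separately, the conversion of `opts.eicar_fake_pattern` to rspamd text sits inside the per-part callback although it only needs to run once; it could move to rule setup in `add_antivirus_rule`, whose body begins and ends outside this hunk.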