[Rspamd-Users] Doubt on Antivirus settings
Carsten Rosenberg
cr at ncxs.de
Fri Nov 9 16:06:42 UTC 2018
Sanesecurity & Co will probably also detect threats in complete mails.
But you will store the digest of the complete mail.
When thinking about bad attachments and changing mail text, these will
not be recognized from cache, because the mails w/ changing texts will
have different digests.
If you only want to scan attachments and save these digests you will be
fine with
> scan_mime_parts = true;
> scan_text_mime = false;
> scan_image_mime = false;
Because many AVs will not detect threats in the text parts.
But when using Sanesecurity & Co you will detect bad attachments (e.g.
.exe) and also threats inside the text mime parts or even images
(SecuriteInfo sigs). So you may want to scan every single mime-part
separately. This is my use-case.
You are right - scan_mime_parts = false; will scan the mail only once,
with everything true there will be a new scan for every mime part.
It's on you to decide whether the higher CPU usage and longer scan time
work for you.
Carsten
On 09.11.18 16:44, Thomas Plant wrote:
> We do have installed the unofficial Signatures from Sanesecurity.
>
> So, setting 'scan_mime_parts = false;' and having 'ScanMail=yes' in
> Clamav Daemon would scan the entire mail and use the Sanesecurity
> Signatures?
>
> It is the same as setting:
> scan_mime_parts = true;
> scan_text_mime = true;
> scan_image_mime = true;
>
> But not doing three calls to the clamav daemon? Or am I completely
> misguided?
>
>
> On 09.11.2018 at 15:38, Carsten Rosenberg wrote:
>> Every mail is being scanned, when there is no cached result.
>>
>> The only question is, will the complete mail or only parts (maybe
>> attachments like .exe, .docx, .iso)..
>>
>>
>> Set
>>
>> scan_mime_parts = false;
>>
>> or scan just non-text, non-image parts
>>
>>>> scan_mime_parts = true;
>>>> scan_text_mime = false;
>>>> scan_image_mime = false;
>> when you have a default ClamAV, Sophos or Avira. This setting would also
>> scan your .iso
>>
>>
>>
>> Currently the only benefit for enabling all options
>>
>>> scan_mime_parts = true;
>>> scan_text_mime = true;
>>> scan_image_mime = true;
>> is when you use additional unofficial ClamAV sigs like Sanesecurity or
>> SecuriteInfo
>>
>> Carsten
>>
>>
>>
>> On 09.11.18 15:31, Thomas Plant via Users wrote:
>>> Thanks for the answer.
>>>
>>> So, for a better understanding, if I set:
>>>
>>> scan_mime_parts = true;
>>> scan_text_mime = true;
>>> scan_image_mime = true;
>>>
>>> also all incoming mails are scanned?
>>>
>>>
>>> On 09.11.2018 at 15:12, Carsten Rosenberg wrote:
>>>> With scan_mime_parts = false; you tell rspamd to scan the complete
>>>> mail.
>>>>
>>>> scan_text_mime = true; -> this setting is unused when scanning the
>>>> complete mail.
>>>>
>>>> --
>>>>
>>>> Some examples:
>>>>
>>>> scan_mime_parts = true;
>>>> scan_text_mime = false;
>>>> scan_image_mime = false;
>>>>
>>>> -> Scan mime parts separately, but do not scan Text or Image Parts.
>>>>
>>>> --
>>>>
>>>> scan_mime_parts = true;
>>>> scan_text_mime = true;
>>>> scan_image_mime = true;
>>>>
>>>> -> Scan mime parts separately and also scan Text and Image parts.
>>>>
>>>> --
>>>>
>>>> So your mail should have been scanned with your settings.
>>>>
>>>> Carsten
>>>>
>>>>
>>>> On 09.11.18 14:32, Thomas Plant via Users wrote:
>>>>> Hello,
>>>>>
>>>>> maybe it is because it's Friday and my mind is a little tired but I have
>>>>> a problem of understanding these settings:
>>>>>
>>>>> scan_mime_parts = false;
>>>>> scan_text_mime = true;
>>>>>
>>>>> made this way, will cause every mail to be scanned by the antivirus? Or
>>>>> do exist other criteria when to scan an incoming mail?
>>>>>
>>>>> This is because I had a mail with an '.iso' file attached which has not
>>>>> been scanned by the antivirus. And it did not match the max_size setting
>>>>> in AV-module, it was way less than the 10 Mbytes I had set as a limit.
>>>>>
>>>>> Sincerely,
>>>>> Thomas
>
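
The caching trade-off discussed in this thread, as an added example that is not part of the original messages and not rspamd's own code: a simplified Python model of which bytes are handed to the AV under each combination of scan_mime_parts, scan_text_mime and scan_image_mime, and how often a digest cache hits when the same attachment arrives with changing mail text. The SHA-256 cache key, the helper names (build_mail, scan_units, simulate) and the sample mails are assumptions constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

ATTACHMENT = b"constructed attachment bytes, not a real ISO " * 64

def build_mail(body_text):
    """Constructed sample mail: one text part plus one .iso attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "rcpt@example.com"
    msg["Subject"] = "invoice"
    msg.set_content(body_text)
    msg.add_attachment(ATTACHMENT, maintype="application",
                       subtype="octet-stream", filename="invoice.iso")
    msg.set_boundary("constructed-boundary")  # keep the output deterministic
    return msg.as_bytes()

def scan_units(raw, scan_mime_parts, scan_text_mime=False, scan_image_mime=False):
    """Byte strings handed to the AV under the given settings (simplified model)."""
    if not scan_mime_parts:
        return [raw]  # complete mail, one scan; the *_mime flags are unused
    units = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        main = part.get_content_maintype()
        skip = (main == "text" and not scan_text_mime) or \
               (main == "image" and not scan_image_mime)
        if not part.is_multipart() and not skip:
            units.append(part.get_payload(decode=True))
    return units

def simulate(mails, **flags):
    """Return (av_scans, cache_hits); the cache key is an assumed SHA-256 digest."""
    cache, scans, hits = set(), 0, 0
    for raw in mails:
        for unit in scan_units(raw, **flags):
            digest = hashlib.sha256(unit).hexdigest()
            if digest in cache:
                hits += 1
            else:
                cache.add(digest)
                scans += 1
    return scans, hits

# Same attachment, different text in every mail (constructed input).
MAILS = [build_mail(f"Dear customer {i}, see attached.") for i in range(3)]

if __name__ == "__main__":
    for flags in ({"scan_mime_parts": False}, {"scan_mime_parts": True}):
        print(flags, simulate(MAILS, **flags))
```

In this model, whole-mail scanning never hits the cache because each mail's text changes the digest, while per-part scanning re-uses the attachment's digest after the first scan.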