[Rspamd-Users] Doubt on Antivirus settings

Rob Gunther redrob at gmail.com
Wed Nov 14 07:43:46 UTC 2018


This is a very interesting conversation, as I am working on an issue with
Sophos right now.

In my antivirus.conf, I have not included any scan_mime_parts,
scan_text_mime, scan_image_mime at all.  So according to the docs it is
just sending the entire message to Sophos for scanning.

This is where a problem comes in.

I have noticed that when feeding a raw message to Sophos (via SSSP), the
scanning results are not very good.

It will detect viruses in messages if they are in attached .PDF
documents, and it will find viruses in attached .HTML documents.

However, it does not detect viruses in .doc files.

If I take an email file with an attachment that is a .doc with a virus in
it and pass it through rspamd, it will not be detected.  Even if I put the
email file on disk and request Sophos to scan it using their
on-demand scanner (savscan), it will not find it.

I must extract the .doc file from the message, then have Sophos scan it and
the virus will be found.





On Sat, Nov 10, 2018 at 12:14 AM Carsten Rosenberg <cr at ncxs.de> wrote:

> Sanesecurity & Co will probably also detect threats in complete mails.
> But you will store the digest of the complete mail.
>
> When thinking about bad attachments and changing mail text, these will
> not be recognized from the cache, because mails with changing texts will
> have different digests.
>
> If you only want to scan attachments and save these digests you will be
> fine with
>
> > scan_mime_parts = true;
> > scan_text_mime = false;
> > scan_image_mime = false;
>
> Because many AVs will not detect threats in the text parts.
>
> But when using Sanesecurity & Co you will detect bad attachments (e.g.
> .exe) and also threats inside the text mime parts or even images
> (SecuriteInfo sigs). So you maybe want to scan every single mime-part
> separately. This is my use-case.
>
> You are right - scan_mime_parts = false; will scan the mail only once;
> with everything true there will be a new scan for every mime part.
>
> It's on you to decide whether the higher CPU usage and longer scan time
> work for you.
>
> Carsten
>
> On 09.11.18 16:44, Thomas Plant wrote:
> > We do have installed the unofficial Signatures from Sanesecurity.
> >
> > So, setting 'scan_mime_parts = false;' and having 'ScanMail=yes' in
> > the ClamAV daemon would scan the entire mail and use the Sanesecurity
> > signatures?
> >
> > It is the same as setting:
> > scan_mime_parts = true;
> >     scan_text_mime = true;
> >     scan_image_mime = true;
> >
> > But without doing three calls to the clamav daemon? Or am I completely
> > misguided?
> >
> >
> > Am 09.11.2018 um 15:38 schrieb Carsten Rosenberg:
> >> Every mail is being scanned, when there is no cached result.
> >>
> >> The only question is, will the complete mail be scanned, or only parts
> >> (maybe attachments like .exe, .docx, .iso)?
> >>
> >>
> >> Set
> >>
> >> scan_mime_parts = false;
> >>
> >> or scan just non-text, non-image parts
> >>
> >>>> scan_mime_parts = true;
> >>>> scan_text_mime = false;
> >>>> scan_image_mime = false;
> >> when you have a default ClamAV, Sophos or Avira. This setting would also
> >> scan your .iso
> >>
> >>
> >>
> >> Currently the only benefit for enabling all options
> >>
> >>> scan_mime_parts = true;
> >>> scan_text_mime = true;
> >>> scan_image_mime = true;
> >> is when you use additional unofficial ClamAV sigs like Sanesecurity or
> >> SecuriteInfo
> >>
> >> Carsten
> >>
> >>
> >>
> >> On 09.11.18 15:31, Thomas Plant via Users wrote:
> >>> Thanks, for the answer.
> >>>
> >>> So, for a better understanding, if I set:
> >>>
> >>> scan_mime_parts = true;
> >>> scan_text_mime = true;
> >>> scan_image_mime = true;
> >>>
> >>> also all incoming mails are scanned?
> >>>
> >>>
> >>> Am 09.11.2018 um 15:12 schrieb Carsten Rosenberg:
> >>>> With scan_mime_parts = false; you tell rspamd to scan the complete
> >>>> mail.
> >>>>
> >>>> scan_text_mime = true; -> this setting is unused when scanning the
> >>>> complete mail.
> >>>>
> >>>> --
> >>>>
> >>>> Some examples:
> >>>>
> >>>> scan_mime_parts = true;
> >>>> scan_text_mime = false;
> >>>> scan_image_mime = false;
> >>>>
> >>>> -> Scan mime parts separately, but do not scan text or image parts.
> >>>>
> >>>> --
> >>>>
> >>>> scan_mime_parts = true;
> >>>> scan_text_mime = true;
> >>>> scan_image_mime = true;
> >>>>
> >>>> -> Scan mime parts separately and also scan text and image parts.
> >>>>
> >>>> --
> >>>>
> >>>> So your mail should have been scanned with your settings.
> >>>>
> >>>> Carsten
> >>>>
> >>>>
> >>>> On 09.11.18 14:32, Thomas Plant via Users wrote:
> >>>>> Hello,
> >>>>>
> >>>>> maybe it is because it's Friday and my mind is a little tired, but
> >>>>> I have a problem understanding these settings:
> >>>>>
> >>>>>     scan_mime_parts = false;
> >>>>>     scan_text_mime = true;
> >>>>>
> >>>>> Set this way, will every mail be scanned by the antivirus? Or do
> >>>>> other criteria exist for when to scan an incoming mail?
> >>>>>
> >>>>> This is because I had a mail with an '.iso' file attached which has
> >>>>> not been scanned by the antivirus. And it did not match the max_size
> >>>>> setting in the AV module; it was way less than the 10 MBytes I had
> >>>>> set as a limit.
> >>>>>
> >>>>> Sincerely,
> >>>>> Thomas
> >
> --
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users
>
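The thread above turns on three things: which unit the antivirus module hands to the engine (the whole raw mail versus each decoded MIME part, controlled by scan_mime_parts / scan_text_mime / scan_image_mime), the max_size cut-off, and the fact that verdicts are cached by the digest of the scanned unit, so a per-attachment digest survives a changed mail body while a whole-mail digest does not. The Python below is an added illustration of that logic and is not rspamd's code or any poster's; rspamd's real part classification and Redis cache are only approximated. The "scanner" is a deliberate stand-in that matches raw bytes without decoding transfer encodings, and the marker string and sample mails are constructed. That stand-in shows one mechanism by which a raw-mail scan can miss a base64-encoded .doc that an extracted-part scan catches; whether that is what Rob saw with Sophos is not established by the thread.

```python
"""Toy model of rspamd's antivirus part selection and digest cache.

Added example, not rspamd's code. The scanner is a byte-matching stand-in,
the marker is a constructed string (not EICAR, not real malware), and the
sample mails are built inline.
"""
import hashlib
from email import message_from_bytes
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed stand-in for an AV signature. Contains '-', which is outside the
# base64 alphabet, so it can never appear verbatim in a base64-encoded part.
MARKER = b"CONSTRUCTED-TEST-MARKER-NOT-REAL-MALWARE"


def toy_scanner(data: bytes) -> bool:
    """Stand-in engine: matches the exact bytes it is handed and does not
    unpack MIME or decode base64/quoted-printable on its own."""
    return MARKER in data


def build_message(body_text: str, attachment: bytes, filename: str = "invoice.doc") -> bytes:
    """Constructed sample mail: text/plain body plus a base64-encoded .doc part."""
    msg = MIMEMultipart("mixed")
    msg["From"] = "sender@example.invalid"      # assumed addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.attach(MIMEText(body_text, "plain"))
    doc = MIMEApplication(attachment, _subtype="msword")   # base64 by default
    doc.add_header("Content-Disposition", "attachment", filename=filename)
    msg.attach(doc)
    return msg.as_bytes()


def select_parts(raw: bytes, scan_mime_parts: bool, scan_text_mime: bool,
                 scan_image_mime: bool, max_size: int) -> list:
    """Approximation of the module's settings; returns (label, bytes) units.

    scan_mime_parts=False -> the whole raw mail is the single scan unit.
    scan_mime_parts=True  -> every leaf MIME part is a unit, transfer
                             encoding decoded; text/* and image/* parts are
                             included only when the matching flag is true.
    Units larger than max_size are skipped, as the max_size setting does.
    """
    if not scan_mime_parts:
        return [("whole mail", raw)] if len(raw) <= max_size else []
    msg: Message = message_from_bytes(raw)
    units = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        maintype = part.get_content_maintype()
        if maintype == "text" and not scan_text_mime:
            continue
        if maintype == "image" and not scan_image_mime:
            continue
        data = part.get_payload(decode=True) or b""
        if len(data) > max_size:
            continue
        units.append((part.get_filename() or part.get_content_type(), data))
    return units


def scan_mail(raw: bytes, cache: dict, scan_mime_parts: bool = True,
              scan_text_mime: bool = False, scan_image_mime: bool = False,
              max_size: int = 10 * 1024 * 1024) -> list:
    """Scan each selected unit once, keyed by the SHA-256 of the unit's bytes
    (rspamd keeps such verdicts in Redis; a dict stands in here)."""
    results = []
    for label, data in select_parts(raw, scan_mime_parts, scan_text_mime,
                                    scan_image_mime, max_size):
        digest = hashlib.sha256(data).hexdigest()
        cached = digest in cache
        if not cached:
            cache[digest] = toy_scanner(data)
        results.append({"unit": label, "digest": digest[:12],
                        "infected": cache[digest], "cached": cached})
    return results


def demo() -> dict:
    """Two mails with different body text carrying the same malicious .doc."""
    doc = b"\xd0\xcf\x11\xe0" + b"\x00" * 16 + MARKER + b"\x00" * 16   # OLE2 magic + marker, constructed
    mail1 = build_message("Please find the invoice attached.", doc)
    mail2 = build_message("Reminder: invoice attached, second notice.", doc)
    whole_cache, part_cache = {}, {}
    return {
        "whole_mail1": scan_mail(mail1, whole_cache, scan_mime_parts=False),
        "whole_mail2": scan_mail(mail2, whole_cache, scan_mime_parts=False),
        "parts_mail1": scan_mail(mail1, part_cache),
        "parts_mail2": scan_mail(mail2, part_cache),
    }


if __name__ == "__main__":
    for name, res in demo().items():
        print(name, res)
```

Running it shows the two behaviours the thread argues about: with scan_mime_parts = false the base64 blob is handed over undecoded and the stand-in engine misses it, and the second mail is a cache miss because its whole-mail digest differs; with scan_mime_parts = true and the text flag off only the decoded .doc is scanned, it is detected, and the second mail is a cache hit on the same attachment digest.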