[Rspamd-Users] Doubt on Antivirus settings

Thomas Plant thomas at plant.systems
Wed Nov 14 08:29:31 UTC 2018


Hello,

It seems to me that Sophos does not decode the email by itself as, e.g.,
Clamav does.
But I think setting 'antivirus.conf' to what Mr. Rosenberg wrote in the
previous post, i.e.

scan_mime_parts = true;
scan_text_mime = false;
scan_image_mime = false;

should decode the attachment and pass it to your Sophos for scanning....

Greetings,
Thomas

On 14.11.2018 at 08:43, Rob Gunther wrote:
> This is a very interesting conversation, as I am working on an issue with
> Sophos right now.
>
> In my antivirus.conf, I have not included any scan_mime_parts,
> scan_text_mime, scan_image_mime at all.  So according to the docs it is
> just sending the entire message to Sophos for scanning.
>
> This is where a problem comes in.
>
> I have noticed that when feeding a raw message to Sophos (via SSSP), the
> scanning results are not very good.
>
> It will detect viruses in messages if they are in attached .PDF
> documents and it will find viruses in attached .HTML documents.
>
> However, it does not detect viruses in .doc files.
>
> If I take an email file with an attachment that is a .doc with a virus in
> it and pass it through RSPAMD, it will not be detected.  Even if I put the
> email file on disk and request Sophos to scan it using their
> on-demand scanner (savscan) it will not find it.
>
> I must extract the .doc file from the message, then have Sophos scan it and
> the virus will be found.
>
>
> On Sat, Nov 10, 2018 at 12:14 AM Carsten Rosenberg <cr at ncxs.de> wrote:
>
>> Sanesecurity & Co will probably also detect threats in complete mails.
>> But you will store the digest of the complete mail.
>>
>> When thinking about bad attachments and changing mail text, these will
>> not be recognized from cache, because the mails w/ changing texts will
>> have different digests.
>>
>> If you only want to scan attachments and save these digests you will be
>> fine with
>>
>>> scan_mime_parts = true;
>>> scan_text_mime = false;
>>> scan_image_mime = false;
>> Because many AVs will not detect threats in the text parts.
>>
>> But when using Sanesecurity & Co you will detect bad attachments (e.g.
>> .exe) and also threats inside the text mime parts or even images
>> (SecuriteInfo sigs). So you maybe want to scan every single mime-part
>> separately. This is my use-case.
>>
>> You are right - scan_mime_parts = false; will scan the mail only once;
>> with everything true there will be a new scan for every mime part.
>>
>> It's up to you to decide whether the higher CPU usage and longer scan time
>> work for you.
>>
>> Carsten
>>
>> On 09.11.18 16:44, Thomas Plant wrote:
>>> We do have installed the unofficial Signatures from Sanesecurity.
>>>
>>> So, setting 'scan_mime_parts = false;' and having 'ScanMail=yes' in
>>> Clamav Daemon would scan the entire mail and use the Sanesecurity
>>> Signatures?
>>>
>>> It is the same as setting:
>>> scan_mime_parts = true;
>>>      scan_text_mime = true;
>>>      scan_image_mime = true;
>>>
>>> But not doing three calls to the clamav daemon? Or am I completely
>>> misguided?
>>>
>>>
>>> On 09.11.2018 at 15:38, Carsten Rosenberg wrote:
>>>> Every mail is being scanned, when there is no cached result.
>>>>
>>>> The only question is whether the complete mail or only parts (maybe
>>>> attachments like .exe, .docx, .iso) are scanned.
>>>>
>>>>
>>>> Set
>>>>
>>>> scan_mime_parts = false;
>>>>
>>>> or scan just non-text, non-image parts
>>>>
>>>>>> scan_mime_parts = true;
>>>>>> scan_text_mime = false;
>>>>>> scan_image_mime = false;
>>>> when you have a default ClamAV, Sophos or Avira. This setting would also
>>>> scan your .iso
>>>>
>>>>
>>>>
>>>> Currently the only benefit for enabling all options
>>>>
>>>>> scan_mime_parts = true;
>>>>> scan_text_mime = true;
>>>>> scan_image_mime = true;
>>>> is when you use additional unofficial ClamAV sigs like Sanesecurity or
>>>> SecuriteInfo
>>>>
>>>> Carsten
>>>>
>>>>
>>>>
>>>> On 09.11.18 15:31, Thomas Plant via Users wrote:
>>>>> Thanks, for the answer.
>>>>>
>>>>> So, for a better understanding, if I set:
>>>>>
>>>>> scan_mime_parts = true;
>>>>> scan_text_mime = true;
>>>>> scan_image_mime = true;
>>>>>
>>>>> also all incoming mails are scanned?
>>>>>
>>>>>
>>>>> On 09.11.2018 at 15:12, Carsten Rosenberg wrote:
>>>>>> With scan_mime_parts = false; you tell rspamd to scan the complete
>>>>>> mail.
>>>>>>
>>>>>> scan_text_mime = true; -> this setting is unused when scanning the
>>>>>> complete mail.
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Some examples:
>>>>>>
>>>>>> scan_mime_parts = true;
>>>>>> scan_text_mime = false;
>>>>>> scan_image_mime = false;
>>>>>>
>>>>>> -> Scan mime parts separately, but do not scan Text or Image parts.
>>>>>>
>>>>>> --
>>>>>>
>>>>>> scan_mime_parts = true;
>>>>>> scan_text_mime = true;
>>>>>> scan_image_mime = true;
>>>>>>
>>>>>> -> Scan mime parts separately and also scan Text and Image parts.
>>>>>>
>>>>>> --
>>>>>>
>>>>>> So your mail should have been scanned with your settings.
>>>>>>
>>>>>> Carsten
>>>>>>
>>>>>>
>>>>>> On 09.11.18 14:32, Thomas Plant via Users wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> maybe it is because it's Friday and my mind is a little tired but I
>>>>>>> have a problem understanding these settings:
>>>>>>>
>>>>>>>      scan_mime_parts = false;
>>>>>>>      scan_text_mime = true;
>>>>>>>
>>>>>>> Set this way, will this cause every mail to be scanned by the
>>>>>>> antivirus? Or do other criteria exist for when to scan an incoming
>>>>>>> mail?
>>>>>>>
>>>>>>> This is because I had a mail with an '.iso' file attached which has
>>>>>>> not been scanned by the antivirus. And it did not match the max_size
>>>>>>> setting in the AV module; it was way less than the 10 Mbytes I had
>>>>>>> set as a limit.
>>>>>>>
>>>>>>> Sincerely,
>>>>>>> Thomas
>> --
>> Users mailing list
>> Users at lists.rspamd.com
>> https://lists.rspamd.com/mailman/listinfo/users
>>
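The effect the thread keeps circling back to (a raw message handed to an engine that does not MIME-decode on its own, versus rspamd decoding each part and sending the parts separately) is easy to reproduce without a real scanner. The Python below is an added example for this archive page; it is not rspamd's code and not anything the participants posted. It mirrors the three antivirus.conf knobs discussed (scan_mime_parts, scan_text_mime, scan_image_mime) plus max_size on a constructed sample mail whose .doc attachment carries a made-up marker string. The "engine" is a plain substring matcher standing in for Sophos or ClamAV, the marker is invented for the example (it is not EICAR or any real signature), and whether rspamd applies max_size per part or per message is assumed here to be per item handed to the engine, not verified against rspamd's source.

```python
"""Toy re-creation of the rspamd antivirus part-selection logic from the thread.

Added example, not rspamd code and not posted by any thread participant.
A scanner that does not decode MIME itself (the Sophos/SSSP behaviour Rob
Gunther describes) misses a payload inside a base64 attachment when given the
raw message, but finds it when each MIME part is decoded and scanned on its
own (scan_mime_parts = true). The engine below is a byte-substring matcher
standing in for the real AV; TOY_SIGNATURE is a constructed marker.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed marker the toy engine "detects"; unrelated to any real malware.
TOY_SIGNATURE = b"CONSTRUCTED-MALICIOUS-MACRO-MARKER"


def toy_engine(data: bytes) -> bool:
    """Stand-in for a non-decoding AV: raw byte search, no MIME/base64 handling."""
    return TOY_SIGNATURE in data


def select_parts(msg, raw, scan_mime_parts, scan_text_mime, scan_image_mime, max_size):
    """Mirror the antivirus.conf knobs discussed in the thread.

    scan_mime_parts = false -> one scan of the whole raw message.
    scan_mime_parts = true  -> one scan per leaf MIME part, decoded; text/* only
                               if scan_text_mime, image/* only if scan_image_mime.
    max_size is applied to each item handed to the engine (assumption made here).
    Returns (label, bytes) pairs in scan order.
    """
    if not scan_mime_parts:
        return [("whole-message", raw)] if len(raw) <= max_size else []

    selected = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers carry no payload of their own
        maintype = part.get_content_maintype()
        if maintype == "text" and not scan_text_mime:
            continue
        if maintype == "image" and not scan_image_mime:
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64 / QP
        if len(payload) > max_size:
            continue
        selected.append((part.get_filename() or part.get_content_type(), payload))
    return selected


def scan_raw_mail(raw: bytes, **settings) -> list:
    """Parse a raw message and return labels of the items the toy engine flags."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [label for label, data in select_parts(msg, raw, **settings) if toy_engine(data)]


def build_sample_mail() -> bytes:
    """Constructed sample: text body plus a base64 .doc attachment with the marker."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached document.")
    # Fake OLE magic plus padding around the marker; bytes only, not a real document.
    doc_bytes = b"\xd0\xcf\x11\xe0" + b"\x00" * 16 + TOY_SIGNATURE + b"\x00" * 16
    msg.add_attachment(doc_bytes, maintype="application", subtype="msword",
                       filename="invoice.doc")  # bytes content is base64-encoded
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_mail()
    ten_mb = 10 * 1024 * 1024
    whole = dict(scan_mime_parts=False, scan_text_mime=True, scan_image_mime=True, max_size=ten_mb)
    parts = dict(scan_mime_parts=True, scan_text_mime=False, scan_image_mime=False, max_size=ten_mb)
    print("marker literally present in raw mail:", toy_engine(raw))            # False
    print("scan_mime_parts = false ->", scan_raw_mail(raw, **whole))            # []
    print("scan_mime_parts = true  ->", scan_raw_mail(raw, **parts))            # ['invoice.doc']
    print("same, max_size = 32     ->", scan_raw_mail(raw, **dict(parts, max_size=32)))  # []
```

The last line is the max_size caveat from the opening question: a part over the limit is silently skipped, so a "not scanned" attachment can be either a whole-message scan that never decoded it or a part that exceeded max_size, and the two look the same from the outside.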


