[Rspamd-Users] Doubt on Antivirus settings

Rob Gunther redrob at gmail.com
Thu Nov 15 09:33:15 UTC 2018


Today I conducted a few more tests.

If I add the three preferences to the Sophos configuration:

scan_mime_parts = true;
scan_text_mime = false;
scan_image_mime = false;

The system WILL be able to detect a large number of messages.

I suspect that Sophos is supposed to be decoding the attachments, as it can
extract PDF documents and scan them successfully from a raw message.

Having RSPAMD extract the mime parts and send them in individually,
Sophos does perform better.

I even found some sample viruses where, when the raw message is uploaded to
VirusTotal, Sophos can't detect the infections.  Seems to me Sophos has a
serious problem with their detection.

Hopefully, this information will help RSPAMD users who are scanning with
Sophos: even though your system may be catching some messages, it would be
catching more if you had RSPAMD submit the mime parts.



On Wed, Nov 14, 2018 at 4:29 PM Thomas Plant via Users <
users at lists.rspamd.com> wrote:

> Hello,
>
> seems to me that Sophos does not decode the email by itself as e.g.
> Clamav does.
> But I think setting 'antivirus.conf' as Mr. Rosenberg wrote in the previous
> post, to
>
> scan_mime_parts = true;
> scan_text_mime = false;
> scan_image_mime = false;
>
> should decode the attachment and pass it to your Sophos for scanning....
>
> Greetings,
> Thomas
>
> On 14.11.2018 at 08:43, Rob Gunther wrote:
> > This is a very interesting conversation, as I am working on an issue with
> > Sophos right now.
> >
> > In my antivirus.conf, I have not included any scan_mime_parts,
> > scan_text_mime, scan_image_mime at all.  So according to the docs it is
> > just sending the entire message to Sophos for scanning.
> >
> > This is where a problem comes in.
> >
> > I have noticed that when feeding a raw message to Sophos (via SSSP), the
> > scanning results are not very good.
> >
> > It will detect viruses in messages if they are in attached .PDF
> > documents, and it will find viruses in attached .HTML documents.
> >
> > However, it does not detect viruses in .doc files.
> >
> > If I take an email file with an attachment that is a .doc with a virus in
> > it and pass it through RSPAMD, it will not be detected.  Even if I put the
> > email file on disk and request Sophos to scan it using their
> > on-demand scanner (savscan), it will not find it.
> >
> > I must extract the .doc file from the message, then have Sophos scan it,
> > and the virus will be found.
> >
> >
> >
> >
> >
> > On Sat, Nov 10, 2018 at 12:14 AM Carsten Rosenberg <cr at ncxs.de> wrote:
> >
> >> Sanesecurity & Co will probably also detect threats in complete mails.
> >> But you will store the digest of the complete mail.
> >>
> >> When thinking about bad attachments and changing mail text, these will
> >> not be recognized from cache, because the mails w/ changing texts will
> >> have different digests.
> >>
> >> If you only want to scan attachments and save these digests you will be
> >> fine with
> >>
> >>> scan_mime_parts = true;
> >>> scan_text_mime = false;
> >>> scan_image_mime = false;
> >> Because many AVs will not detect threats in the text parts.
> >>
> >> But when using Sanesecurity & Co you will detect bad attachments (e.g.
> >> .exe) and also threats inside the text mime parts or even images
> >> (SecuriteInfo sigs). So you maybe want to scan every single mime-part
> >> separately. This is my use-case.
> >>
> >> You are right - scan_mime_parts = false; will scan the mail only once;
> >> with everything true there will be a new scan for every mime part.
> >>
> >> It's on you to decide whether the higher CPU usage and longer scan time
> >> are working for you.
> >>
> >> Carsten
> >>
> >> On 09.11.18 16:44, Thomas Plant wrote:
> >>> We do have installed the unofficial Signatures from Sanesecurity.
> >>>
> >>> So, setting 'scan_mime_parts = false;' and having 'ScanMail=yes' in
> >>> Clamav Daemon would scan the entire mail and use the Sanesecurity
> >>> Signatures?
> >>>
> >>> It is the same as setting:
> >>> scan_mime_parts = true;
> >>> scan_text_mime = true;
> >>> scan_image_mime = true;
> >>>
> >>> But not doing three calls to the clamav daemon? Or am I completely
> >>> misguided?
> >>>
> >>>
> >>> On 09.11.2018 at 15:38, Carsten Rosenberg wrote:
> >>>> Every mail is being scanned, when there is no cached result.
> >>>>
> >>>> The only question is whether the complete mail or only parts (maybe
> >>>> attachments like .exe, .docx, .iso) will be.
> >>>>
> >>>>
> >>>> Set
> >>>>
> >>>> scan_mime_parts = false;
> >>>>
> >>>> or scan just non-text, non-image parts
> >>>>
> >>>>>> scan_mime_parts = true;
> >>>>>> scan_text_mime = false;
> >>>>>> scan_image_mime = false;
> >>>> when you have a default ClamAV, Sophos or Avira. This setting would
> >>>> also scan your .iso
> >>>>
> >>>>
> >>>>
> >>>> Currently the only benefit for enabling all options
> >>>>
> >>>>> scan_mime_parts = true;
> >>>>> scan_text_mime = true;
> >>>>> scan_image_mime = true;
> >>>> is when you use additional unofficial ClamAV sigs like Sanesecurity or
> >>>> SecuriteInfo
> >>>>
> >>>> Carsten
> >>>>
> >>>>
> >>>>
> >>>> On 09.11.18 15:31, Thomas Plant via Users wrote:
> >>>>> Thanks, for the answer.
> >>>>>
> >>>>> So, for a better understanding, if I set:
> >>>>>
> >>>>> scan_mime_parts = true;
> >>>>> scan_text_mime = true;
> >>>>> scan_image_mime = true;
> >>>>>
> >>>>> also all incoming mails are scanned?
> >>>>>
> >>>>>
> >>>>> On 09.11.2018 at 15:12, Carsten Rosenberg wrote:
> >>>>>> With scan_mime_parts = false; you tell rspamd to scan the complete
> >>>>>> mail.
> >>>>>>
> >>>>>> scan_text_mime = true; -> this setting is unused when scanning the
> >>>>>> complete mail.
> >>>>>>
> >>>>>> --
> >>>>>>
> >>>>>> Some examples:
> >>>>>>
> >>>>>> scan_mime_parts = true;
> >>>>>> scan_text_mime = false;
> >>>>>> scan_image_mime = false;
> >>>>>>
> >>>>>> -> Scan mime parts separately, but do not scan Text or Image Parts.
> >>>>>>
> >>>>>> --
> >>>>>>
> >>>>>> scan_mime_parts = true;
> >>>>>> scan_text_mime = true;
> >>>>>> scan_image_mime = true;
> >>>>>>
> >>>>>> -> Scan mime parts separately and also scan Text and Image parts.
> >>>>>>
> >>>>>> --
> >>>>>>
> >>>>>> So your mail should have been scanned with your settings.
> >>>>>>
> >>>>>> Carsten
> >>>>>>
> >>>>>>
> >>>>>> On 09.11.18 14:32, Thomas Plant via Users wrote:
> >>>>>>> Hello,
> >>>>>>>
> >>>>>>> maybe it is because it's Friday and my mind is a little tired, but I
> >>>>>>> have a problem understanding these settings:
> >>>>>>>
> >>>>>>>      scan_mime_parts = false;
> >>>>>>>      scan_text_mime = true;
> >>>>>>>
> >>>>>>> set this way, will cause every mail to be scanned by the
> >>>>>>> antivirus? Or do other criteria exist for when to scan an incoming
> >>>>>>> mail?
> >>>>>>>
> >>>>>>> This is because I had a mail with an '.iso' file attached which has
> >>>>>>> not been scanned by the antivirus. And it did not match the max_size
> >>>>>>> setting in the AV module; it was way less than the 10 Mbytes I had set
> >>>>>>> as a limit.
> >>>>>>>
> >>>>>>> Sincerely,
> >>>>>>> Thomas
> >> --
> >> Users mailing list
> >> Users at lists.rspamd.com
> >> https://lists.rspamd.com/mailman/listinfo/users
> >>
>
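The thread turns on two behaviours of rspamd's antivirus module: which units are handed to the scanner under each combination of scan_mime_parts / scan_text_mime / scan_image_mime, and why the cached digest of a whole mail misses a repeated attachment when the surrounding text changes. The following Python model is an added illustration written from the thread's description, not rspamd's own Lua module or its Redis cache: the selection rules, the per-unit SHA-256 cache key, and the sample mail (a text body, a .doc attachment and a PNG) are assumptions chosen to reproduce the behaviour the posters describe.

```python
"""Model of rspamd antivirus part selection and cache keys (added example).

Assumptions, not rspamd's code: with scan_mime_parts = false the raw message
is one scan unit; with it true, each leaf MIME part is a unit, and text/*
and image/* parts are dropped unless scan_text_mime / scan_image_mime are
true. Each unit's cache key is modelled as the SHA-256 of the bytes scanned.
"""

import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def build_sample(body_text: str) -> bytes:
    """Constructed sample mail: a text body, a .doc attachment and an image."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "rcpt@example.test"
    msg["Subject"] = "Constructed sample"
    msg.set_content(body_text)
    msg.add_attachment(b"CONSTRUCTED-DOC-PAYLOAD", maintype="application",
                       subtype="msword", filename="invoice.doc")
    msg.add_attachment(b"CONSTRUCTED-PNG-BYTES", maintype="image",
                       subtype="png", filename="logo.png")
    return msg.as_bytes()


def select_scan_units(raw: bytes, scan_mime_parts: bool,
                      scan_text_mime: bool, scan_image_mime: bool):
    """Return the list of (label, bytes) units that would go to the scanner."""
    if not scan_mime_parts:
        # Whole message submitted once; the text/image flags are unused here.
        return [("message", raw)]
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    units = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        maintype = part.get_content_maintype()
        if maintype == "text" and not scan_text_mime:
            continue
        if maintype == "image" and not scan_image_mime:
            continue
        label = part.get_filename() or part.get_content_type()
        # decode=True strips the transfer encoding, so the scanner (and the
        # cache key) sees the attachment bytes, not their base64 form.
        units.append((label, part.get_payload(decode=True)))
    return units


def cache_keys(units):
    """One digest per scan unit; the model of what a result cache would key on."""
    return {label: hashlib.sha256(data).hexdigest() for label, data in units}


def demo():
    """Same attachment, different body text: compare whole-mail vs per-part keys."""
    a = build_sample("Please see attached.")
    b = build_sample("Reminder: see the attached invoice.")
    whole_a = cache_keys(select_scan_units(a, False, True, True))
    whole_b = cache_keys(select_scan_units(b, False, True, True))
    parts_a = cache_keys(select_scan_units(a, True, False, False))
    parts_b = cache_keys(select_scan_units(b, True, False, False))
    return {
        # Whole-mail scanning: changed text means a new digest, so no cache hit.
        "whole_mail_digest_differs": whole_a["message"] != whole_b["message"],
        # Per-part scanning: the .doc bytes are identical, so its key repeats.
        "attachment_digest_same": parts_a["invoice.doc"] == parts_b["invoice.doc"],
        "parts_submitted_attachments_only": sorted(parts_a),
        "parts_submitted_all": sorted(cache_keys(select_scan_units(a, True, True, True))),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the attachments-only setting (true/false/false) submits just invoice.doc, the all-true setting submits the text part, the .doc and the image as three separate units, and only the per-part keys stay stable when the body text changes, which is the cache behaviour Carsten describes.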

