[Rspamd-Users] Doubt on Antivirus settings

Carsten Rosenberg cr at ncxs.de
Thu Nov 15 09:58:34 UTC 2018


There are several options for the savdi daemon. On the Sophos website
you can download several documents with the documentation.

Here attached is my current config. Maybe anyone has some time to figure
out which are really helpful in production.

Those options should also exist for savscan, because savdi is just a
wrapper.

Carsten

--

scanner {

        type: SAVI
        inprocess: YES
        maxscantime: 5
        maxrequesttime: 10

        # report file type
        #enabletft: "YES"

        #Some SAVI/Engine options

          # Any option that is part of a group is also included in this group.
        savigrp: GrpSuper 1
          # All archive and compressed archive file formats (e.g. ZIP, UUE, etc).
        savigrp: GrpArchiveUnpack 1
          # All “clean” file formats.
        savigrp: GrpClean 1
          # Executable files.
        savigrp: GrpExecutable 1
          # File formats commonly in use on the internet.
        savigrp: GrpInternet 1
          # File formats that do not fall into any of the above categories.
        savigrp: GrpMisc 1
          # Office suite file formats from Microsoft and other supported vendors.
        savigrp: GrpMSOffice 1
          # File formats that contain an executable stub that
          # automatically decompresses the body of the file.
        savigrp: GrpSelfExtract 1
          # Compression formats commonly used in HTTP and supported by web browsers.
        savigrp: GrpWebArchive 1
          # HTML encoding schemes commonly used in web pages.
        savigrp: GrpWebEncoding 1
          # Enables or disables disinfection of all files for which
          # disinfection is supported.
        savigrp: GrpDisinfect 0

        savists: ProductCLI 1
        savists: ProductDesktop 1
        savists: ProductGateway 1
        savists: ProductMobile 1
        savists: ProductUnspecified 1
        savists: ProductWeb 1
        savists: Base64 1
        savists: Bzip2 1
        savists: EnableAutoStop 1
        savists: ITSS 1
        #savists: Mime 1
        savists: MSCabinet 1
        savists: MSCompress 1
        savists: Msi 1
        savists: StrictPdf 1
        savists: StrongPdf 1
        savists: Xml 1
        savists: TnefAttachmentHandling 1
        savists: TnefEmbedHandling 1
        #savists: TrueFileTypeDetection 1
        savists: GzipDecompression 1
        savists: TarDecompression 1
        savists: RarDecompression 1
        savists: ArjDecompression 1
        savists: ZipDecompression 1
}



On 15.11.18 10:33, Rob Gunther wrote:
> Today I conducted a few more tests.
> 
> If I add the three preferences to the Sophos configuration:
> 
> scan_mime_parts = true;
> scan_text_mime = false;
> scan_image_mime = false;
> 
> The system WILL be able to detect a large number of messages.
> 
> I suspect that Sophos is supposed to be decoding the attachments, as it can
> extract PDF documents and scan them successfully from a raw message.
> 
> Having RSPAMD extract the mime parts and send them in individually,
> Sophos does perform better.
> 
> I even found some sample viruses that when uploaded in the raw message
> format to VirusTotal, Sophos can't detect the infections.  Seems to me
> Sophos has a serious problem with their detection.
> 
> Hopefully, this information will help RSPAMD users who are scanning with
> Sophos: even though your system may be catching some messages, it would be
> catching more if you have RSPAMD submit the mime parts.

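An added illustration of the part-selection behaviour Rob describes (scan_mime_parts, scan_text_mime, scan_image_mime); this is not rspamd's own code, the scanner hand-off is only modelled as a returned list, and the three-part sample message is constructed here.

```python
# Added illustration (not rspamd's code): model what the antivirus module hands
# to the scanner under scan_mime_parts = true, scan_text_mime = false and
# scan_image_mime = false, i.e. each decoded attachment rather than the raw
# message. The sample message is constructed; no real scanner is contacted.
from email import message_from_bytes, policy
from email.message import EmailMessage

def parts_to_scan(raw, scan_mime_parts=True, scan_text_mime=False, scan_image_mime=False):
    """Return (content_type, filename, bytes) tuples the scanner should receive."""
    if not scan_mime_parts:
        # raw-message mode: the scanner gets the whole RFC 822 message, still
        # base64/quoted-printable encoded, and must decode attachments itself
        return [("message/rfc822", None, raw)]
    msg = message_from_bytes(raw, policy=policy.default)
    selected = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no payload of their own
        ctype = part.get_content_type()
        if ctype.startswith("text/") and not scan_text_mime:
            continue                      # text parts skipped (scan_text_mime = false)
        if ctype.startswith("image/") and not scan_image_mime:
            continue                      # image parts skipped (scan_image_mime = false)
        # decode=True undoes the transfer encoding, so the scanner sees file bytes
        selected.append((ctype, part.get_filename(), part.get_payload(decode=True)))
    return selected

def build_sample_message():
    """Constructed three-part message: text body, inline PNG, PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("hello, see attached")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                       maintype="image", subtype="png", filename="logo.png")
    msg.add_attachment(b"%PDF-1.4\n%constructed sample, not a real document\n",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for ctype, name, data in parts_to_scan(build_sample_message()):
        print(f"{ctype:20} {name!s:12} {len(data):4d} bytes -> scanner")
```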