[Rspamd-Users] Kaspersky as External Service
Rob Gunther
redrob at gmail.com
Wed Jul 24 09:31:53 UTC 2019
I am trying to setup scanning against Kaspersky, as an external ICAP
service. Using RSPAMD v1.9.4
I can see RSPAMD is sending messages to the ICAP service and I can see
Kaspersky scanning them. Kaspersky IS identifying the messages as infected
but the logs on RSPAMD always say the message was reported clean like this:
2019-07-24 08:59:35 #4135(controller) <f2c8be>; lua; common.lua:36:
kaspersky_icap (icap): message or mime_part is clean
What is RSPAMD looking for in the return?
I tested the connection to the ICAP service, from the RSPAMD server to
simulate what may be going on, using an icap-client and here is what that
returns when the same infected file is sent in:
----------
c-icap-client -v -i 192.168.60.128 -p 1344 -s av/reqmod -f /tmp/virus.eml
-d 9
ICAP server:192.168.60.128, ip:192.168.48.45, port:1344
Allocate a new entity of type 1
Allocate a new entity of type 3
Going to add 4 response headers
Add resp header: HTTP/1.0 200 OK
Add resp header: Date: Wed Jul 24 09:29:19 2019
Add resp header: Last-Modified: Wed Jul 24 09:29:19 2019
Add resp header: Content-Length: 18605
Preview response was with status: 100
Response was with status:200
Get entity from trash....
Get entity from trash....
OK reading headers, going to read body
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Access Denied by Kaspersky Web Traffic Security</title>
<style rel="stylesheet" data-href="style.css">
html { font-family: sans-serif; font-size: 13px; min-height:
480px; min-width: 640px; }
body { margin: 0; text-align: center; }
.header { position: absolute; top: 0; left: 0; right: 0;
height: 36px; line-height: 36px; vertical-align: middle; background-color:
#d74747; color: #ffffff; }
.content-wrap { position: absolute; top: 36px; left: 0; right:
0; bottom: 0; margin-left: 63.5px; margin-right: 63.5px; }
.application { position: absolute; top: 0; height: 30%; left:
0; right: 0; }
.application h1 { position: absolute; bottom: 0; left: 0;
right: 0; font-size: 19px; vertical-align: bottom; font-weight: normal; }
.content { position: absolute; height: 70%; bottom: 0; left: 0;
right: 0; }
.text-macro a, .text-macro a:visited, .text-macro a:active {
color: #006d5c; text-decoration: none; }
.description { position: absolute; top: 30%; left: 0; right: 0;
}
.rule, .date { margin: 5px 0; }
.date { margin-bottom: 10px; }
.footer { color: #999999; position: absolute; bottom: 0; left:
0; right: 0; }
</style>
</head>
<body>
<div class="header">Access denied</div>
<div class="content-wrap">
<div class="application"><h1>Kaspersky Web Traffic
Security</h1></div>
<div class="content"><div class="text-macro">
<p>The requested page cannot be provided</p>
<p>Address: <a></a></p>
<p class="description">The web resource is prohibited at the company.
If you consider
the blocking to be mistaken or if you need to access this web resource,
contact the administrator of the local corporate network.</p>
</div>
<div class="footer">
<p class="rule">Default Protection Rule</p>
<p class="date">2019-Jul-24 05:29:20 (GMT 2019-Jul-24 09:29:20)</p>
</div>
</div>
</div>
</body>
</html>
ICAP HEADERS:
ICAP/1.0 200 OK
ISTag: "KWTS_2019-07-24_09"
Date: Wed, 24 Jul 2019 09:29:20 GMT
Server: KAV-ICAP-Server/8.0
X-ICAP-msg-id: x6O9TK185
Encapsulated: res-hdr=0, res-body=73
RESPMOD HEADERS:
HTTP/1.1 403 Forbidden
Content-Type: text/html
Content-Length: 2114
Done
----------
So things seem to be working, but the reply that RSPAMD is getting is not
something that it is identifying as an infection.
Any ideas?
More information about the Users
mailing list