[Rspamd-Users] Kaspersky as External Service

Carsten Rosenberg cr at ncxs.de
Wed Jul 24 12:06:27 UTC 2019


Hi,

currently we are only analyzing the ICAP Response headers, but not the
RESPMOD headers.

I have tried Kaspersky Web Traffic Security 6.0. This version had the
following ICAP response headers:

  X-Virus-ID: HEUR:Backdoor.Java.QRat.gen
  X-Response-Info: blocked

Maybe you can enable those somehow or there's another URL with more options.

--
Carsten

On 24.07.19 11:31, Rob Gunther wrote:
> I am trying to set up scanning against Kaspersky, as an external ICAP
> service.  Using RSPAMD v1.9.4
> 
> I can see RSPAMD is sending messages to the ICAP service and I can see
> Kaspersky scanning them.  Kaspersky IS identifying the messages as infected
> but the logs on RSPAMD always say the message was reported clean like this:
> 
> 2019-07-24 08:59:35 #4135(controller) <f2c8be>; lua; common.lua:36:
> kaspersky_icap (icap): message or mime_part is clean
> 
> What is RSPAMD looking for in the return?
> 
> I tested the connection to the ICAP service, from the RSPAMD server to
> simulate what may be going on, using an icap-client and here is what that
> returns when the same infected file is sent in:
> 
> ----------
> c-icap-client -v -i 192.168.60.128 -p 1344 -s av/reqmod -f /tmp/virus.eml
> -d 9
> ICAP server:192.168.60.128, ip:192.168.48.45, port:1344
> 
> Allocate a new entity of type 1
> Allocate a new entity of type 3
> Going to add 4 response headers
> Add resp header: HTTP/1.0 200 OK
> Add resp header: Date: Wed Jul 24 09:29:19 2019
> Add resp header: Last-Modified: Wed Jul 24 09:29:19 2019
> Add resp header: Content-Length: 18605
> Preview response was with status: 100
> Response was with status:200
> Get entity from trash....
> Get entity from trash....
> OK reading headers, going to read body
> <!DOCTYPE html>
> <html>
>     <head>
>         <meta charset="utf-8">
>         <title>Access Denied by Kaspersky Web Traffic Security</title>
>         <style rel="stylesheet" data-href="style.css">
>             html { font-family: sans-serif; font-size: 13px; min-height:
> 480px; min-width: 640px; }
>             body { margin: 0; text-align: center; }
>             .header { position: absolute; top: 0; left: 0; right: 0;
> height: 36px; line-height: 36px; vertical-align: middle; background-color:
> #d74747; color: #ffffff; }
>             .content-wrap { position: absolute; top: 36px; left: 0; right:
> 0; bottom: 0; margin-left: 63.5px; margin-right: 63.5px; }
>             .application { position: absolute; top: 0; height: 30%; left:
> 0; right: 0; }
>             .application h1 { position: absolute; bottom: 0; left: 0;
> right: 0; font-size: 19px; vertical-align: bottom; font-weight: normal; }
>             .content { position: absolute; height: 70%; bottom: 0; left: 0;
> right: 0; }
>             .text-macro a, .text-macro a:visited, .text-macro a:active {
> color: #006d5c; text-decoration: none; }
>             .description { position: absolute; top: 30%; left: 0; right: 0;
> }
>             .rule, .date { margin: 5px 0; }
>             .date { margin-bottom: 10px; }
>             .footer { color: #999999; position: absolute; bottom: 0; left:
> 0; right: 0; }
>         </style>
>     </head>
>     <body>
>         <div class="header">Access denied</div>
>         <div class="content-wrap">
>             <div class="application"><h1>Kaspersky Web Traffic
> Security</h1></div>
>             <div class="content"><div class="text-macro">
>     <p>The requested page cannot be provided</p>
>     <p>Address: <a></a></p>
>     <p class="description">The web resource is prohibited at the company.
> If you consider
>     the blocking to be mistaken or if you need to access this web resource,
>     contact the administrator of the local corporate network.</p>
> </div>
> 
> <div class="footer">
>     <p class="rule">Default Protection Rule</p>
>     <p class="date">2019-Jul-24 05:29:20 (GMT 2019-Jul-24 09:29:20)</p>
> </div>
> </div>
>         </div>
>     </body>
> </html>
> 
> ICAP HEADERS:
>         ICAP/1.0 200 OK
>         ISTag: "KWTS_2019-07-24_09"
>         Date: Wed, 24 Jul 2019 09:29:20 GMT
>         Server: KAV-ICAP-Server/8.0
>         X-ICAP-msg-id: x6O9TK185
>         Encapsulated: res-hdr=0, res-body=73
> 
> RESPMOD HEADERS:
>         HTTP/1.1 403 Forbidden
>         Content-Type: text/html
>         Content-Length: 2114
> 
> Done
> ----------
> 
> 
> So things seem to be working, but the reply that RSPAMD is getting is not
> something that it is identifying as an infection.
> 
> 
> Any ideas?
> 
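As an added illustration of Carsten's point (example code written for this archive page, not code from Rspamd or Kaspersky): a small Python parser that checks the ICAP-level X-Virus-ID / X-Response-Info headers first and, as an assumed fallback policy, then reads the encapsulated RESPMOD status that Rob's c-icap-client output shows. The three sample responses are constructed from the two outputs quoted in this thread plus a plain 204.

```python
import re


def _parse_headers(block: bytes) -> tuple:
    """Return (status code, lowercase-keyed headers) for an ICAP or HTTP header block."""
    lines = block.decode("ascii", "replace").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_icap_response(raw: bytes) -> dict:
    """Classify an ICAP RESPMOD reply as infected, blocked or clean."""
    icap_block, _, encapsulated = raw.partition(b"\r\n\r\n")
    icap_status, icap = _parse_headers(icap_block)
    # 1. ICAP-level verdict headers: the ones Rspamd inspects, per the thread.
    if "x-virus-id" in icap:
        return {"verdict": "infected", "reason": icap["x-virus-id"]}
    if icap.get("x-response-info", "").lower() == "blocked":
        return {"verdict": "blocked", "reason": "X-Response-Info: blocked"}
    # 2. Fallback (assumed policy): read the encapsulated HTTP status via the Encapsulated offsets.
    offsets = dict(re.findall(r"([a-z]+-(?:hdr|body))=(\d+)", icap.get("encapsulated", "")))
    if "res-hdr" in offsets:
        http_block = encapsulated[int(offsets["res-hdr"]):].partition(b"\r\n\r\n")[0]
        http_status, _ = _parse_headers(http_block)
        if http_status == 403:
            return {"verdict": "blocked", "reason": f"encapsulated HTTP {http_status}"}
    return {"verdict": "clean", "reason": f"ICAP {icap_status}, no verdict headers"}


# Constructed samples modelled on the two replies quoted in this thread.
BLOCK_PAGE_ONLY = (  # like Rob's c-icap-client output: verdict only in RESPMOD headers
    b"ICAP/1.0 200 OK\r\nISTag: \"KWTS_2019-07-24_09\"\r\n"
    b"Server: KAV-ICAP-Server/8.0\r\nEncapsulated: res-hdr=0, res-body=73\r\n\r\n"
    b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\nContent-Length: 2114\r\n\r\n"
    b"<html>block page</html>"
)
VIRUS_HEADERS = (  # like Carsten's KWTS 6.0 output: verdict in the ICAP headers
    b"ICAP/1.0 200 OK\r\nX-Virus-ID: HEUR:Backdoor.Java.QRat.gen\r\n"
    b"X-Response-Info: blocked\r\nEncapsulated: null-body=0\r\n\r\n"
)
CLEAN = b"ICAP/1.0 204 No Content\r\nEncapsulated: null-body=0\r\n\r\n"

if __name__ == "__main__":
    for sample in (BLOCK_PAGE_ONLY, VIRUS_HEADERS, CLEAN):
        print(classify_icap_response(sample))
```

Run against Rob's style of reply the first branch finds nothing, which is exactly why Rspamd logs the message as clean; only the fallback on the encapsulated 403 flags it.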

