[Rspamd-Users] Kaspersky as External Service

Rob Gunther redrob at gmail.com
Wed Jul 24 12:51:17 UTC 2019


I am using Kaspersky Web Traffic Security 6, which from what I can tell is
the only product that supports ICAP.

Carsten's comments were interesting.

I started digging around and found that the old version 5.5 had a config
file with the following option, but I can't find that for version 6
anywhere yet.

#
#  If set, then the following information is added into ICAP response:
#  X-Virus-ID,X-Response-Info
#
SendAVScanResult=true


On Wed, Jul 24, 2019 at 8:43 PM Durga Prasad Malyala <dp.malyala at gmail.com> wrote:

> On Wed, Jul 24, 2019, 15:21 Rob Gunther <redrob at gmail.com> wrote:
>
> > I am trying to setup scanning against Kaspersky, as an external ICAP
> > service.  Using RSPAMD v1.9.4
> >
> > I can see RSPAMD is sending messages to the ICAP service and I can see
> > Kaspersky scanning them.  Kaspersky IS identifying the messages as
> > infected, but the logs on RSPAMD always say the message was reported clean,
> > like this:
> >
> > 2019-07-24 08:59:35 #4135(controller) <f2c8be>; lua; common.lua:36:
> > kaspersky_icap (icap): message or mime_part is clean
> >
> > What is RSPAMD looking for in the return?
> >
> > I tested the connection to the ICAP service, from the RSPAMD server to
> > simulate what may be going on, using an icap-client and here is what that
> > returns when the same infected file is sent in:
> >
> > ----------
> > c-icap-client -v -i 192.168.60.128 -p 1344 -s av/reqmod -f /tmp/virus.eml -d 9
> > ICAP server:192.168.60.128, ip:192.168.48.45, port:1344
> >
> > Allocate a new entity of type 1
> > Allocate a new entity of type 3
> > Going to add 4 response headers
> > Add resp header: HTTP/1.0 200 OK
> > Add resp header: Date: Wed Jul 24 09:29:19 2019
> > Add resp header: Last-Modified: Wed Jul 24 09:29:19 2019
> > Add resp header: Content-Length: 18605
> > Preview response was with status: 100
> > Response was with status:200
> > Get entity from trash....
> > Get entity from trash....
> > OK reading headers, going to read body
> > <!DOCTYPE html>
> > <html>
> >     <head>
> >         <meta charset="utf-8">
> >         <title>Access Denied by Kaspersky Web Traffic Security</title>
> >         <style rel="stylesheet" data-href="style.css">
> >             html { font-family: sans-serif; font-size: 13px; min-height: 480px; min-width: 640px; }
> >             body { margin: 0; text-align: center; }
> >             .header { position: absolute; top: 0; left: 0; right: 0; height: 36px; line-height: 36px; vertical-align: middle; background-color: #d74747; color: #ffffff; }
> >             .content-wrap { position: absolute; top: 36px; left: 0; right: 0; bottom: 0; margin-left: 63.5px; margin-right: 63.5px; }
> >             .application { position: absolute; top: 0; height: 30%; left: 0; right: 0; }
> >             .application h1 { position: absolute; bottom: 0; left: 0; right: 0; font-size: 19px; vertical-align: bottom; font-weight: normal; }
> >             .content { position: absolute; height: 70%; bottom: 0; left: 0; right: 0; }
> >             .text-macro a, .text-macro a:visited, .text-macro a:active { color: #006d5c; text-decoration: none; }
> >             .description { position: absolute; top: 30%; left: 0; right: 0; }
> >             .rule, .date { margin: 5px 0; }
> >             .date { margin-bottom: 10px; }
> >             .footer { color: #999999; position: absolute; bottom: 0; left: 0; right: 0; }
> >         </style>
> >     </head>
> >     <body>
> >         <div class="header">Access denied</div>
> >         <div class="content-wrap">
> >             <div class="application"><h1>Kaspersky Web Traffic Security</h1></div>
> >             <div class="content"><div class="text-macro">
> >     <p>The requested page cannot be provided</p>
> >     <p>Address: <a></a></p>
> >     <p class="description">The web resource is prohibited at the company. If you consider
> >     the blocking to be mistaken or if you need to access this web resource,
> >     contact the administrator of the local corporate network.</p>
> > </div>
> >
> > <div class="footer">
> >     <p class="rule">Default Protection Rule</p>
> >     <p class="date">2019-Jul-24 05:29:20 (GMT 2019-Jul-24 09:29:20)</p>
> > </div>
> > </div>
> >         </div>
> >     </body>
> > </html>
> >
> > ICAP HEADERS:
> >         ICAP/1.0 200 OK
> >         ISTag: "KWTS_2019-07-24_09"
> >         Date: Wed, 24 Jul 2019 09:29:20 GMT
> >         Server: KAV-ICAP-Server/8.0
> >         X-ICAP-msg-id: x6O9TK185
> >         Encapsulated: res-hdr=0, res-body=73
> >
> > RESPMOD HEADERS:
> >         HTTP/1.1 403 Forbidden
> >         Content-Type: text/html
> >         Content-Length: 2114
> >
> > Done
> > ----------
> >
> >
> > So things seem to be working, but the reply that RSPAMD is getting is not
> > something that it is identifying as an infection.
> >
> >
> > Any ideas?
> > --
> > Users mailing list
> > Users at lists.rspamd.com
> > https://lists.rspamd.com/mailman/listinfo/users
>
>
> Hi,
> Which product and  version of Kaspersky are you using?
> DP
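To make the symptom in the thread concrete, here is an added example (my own code, not Rspamd's icap module and not anything from Kaspersky) that builds ICAP replies in the shape of the c-icap-client output above and parses them the way a header-driven scanner client would. The framing follows RFC 3507: ICAP headers, a blank line, then the encapsulated HTTP headers at the byte offsets named in Encapsulated, then a chunked body. The set of verdict header names is an assumption on my part: X-Virus-ID is the one the quoted 5.5 option says it adds, X-Infection-Found and X-Virus-Name are names other ICAP AV servers commonly use. With the 403 block page and no such header, the parser has nothing to call infected, which is the "message or mime_part is clean" outcome; with a verdict header present it reports the name. The constructed sample with the three HTTP headers from the thread also reproduces the res-body=73 offset shown in the real reply.

```python
"""Constructed example: how a header-driven ICAP client sees the reply above.
Not code from Rspamd or Kaspersky; framing per RFC 3507, sample mirrors the
headers in the c-icap-client output."""
import re

CRLF = b"\r\n"
# Headers an AV ICAP server may use to carry its verdict.  Assumed names: the
# quoted 5.5 option adds X-Virus-ID; the other two are common elsewhere.
VERDICT_HEADERS = ("x-infection-found", "x-virus-id", "x-virus-name")


def chunked(body: bytes) -> bytes:
    """Encode a body as one HTTP chunk plus terminator (ICAP bodies are chunked)."""
    if not body:
        return b"0" + CRLF + CRLF
    return b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF


def build_icap_response(http_status_line: str, http_headers: dict, body: bytes,
                        icap_headers: dict) -> bytes:
    """Assemble an ICAP/1.0 200 reply with an encapsulated HTTP response.
    The Encapsulated offsets are computed from the real byte lengths."""
    hdr = http_status_line.encode() + CRLF
    hdr += b"".join(f"{k}: {v}".encode() + CRLF for k, v in http_headers.items())
    hdr += CRLF
    icap = [b"ICAP/1.0 200 OK"]
    icap += [f"{k}: {v}".encode() for k, v in icap_headers.items()]
    icap.append(b"Encapsulated: res-hdr=0, res-body=%d" % len(hdr))
    return CRLF.join(icap) + CRLF + CRLF + hdr + chunked(body)


def parse_header_block(block: bytes):
    """Split a status line plus 'Name: value' lines into (status, {lowercase name: value})."""
    lines = block.split(CRLF)
    headers = {}
    for raw in lines[1:]:
        if raw:
            name, _, value = raw.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
    return lines[0].decode("latin-1"), headers


def parse_icap_response(raw: bytes) -> dict:
    """Return the ICAP status and headers plus, when present, the encapsulated
    HTTP status and headers located through the Encapsulated offsets."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("truncated ICAP response: no end of ICAP headers")
    status_line, icap_headers = parse_header_block(head)
    m = re.match(r"ICAP/1\.0 (\d{3})", status_line)
    if not m:
        raise ValueError(f"not an ICAP status line: {status_line!r}")
    out = {"icap_status": int(m.group(1)), "icap_headers": icap_headers,
           "http_status": None, "http_headers": {}}
    offsets = {}
    for part in icap_headers.get("encapsulated", "").split(","):
        name, _, val = part.strip().partition("=")
        if name and val.isdigit():
            offsets[name] = int(val)
    hdr_name = next((n for n in ("res-hdr", "req-hdr") if n in offsets), None)
    if hdr_name is not None:
        start = offsets[hdr_name]
        later = [v for v in offsets.values() if v > start]   # next section starts here
        end = min(later) if later else len(rest)
        http_line, http_headers = parse_header_block(rest[start:end].rstrip(b"\r\n"))
        m = re.match(r"HTTP/\d\.\d (\d{3})", http_line)
        out["http_status"] = int(m.group(1)) if m else None
        out["http_headers"] = http_headers
    return out


def classify(parsed: dict) -> tuple:
    """Verdict as a client that only reads ICAP headers would form it."""
    if parsed["icap_status"] == 204:
        return ("clean", None)            # 204 No Content: nothing to modify
    for name in VERDICT_HEADERS:
        if name in parsed["icap_headers"]:
            return ("infected", parsed["icap_headers"][name])
    if parsed["http_status"] == 403:
        # A block page instead of a verdict header: header-only clients see no
        # infection here, which is the "clean" symptom in the thread.
        return ("blocked-without-verdict", None)
    return ("clean", None)


# Constructed samples.  The first mirrors the reply in the c-icap-client output.
BLOCK_PAGE = b"<html><title>Access Denied by Kaspersky Web Traffic Security</title></html>"
SAMPLE_BLOCK = build_icap_response(
    "HTTP/1.1 403 Forbidden",
    {"Content-Type": "text/html", "Content-Length": str(len(BLOCK_PAGE))},
    BLOCK_PAGE, {"ISTag": '"KWTS_2019-07-24_09"', "Server": "KAV-ICAP-Server/8.0"})
# Same reply with a verdict header present (hypothetical value).
SAMPLE_WITH_HEADER = build_icap_response(
    "HTTP/1.1 403 Forbidden", {"Content-Type": "text/html"}, BLOCK_PAGE,
    {"ISTag": '"KWTS_2019-07-24_09"', "X-Virus-ID": "EICAR-Test-File"})
SAMPLE_CLEAN = b"ICAP/1.0 204 No Content" + CRLF + b'ISTag: "KWTS_2019-07-24_09"' + CRLF + CRLF

if __name__ == "__main__":
    for label, raw in (("block page", SAMPLE_BLOCK), ("with X-Virus-ID", SAMPLE_WITH_HEADER),
                       ("204", SAMPLE_CLEAN)):
        print(label, classify(parse_icap_response(raw)))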

