[Rspamd-Users] Kaspersky as External Service
Rob Gunther
redrob at gmail.com
Sat Jul 27 16:52:12 UTC 2019
Carsten, what platform was your test install of Kaspersky Web Traffic
Security 6.0 on? I can't find any way to enable those headers. I even
checked with Kaspersky support who claim it is not possible.
On Wed, Jul 24, 2019 at 8:16 PM Carsten Rosenberg <cr at ncxs.de> wrote:
> Hi,
>
> currently we are only analyzing the ICAP Response headers, but not the
> RESPMOD headers.
>
> I have tried Kaspersky Web Traffic Security 6.0. This version had the
> following ICAP response headers:
>
> X-Virus-ID: HEUR:Backdoor.Java.QRat.gen
> X-Response-Info: blocked
>
> Maybe you can enable those somehow or there's another URL with more
> options.
>
> --
> Carsten
>
> On 24.07.19 11:31, Rob Gunther wrote:
> > I am trying to set up scanning against Kaspersky, as an external ICAP
> > service. Using RSPAMD v1.9.4
> >
> > I can see RSPAMD is sending messages to the ICAP service and I can see
> > Kaspersky scanning them. Kaspersky IS identifying the messages as infected
> > but the logs on RSPAMD always say the message was reported clean like this:
> >
> > 2019-07-24 08:59:35 #4135(controller) <f2c8be>; lua; common.lua:36:
> > kaspersky_icap (icap): message or mime_part is clean
> >
> > What is RSPAMD looking for in the return?
> >
> > I tested the connection to the ICAP service, from the RSPAMD server to
> > simulate what may be going on, using an icap-client and here is what that
> > returns when the same infected file is sent in:
> >
> > ----------
> > c-icap-client -v -i 192.168.60.128 -p 1344 -s av/reqmod -f /tmp/virus.eml
> > -d 9
> > ICAP server:192.168.60.128, ip:192.168.48.45, port:1344
> >
> > Allocate a new entity of type 1
> > Allocate a new entity of type 3
> > Going to add 4 response headers
> > Add resp header: HTTP/1.0 200 OK
> > Add resp header: Date: Wed Jul 24 09:29:19 2019
> > Add resp header: Last-Modified: Wed Jul 24 09:29:19 2019
> > Add resp header: Content-Length: 18605
> > Preview response was with status: 100
> > Response was with status:200
> > Get entity from trash....
> > Get entity from trash....
> > OK reading headers, going to read body
> > <!DOCTYPE html>
> > <html>
> > <head>
> > <meta charset="utf-8">
> > <title>Access Denied by Kaspersky Web Traffic Security</title>
> > <style rel="stylesheet" data-href="style.css">
> > html { font-family: sans-serif; font-size: 13px; min-height:
> > 480px; min-width: 640px; }
> > body { margin: 0; text-align: center; }
> > .header { position: absolute; top: 0; left: 0; right: 0;
> > height: 36px; line-height: 36px; vertical-align: middle; background-color:
> > #d74747; color: #ffffff; }
> > .content-wrap { position: absolute; top: 36px; left: 0; right:
> > 0; bottom: 0; margin-left: 63.5px; margin-right: 63.5px; }
> > .application { position: absolute; top: 0; height: 30%; left:
> > 0; right: 0; }
> > .application h1 { position: absolute; bottom: 0; left: 0;
> > right: 0; font-size: 19px; vertical-align: bottom; font-weight: normal; }
> > .content { position: absolute; height: 70%; bottom: 0; left: 0;
> > right: 0; }
> > .text-macro a, .text-macro a:visited, .text-macro a:active {
> > color: #006d5c; text-decoration: none; }
> > .description { position: absolute; top: 30%; left: 0; right: 0;
> > }
> > .rule, .date { margin: 5px 0; }
> > .date { margin-bottom: 10px; }
> > .footer { color: #999999; position: absolute; bottom: 0; left:
> > 0; right: 0; }
> > </style>
> > </head>
> > <body>
> > <div class="header">Access denied</div>
> > <div class="content-wrap">
> > <div class="application"><h1>Kaspersky Web Traffic
> > Security</h1></div>
> > <div class="content"><div class="text-macro">
> > <p>The requested page cannot be provided</p>
> > <p>Address: <a></a></p>
> > <p class="description">The web resource is prohibited at the company.
> > If you consider
> > the blocking to be mistaken or if you need to access this web resource,
> > contact the administrator of the local corporate network.</p>
> > </div>
> >
> > <div class="footer">
> > <p class="rule">Default Protection Rule</p>
> > <p class="date">2019-Jul-24 05:29:20 (GMT 2019-Jul-24 09:29:20)</p>
> > </div>
> > </div>
> > </div>
> > </body>
> > </html>
> >
> > ICAP HEADERS:
> > ICAP/1.0 200 OK
> > ISTag: "KWTS_2019-07-24_09"
> > Date: Wed, 24 Jul 2019 09:29:20 GMT
> > Server: KAV-ICAP-Server/8.0
> > X-ICAP-msg-id: x6O9TK185
> > Encapsulated: res-hdr=0, res-body=73
> >
> > RESPMOD HEADERS:
> > HTTP/1.1 403 Forbidden
> > Content-Type: text/html
> > Content-Length: 2114
> >
> > Done
> > ----------
> >
> >
> > So things seem to be working, but the reply that RSPAMD is getting is not
> > something that it is identifying as an infection.
> >
> >
> > Any ideas?
> >
> --
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users
>
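The two places a scanner verdict can sit in the exchange quoted above, shown in an added example that is not Rspamd's module code: the ICAP headers (X-Virus-ID / X-Response-Info, which is what Rspamd reads according to Carsten) and the encapsulated RESPMOD headers located through the Encapsulated offsets (the HTTP 403 Forbidden that KWTS returns instead). The sample response is constructed from the headers in the thread with the HTML body truncated; the function names are this example's own.

```python
import re
# Constructed sample built from the headers quoted above (block-page HTML truncated).
KWTS_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b'ISTag: "KWTS_2019-07-24_09"\r\n'
    b"Encapsulated: res-hdr=0, res-body=73\r\n"
    b"\r\n"
    b"HTTP/1.1 403 Forbidden\r\n"      # these three headers plus the blank line
    b"Content-Type: text/html\r\n"     # are exactly 73 bytes, matching res-body=73
    b"Content-Length: 2114\r\n"
    b"\r\n"
    b"<html>Access Denied by Kaspersky Web Traffic Security</html>"
)

def split_icap(raw):
    """Split a raw response into (ICAP status line, ICAP headers, encapsulated bytes)."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    status, *lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, encapsulated

def respmod_status(headers, encapsulated):
    """HTTP status of the encapsulated RESPMOD header block, located via the
    Encapsulated offsets ('res-hdr=0, res-body=73'), or None if there is none."""
    offsets = {}
    for item in headers.get("encapsulated", "").split(","):
        name, sep, value = item.strip().partition("=")
        if sep:
            offsets[name] = int(value)
    if "res-hdr" not in offsets:
        return None
    end = offsets.get("res-body", offsets.get("null-body", len(encapsulated)))
    match = re.match(rb"HTTP/\d\.\d (\d{3})", encapsulated[offsets["res-hdr"]:end])
    return int(match.group(1)) if match else None

def verdict(raw, check_respmod=False):
    """ICAP-header check first (X-Virus-ID / X-Response-Info, what Rspamd reads).
    With check_respmod=True an encapsulated 403 also counts, but only as 'blocked':
    the KWTS page says the resource is prohibited by rule, not that it is malware."""
    _, headers, encapsulated = split_icap(raw)
    if "x-virus-id" in headers:
        return "infected", headers["x-virus-id"]
    if headers.get("x-response-info", "").lower() == "blocked":
        return "infected", "X-Response-Info: blocked"
    if check_respmod and respmod_status(headers, encapsulated) == 403:
        return "blocked", "HTTP 403 in RESPMOD headers"
    return "clean", None
```

Run against the sample, the header-only check reports clean (the behaviour in Rob's log) while the RESPMOD-aware check reports the 403 block.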