[Rspamd-Users] Kaspersky as External Service

Carsten Rosenberg cr at ncxs.de
Sun Jul 28 19:17:01 UTC 2019


I had a trial of their latest Web Security as mentioned in the docs.

I'm currently on vacation, but will check this installation afterwards.

Carsten.

Am 27. Juli 2019 18:52:12 MESZ schrieb Rob Gunther <redrob at gmail.com>:
>Carsten, what platform was your test install of Kaspersky Web Traffic
>Security 6.0 on?  I can't find any way to enable those headers.  I even
>checked with Kaspersky support who claim it is not possible.
>
>On Wed, Jul 24, 2019 at 8:16 PM Carsten Rosenberg <cr at ncxs.de> wrote:
>
>> Hi,
>>
>> currently we are only analyzing the ICAP Response headers, but not the
>> RESPMOD headers.
>>
>> I have tried Kaspersky Web Traffic Security 6.0. This version had the
>> Following ICAP response headers:
>>
>>   X-Virus-ID: HEUR:Backdoor.Java.QRat.gen
>>   X-Response-Info: blocked
>>
>> Maybe you can enable those somehow or there's another URL with more
>> options.
>>
>> --
>> Carsten
>>
>> On 24.07.19 11:31, Rob Gunther wrote:
>> > I am trying to set up scanning against Kaspersky, as an external ICAP
>> > service.  Using RSPAMD v1.9.4
>> >
>> > I can see RSPAMD is sending messages to the ICAP service and I can see
>> > Kaspersky scanning them.  Kaspersky IS identifying the messages as infected
>> > but the logs on RSPAMD always say the message was reported clean like this:
>> >
>> > 2019-07-24 08:59:35 #4135(controller) <f2c8be>; lua; common.lua:36:
>> > kaspersky_icap (icap): message or mime_part is clean
>> >
>> > What is RSPAMD looking for in the return?
>> >
>> > I tested the connection to the ICAP service, from the RSPAMD server to
>> > simulate what may be going on, using an icap-client and here is what that
>> > returns when the same infected file is sent in:
>> >
>> > ----------
>> > c-icap-client -v -i 192.168.60.128 -p 1344 -s av/reqmod -f /tmp/virus.eml -d 9
>> > ICAP server:192.168.60.128, ip:192.168.48.45, port:1344
>> >
>> > Allocate a new entity of type 1
>> > Allocate a new entity of type 3
>> > Going to add 4 response headers
>> > Add resp header: HTTP/1.0 200 OK
>> > Add resp header: Date: Wed Jul 24 09:29:19 2019
>> > Add resp header: Last-Modified: Wed Jul 24 09:29:19 2019
>> > Add resp header: Content-Length: 18605
>> > Preview response was with status: 100
>> > Response was with status:200
>> > Get entity from trash....
>> > Get entity from trash....
>> > OK reading headers, going to read body
>> > <!DOCTYPE html>
>> > <html>
>> >     <head>
>> >         <meta charset="utf-8">
>> >         <title>Access Denied by Kaspersky Web Traffic Security</title>
>> >         <style rel="stylesheet" data-href="style.css">
>> >             html { font-family: sans-serif; font-size: 13px; min-height: 480px; min-width: 640px; }
>> >             body { margin: 0; text-align: center; }
>> >             .header { position: absolute; top: 0; left: 0; right: 0; height: 36px; line-height: 36px; vertical-align: middle; background-color: #d74747; color: #ffffff; }
>> >             .content-wrap { position: absolute; top: 36px; left: 0; right: 0; bottom: 0; margin-left: 63.5px; margin-right: 63.5px; }
>> >             .application { position: absolute; top: 0; height: 30%; left: 0; right: 0; }
>> >             .application h1 { position: absolute; bottom: 0; left: 0; right: 0; font-size: 19px; vertical-align: bottom; font-weight: normal; }
>> >             .content { position: absolute; height: 70%; bottom: 0; left: 0; right: 0; }
>> >             .text-macro a, .text-macro a:visited, .text-macro a:active { color: #006d5c; text-decoration: none; }
>> >             .description { position: absolute; top: 30%; left: 0; right: 0; }
>> >             .rule, .date { margin: 5px 0; }
>> >             .date { margin-bottom: 10px; }
>> >             .footer { color: #999999; position: absolute; bottom: 0; left: 0; right: 0; }
>> >         </style>
>> >     </head>
>> >     <body>
>> >         <div class="header">Access denied</div>
>> >         <div class="content-wrap">
>> >             <div class="application"><h1>Kaspersky Web Traffic Security</h1></div>
>> >             <div class="content"><div class="text-macro">
>> >     <p>The requested page cannot be provided</p>
>> >     <p>Address: <a></a></p>
>> >     <p class="description">The web resource is prohibited at the company. If you consider
>> >     the blocking to be mistaken or if you need to access this web resource,
>> >     contact the administrator of the local corporate network.</p>
>> > </div>
>> >
>> > <div class="footer">
>> >     <p class="rule">Default Protection Rule</p>
>> >     <p class="date">2019-Jul-24 05:29:20 (GMT 2019-Jul-24 09:29:20)</p>
>> > </div>
>> > </div>
>> >         </div>
>> >     </body>
>> > </html>
>> >
>> > ICAP HEADERS:
>> >         ICAP/1.0 200 OK
>> >         ISTag: "KWTS_2019-07-24_09"
>> >         Date: Wed, 24 Jul 2019 09:29:20 GMT
>> >         Server: KAV-ICAP-Server/8.0
>> >         X-ICAP-msg-id: x6O9TK185
>> >         Encapsulated: res-hdr=0, res-body=73
>> >
>> > RESPMOD HEADERS:
>> >         HTTP/1.1 403 Forbidden
>> >         Content-Type: text/html
>> >         Content-Length: 2114
>> >
>> > Done
>> > ----------
>> >
>> >
>> > So things seem to be working, but the reply that RSPAMD is getting is not
>> > something that it is identifying as an infection.
>> >
>> >
>> > Any ideas?
>> >
>> --
>> Users mailing list
>> Users at lists.rspamd.com
>> https://lists.rspamd.com/mailman/listinfo/users
>>
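The diagnosis in this thread is that the Kaspersky server answers with ICAP status 200 and signals the block only in the encapsulated RESPMOD section (HTTP 403 plus an HTML block page), while rspamd reads only the ICAP-level headers (X-Virus-ID, X-Response-Info) and therefore logs the message as clean. The following is an added example, not rspamd's Lua module and not Kaspersky's code: it parses an ICAP response using the Encapsulated offsets to locate the RESPMOD headers, then applies the header-only verdict beside an optional fallback on the RESPMOD status. The sample response is constructed from the headers shown in the c-icap-client output, with a short chunked body standing in for the 2114-byte block page; the X-Infection-Found header, the second sample carrying X-Virus-ID, and the `trust_respmod_status` option are assumptions of this example and do not appear in the thread.

```python
"""Parse an ICAP (RFC 3507) response and decide whether the scanner flagged the content."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample: the ICAP and RESPMOD headers captured in the thread.
# The chunked body is a stand-in for the real 2114-byte HTML block page.
KWTS_BLOCK_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b'ISTag: "KWTS_2019-07-24_09"\r\n'
    b"Date: Wed, 24 Jul 2019 09:29:20 GMT\r\n"
    b"Server: KAV-ICAP-Server/8.0\r\n"
    b"X-ICAP-msg-id: x6O9TK185\r\n"
    b"Encapsulated: res-hdr=0, res-body=73\r\n"
    b"\r\n"
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 2114\r\n"
    b"\r\n"
    b"f\r\n<!DOCTYPE html>\r\n"
    b"0\r\n\r\n"
)

# Constructed sample (assumption): the same response with the two ICAP-level
# headers Carsten saw from his Web Traffic Security 6.0 installation.
KWTS_VIRUS_RESPONSE = KWTS_BLOCK_RESPONSE.replace(
    b"Server: KAV-ICAP-Server/8.0\r\n",
    b"Server: KAV-ICAP-Server/8.0\r\n"
    b"X-Virus-ID: HEUR:Backdoor.Java.QRat.gen\r\n"
    b"X-Response-Info: blocked\r\n",
)


@dataclass
class IcapResponse:
    status: int                                   # ICAP status; 200 even when content is blocked
    headers: Dict[str, str]                       # ICAP-level headers, names lower-cased
    http_status: Optional[int] = None             # status of the encapsulated HTTP response, if any
    http_headers: Dict[str, str] = field(default_factory=dict)


def _parse_header_block(block: str) -> Tuple[str, Dict[str, str]]:
    """Split a 'status line + headers' block into the status line and a name->value map."""
    status_line, *lines = block.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def _status_code(status_line: str, proto_prefix: str) -> int:
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith(proto_prefix) or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1])


def parse_icap_response(raw: bytes) -> IcapResponse:
    text = raw.decode("latin-1")
    icap_block, sep, encapsulated = text.partition("\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP response: header block not terminated")
    status_line, headers = _parse_header_block(icap_block)
    resp = IcapResponse(status=_status_code(status_line, "ICAP/"), headers=headers)

    # Encapsulated gives byte offsets, relative to the end of the ICAP headers,
    # of each embedded section; res-hdr marks the encapsulated HTTP response.
    offsets: Dict[str, int] = {}
    for item in headers.get("encapsulated", "").split(","):
        key, _, value = item.strip().partition("=")
        if key and value.isdigit():
            offsets[key] = int(value)
    if "res-hdr" in offsets:
        start = offsets["res-hdr"]
        end = offsets.get("res-body", offsets.get("null-body"))
        http_block = encapsulated[start:end].rstrip("\r\n")
        http_status_line, http_headers = _parse_header_block(http_block)
        resp.http_status = _status_code(http_status_line, "HTTP/")
        resp.http_headers = http_headers
    return resp


def scanner_verdict(resp: IcapResponse, trust_respmod_status: bool = False) -> Tuple[bool, str]:
    """Return (infected, reason).

    The first three checks use ICAP-level headers only, which is what the thread
    says rspamd did.  X-Infection-Found is an ICAP extension header emitted by
    several AV products (assumption; not shown in the thread).  The last check is
    the optional fallback on the encapsulated RESPMOD status.
    """
    if "x-virus-id" in resp.headers:
        return True, "X-Virus-ID: " + resp.headers["x-virus-id"]
    if "x-infection-found" in resp.headers:
        return True, "X-Infection-Found: " + resp.headers["x-infection-found"]
    if resp.headers.get("x-response-info", "").lower() == "blocked":
        return True, "X-Response-Info: blocked"
    if trust_respmod_status and resp.http_status == 403:
        return True, "encapsulated RESPMOD status 403 (no ICAP verdict header)"
    return False, "no verdict header; message or mime_part is clean"


if __name__ == "__main__":
    for label, raw in (("block page only", KWTS_BLOCK_RESPONSE), ("with X-Virus-ID", KWTS_VIRUS_RESPONSE)):
        r = parse_icap_response(raw)
        print(label, "->", scanner_verdict(r), "| RESPMOD fallback:", scanner_verdict(r, True))
```

Run stand-alone, the block-page sample yields "clean" with the header-only logic, which is the log line Rob reported, and "infected" only when the RESPMOD fallback is enabled. The fallback is deliberately opt-in: the block page in the thread reads "The web resource is prohibited at the company", the wording of a policy block, so an encapsulated 403 by itself does not distinguish a malware detection from a URL or content-category rule, and a deployment that relies on it should expect policy blocks to be scored as infections.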

