[Rspamd-Users] Antivirus patterns_fail and force_actions

Carsten Rosenberg cr at ncxs.de
Thu Mar 18 08:45:25 UTC 2021


On 18.03.21 07:24, Friedrichs, Jens wrote:
> Hello,
> 
> I had the same problem with the oletools and the use in a force action.
> To solve this you can try to convert your force action from a prefilter to a postfilter.
> 
> Try to add the following line to your force action:
> require_action = ["no action", "greylist", "reject", "add header", "rewrite subject"];
> 
> best regards
> 
> -----Original Message-----
> From: Users <users-bounces at lists.rspamd.com> On Behalf Of Zbynek Jun via Users
> Sent: Wednesday, 17 March 2021 23:20
> To: Users at lists.rspamd.com
> Cc: Zbynek Jun <postmaster at junix.cz>
> Subject: [Extern] [Rspamd-Users] Antivirus patterns_fail and force_actions
> 
> Hello,
> 
> I redefined the symbol name for some antivirus fail states in antivirus.conf
> 
>   patterns_fail {
>     # symbol_name = "pattern";
>     SOPHOS_FAILED = '^failed to scan and retransmits exceed$';
>   } 
> 
> and added the corresponding section in force_actions.conf
> 
>   SOFT_REJECT_VIRUS_SCAN_FAIL {
>     action = "soft reject";
>     expression = "SOPHOS_FAILED";
>     message = "Rejected due to temporary system problem";
>   }
> 
> but the symbol seems to be unknown to the force_action module
> 
> # rspamadm configtest
> cannot find dependency on symbol SOPHOS_FAILED for symbol FORCE_ACTION_SOFT_REJECT_VIRUS_SCAN_FAIL
> 
> and the antivirus module also logs some complaints.
> 
> proxy; lua_task_insert_result_common: symbol insertion issue: unknown symbol SOPHOS_FAILED; trace: [1]:{/usr/share/rspamd/lualib/lua_scanners/common.lua:110 - yield_result [Lua]}; [2]:{/usr/share/rspamd/lualib/lua_scanners/sophos.lua:118 - <unknown> [Lua]};
> 
> Adding symbols to antivirus_group.conf did not help.
> 
> Any hints?
> 
> Thanks
> 
> Zbynek J.
>

Hey,

In contrast to patterns, the symbols of patterns_fail were not
registered by the plugin.

https://github.com/rspamd/rspamd/pull/3681


> I had the same problem with the oletools and the use in a force action.
> To solve this you can try to convert your force action from a
> prefilter to a postfilter.


Here the require is needed because oletools is running as a postfilter.
Sophos is running in the normal stage.

Carsten

