Feature #2897

Support Sanesecurity Foxhole

Added by Filippo Carletti about 5 years ago. Updated almost 5 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-antivirus
Target version: v6.5
Resolution:
NEEDINFO: Yes

Description

I'd like to have support for the new Foxhole clamav sigs (http://sanesecurity.com/foxhole-databases/).
Two steps required:
1. add dbs to /etc/e-smith/templates/etc/clamav-unofficial-sigs/clamav-unofficial-sigs.conf/20dbs
2. tell amavisd to treat foxhole as viruses

1:

@@ -149,6 +149,8 @@
    crdfam.clamav.hdb
    phishtank.ndb
    porcupine.ndb
+ foxhole_generic.cdb
+ foxhole_filename.cdb
 " 
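Review bot: the two added entries are indented with a single space while the surrounding database names use three, so the list no longer lines up; indent `foxhole_generic.cdb` and `foxhole_filename.cdb` to match `porcupine.ndb`. Also, on its own this hunk leaves amavisd's default virus-to-spam-score mapping in place, so Foxhole hits are scored as spam rather than rejected until step 2 of the description lands; the commit should reference the companion amavisd.conf change.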

2:

# cat /etc/e-smith/templates-custom/etc/amavisd.conf/96block_all_virus
@virus_name_to_spam_score_maps = ();

Clearing the virus2spam scores seems aggressive, but I couldn't find a suitable regexp.

amavisd-virus-score.txt - virus_name_to_spam_score_maps content (3.11 KB) Davide Principi, 11/21/2014 12:14 PM
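The regexp alternative to clearing the whole map, as an added example that is not part of the original report or of NethServer's code: a stand-alone Perl script that models amavisd's first-match-wins lookup over @virus_name_to_spam_score_maps and shows a Foxhole rule placed ahead of the Sanesecurity catch-all. It assumes that a defined value counts the hit as spam points and that a matched entry whose value is undef leaves it a real virus; the rule list and the virus names are constructed, not the stock amavisd defaults, and the "Sanesecurity.Foxhole" prefix follows comment #4 in the history below. Note also that the QA log in #8 shows the .pif test stopped by amavisd's own banned-filename check (BANNED: CLASS Exec), not by a Foxhole signature, so that run does not exercise the new database.

```perl
#!/usr/bin/perl
# Added example, not NethServer or amavisd code: models how amavisd's
# @virus_name_to_spam_score_maps turns a scanner hit into either a real
# virus verdict or a spam-score contribution, and the regexp ordering
# that exempts Foxhole without clearing the whole map.
# Assumptions (verify against your amavisd version): the map is scanned
# in order, first match wins, a defined value is added to the spam score,
# and a matched entry whose value is undef is treated as a real virus.
use strict;
use warnings;

# Ordered rules in the shape amavisd.conf uses inside new_RE(...).
# Constructed illustration, not the stock amavisd defaults: the Foxhole
# rule sits BEFORE the ^Sanesecurity\. catch-all so it wins.
my @virus_name_to_spam_score =
  ( [ qr'^Sanesecurity\.Foxhole'              => undef ],  # real virus
    [ qr'^Sanesecurity\.(Junk|Jurlbl|Spam)\b'  => 0.1   ],  # spammy sig
    [ qr'^Sanesecurity\.'                      => 0.1   ],  # catch-all
  );

# First-match-wins lookup: returns (matched, value).
sub lookup_re {
    my ($name, $rules) = @_;
    for my $rule (@$rules) {
        my ($re, $value) = @$rule;
        return (1, $value) if $name =~ $re;
    }
    return (0, undef);
}

# amavisd's decision: undefined score -> virus, defined -> spam points.
sub classify {
    my ($name, $rules) = @_;
    my (undef, $score) = lookup_re($name, $rules);
    return defined $score ? "spam (+$score)" : "virus";
}

# Constructed names; Eicar matches nothing and stays a virus.
for my $vn ( 'Sanesecurity.Foxhole.Example.UNOFFICIAL',
             'Sanesecurity.Junk.12345.UNOFFICIAL',
             'Eicar-Test-Signature' ) {
    printf "%-42s -> %s\n", $vn, classify($vn, \@virus_name_to_spam_score);
}
# Remove the first rule and the Foxhole hit degrades to "spam (+0.1)".

# Assumed template equivalent for 96block_all_virus (check the defaults
# shipped with your amavisd.conf before copying):
# @virus_name_to_spam_score_maps = (new_RE(
#     [qr'^Sanesecurity\.Foxhole' => undef],
#     ... followed by the stock entries ...
# ));
```

Run it with `perl` to see the three verdicts; the point is the ordering, since a Foxhole rule placed after the `^Sanesecurity\.` catch-all never gets a chance to match.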


Related issues

Related to NethServer 6 - Enhancement #2924: Fetchmail support for AD users CLOSED

Associated revisions

Revision f33b848b
Added by Davide Principi almost 5 years ago

Enabled Sanesecurity Foxhole DB. Refs #2897

Revision 1904950e
Added by Davide Principi almost 5 years ago

amavisd.conf: remove default virus mappings to spam score. Refs #2897

The default amavis configuration maps some AV results to SPAM. This
setting considers such results as viruses.

History

#1 Updated by Davide Principi almost 5 years ago

  • Status changed from NEW to TRIAGED
  • Target version set to v6.5
  • % Done changed from 0 to 20

#2 Updated by Davide Principi almost 5 years ago

#3 Updated by Davide Principi almost 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#4 Updated by Davide Principi almost 5 years ago

This is the content of @virus_name_to_spam_score_maps after appending Sanesecurity.Foxhole (see attached file).

#5 Updated by Davide Principi almost 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

#6 Updated by Davide Principi almost 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-mail-filter-1.2.0-1.0git1904950e.ns6
nethserver-antivirus-1.1.0-1.0gitf33b848b.ns6

#7 Updated by Stefano Fancello almost 5 years ago

  • Assignee set to Stefano Fancello

#8 Updated by Stefano Fancello almost 5 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee changed from Stefano Fancello to Filippo Carletti
  • % Done changed from 70 to 90
  • NEEDINFO changed from No to Yes

I've tried this [[http://sanesecurity.com/foxhole-databases/]], foxhole_generic, sending a mail with an attached zip file containing a .pif filled with random data. The mail server responded: 5.7.0 Reject, id=14999-03 - BANNED: CLASS Exec:.dat,test.pif.

==> /var/log/maillog <==
Dec  3 11:51:50 makako submission/smtpd[21302]: connect from pc-stefano.nethesis.it[192.168.5.14]
Dec  3 11:51:55 makako submission/smtpd[21302]: NOQUEUE: client=pc-stefano.nethesis.it[192.168.5.14], sasl_method=PLAIN, sasl_username=test1
Dec  3 11:52:04 makako amavis[14999]: (14999-03) Blocked BANNED (CLASS Exec:.dat,test.pif) {RejectedInternal,Quarantined}, SUBMISSION/MYNETS LOCAL [192.168.X.X]:41280 [192.168.X.X] <test1@menghesis.it> -> <test1@menghesis.it>, Message-ID: <547EEB44.8050806@menghesis.it>, mail_id: mEe_wZlThO-Q, Hits: -, size: 1373, 10379 ms
Dec  3 11:52:04 makako submission/smtpd[21302]: proxy-reject: END-OF-MESSAGE: 554 5.7.0 Reject, id=14999-03 - BANNED: CLASS Exec:.dat,test.pif; from=<test1@menghesis.it> to=<test1@menghesis.it> proto=ESMTP helo=<pc-stefano.nethesis.it>
Dec  3 11:52:47 makako submission/smtpd[21302]: disconnect from pc-stefano.nethesis.it[192.168.X.X]

So I think that this could be considered VERIFIED, but I'm not sure because the other tests that I've tried (following the test cases described here [[http://sanesecurity.com/support/signature-testing/]]) fail under certain circumstances:
Test 1, HTML formatted mail with the signature in the body, PASSED: the mail is blocked

554 5.7.0 Reject, id=14999-01 - INFECTED: Sanesecurity.TestSig_Type3_Bdy.4.UNOFFICIAL;

Test 2, with the signature in the email subject, fails, and the email is delivered
Test 3 fails if the email is sent normally using Thunderbird (by the same account on the same server) and passes (the email is blocked) if sent by smtptest
5.7.0 Reject, id=14998-04 - INFECTED: Sanesecurity.TestSig_Type4_Bdy.3.UNOFFICIAL

#9 Updated by Giacomo Sanchietti almost 5 years ago

  • Assignee deleted (Filippo Carletti)

#10 Updated by Giacomo Sanchietti almost 5 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Released in nethserver-updates:
  • nethserver-mail-filter-1.2.1-1.ns6.noarch.rpm
  • nethserver-antivirus-1.1.1-1.ns6.noarch.rpm
