From: Vsevolod Stakhov
Date: Tue, 9 Apr 2019 12:20:16 +0000 (+0100)
Subject: [Feature] Antivirus: Handle encrypted files specially
X-Git-Tag: 1.9.2~45
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6614b861a4b0ad518fae972ed509c7d8a983ebf7;p=thirdparty%2Frspamd.git

[Feature] Antivirus: Handle encrypted files specially
---
diff --git a/lualib/lua_scanners/clamav.lua b/lualib/lua_scanners/clamav.lua
index b3a1b20f21..1ff3cdc4fd 100644
--- a/lualib/lua_scanners/clamav.lua
+++ b/lualib/lua_scanners/clamav.lua
@@ -138,7 +138,7 @@ local function clamav_check(task, content, digest, rule)
 local vname = string.match(data, 'stream: (.+) FOUND')
 if string.find(vname, '^Heuristics%.Encrypted') then
 rspamd_logger.errx(task, '%s: File is encrypted', rule.log_prefix)
- common.yield_result(task, rule, 'File is encrypted: '.. vname, 0.0, 'fail')
+ common.yield_result(task, rule, 'File is encrypted: '.. vname, 0.0, 'encrypted')
 elseif string.find(vname, '^Heuristics%.Limits%.Exceeded') then
 rspamd_logger.errx(task, '%s: ClamAV Limits Exceeded', rule.log_prefix)
 common.yield_result(task, rule, 'Limits Exceeded: '.. vname, 0.0, 'fail')
diff --git a/lualib/lua_scanners/common.lua b/lualib/lua_scanners/common.lua
index 9bf2adf444..f35ee372db 100644
--- a/lualib/lua_scanners/common.lua
+++ b/lualib/lua_scanners/common.lua
@@ -79,6 +79,11 @@ local function yield_result(task, rule, vname, dyn_weight, is_fail)
 symbol = rule.symbol_fail
 threat_info = "FAILED with error"
 dyn_weight = 0.0
+ elseif is_fail == 'encrypted' then
+ patterns = rule.patterns
+ symbol = rule.symbol_encrypted
+ threat_info = "Scan has returned that input was encrypted"
+ dyn_weight = 1.0
 end

 if type(vname) == 'string' then
diff --git a/src/plugins/lua/antivirus.lua b/src/plugins/lua/antivirus.lua
index 68dcedb64b..70549719f6 100644
--- a/src/plugins/lua/antivirus.lua
+++ b/src/plugins/lua/antivirus.lua
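Review bot: The `rspamd_logger.errx` call directly above the changed line still records an encrypted attachment at error level, even though the commit now routes that case to its own `encrypted` outcome rather than a scanner failure. Password-protected archives are routine in mail flow, so every one of them would show up in the error log as if ClamAV had malfunctioned and bury real scanner errors. `rspamd_logger.infox(task, '%s: File is encrypted', rule.log_prefix)` fits the new classification better, leaving `errx` for the limits-exceeded branch that is still reported as `'fail'`. clamav_check's body continues outside the hunk.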
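Review bot: The new `elseif is_fail == 'encrypted'` branch assigns `symbol = rule.symbol_encrypted` with no fallback, while yield_result lives in the shared lua_scanners library and can presumably be reached with rules built by callers other than antivirus.lua (not visible here) that never set `symbol_encrypted`; a nil symbol would then fail at the point the result is inserted, and the "could not inspect this content" signal would be lost entirely. `symbol = rule.symbol_encrypted or rule.symbol_fail` keeps the signal in that case. The branch also discards the caller's `dyn_weight` argument in favour of a fixed `dyn_weight = 1.0`, unlike the `'fail'` branch above it, which deserves a one-line comment stating why the passed value is ignored. yield_result's body continues outside the hunk.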
@@ -88,6 +88,10 @@ local function add_antivirus_rule(sym, opts)
 opts.symbol_fail = opts.symbol .. '_FAIL'
 end

+ if not opts.symbol_encrypted then
+ opts.symbol_encrypted = opts.symbol .. '_ENCRYPTED'
+ end
+
 -- WORKAROUND for deprecated attachments_only
 if opts.attachments_only ~= nil then
 opts.scan_mime_parts = opts.attachments_only
@@ -99,6 +103,7 @@ local function add_antivirus_rule(sym, opts)
 local rule = cfg.configure(opts)
 rule.type = opts.type
 rule.symbol_fail = opts.symbol_fail
+ rule.symbol_encrypted = opts.symbol_encrypted
 rule.redis_params = redis_params

 if not rule then
@@ -158,6 +163,13 @@ if opts and type(opts) == 'table' then
 score = 0.0,
 group = N
 })
+ rspamd_config:register_symbol({
+ type = 'virtual',
+ name = m['symbol_encrypted'],
+ parent = id,
+ score = 0.0,
+ group = N
+ })
 has_valid = true
 if type(m['patterns']) == 'table' then
 if m['patterns'][1] then
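Review bot: In the second hunk, `rule.symbol_encrypted = opts.symbol_encrypted` is added above `if not rule then`, so when `cfg.configure(opts)` returns nil the new line raises an attempt-to-index-nil error before the guard it sits above can run. The neighbouring `rule.type`, `rule.symbol_fail` and `rule.redis_params` assignments have the same ordering problem, but the commit extends it rather than fixing it. Moving the `if not rule then … end` block directly after `local rule = cfg.configure(opts)` and placing all four assignments below it would make the guard effective. add_antivirus_rule continues beyond the hunk.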
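Review bot: In the third hunk the new `_ENCRYPTED` virtual symbol is registered with `score = 0.0` and no comment, so unless the operator scores it in the metric configuration an attachment the scanner could not inspect contributes nothing to the verdict — the old `symbol_fail` path was also zero-weight, but this commit gives operators a dedicated knob without telling them it exists or that the default is fail-open. A short comment above the new `register_symbol` call, e.g. `-- Encrypted (unscannable) content: 0 by default, assign a score or reference the symbol in a rule to act on it`, would make that explicit. The enclosing loop starts outside the hunk.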