Antivirus with Procmail, Sanitizer and ClamAV
Procmail
If procmail is used as the local delivery agent, it is enough to add this recipe to $HOME/.procmailrc to enable the antivirus filter through the sanitizer program:
#-------------------------------------------------------------------------
# $HOME/.procmailrc
#-------------------------------------------------------------------------
PATH=/usr/local/bin:/usr/bin:/bin
SHELL=/bin/bash
MAILDIR=$HOME/Maildir/
ORGMAIL=$MAILDIR
DEFAULT=$MAILDIR
#LOGFILE=$HOME/procmail.log
#VERBOSE=yes
#-------------------------------------------------------------------------
# Filter the mail with ClamAV: pipe the whole message through sanitizer
# (f = filter, w = wait for the exit code before continuing).
#-------------------------------------------------------------------------
:0 fw
| /usr/bin/sanitizer /etc/sanitizer.cfg
Sanitizer
The sanitizer program is configured through /etc/sanitizer.cfg:
#-------------------------------------------------------------------------
# Active features.
#-------------------------------------------------------------------------
feat_verbose = 0 # Warn user about unscanned parts, etc.
feat_log_inline = 0 # Inline logs: 0 = Off, 1 = Maybe, 2 = Force
feat_log_stderr = 0 # Print log to standard error.
feat_log_xml = 0 # Don't use XML format for logs.
feat_log_trace = 0 # Omit trace info from logs.
feat_log_after = 0 # Don't add any scratch space to part headers.
feat_files = 1 # Enable filename-based policy decisions.
feat_mime_files = 1 # Always check the mime-type's default name too.
feat_force_name = 0 # Force all parts (except text/html parts) to
# have file names.
feat_boundaries = 0 # Replace all boundary strings with our own
# NOTE: Always breaks PGP/MIME messages!
feat_lengths = 1 # Protect against buffer overflows and null
# values.
feat_scripts = 1 # Defang incoming shell scripts.
feat_html = 0 # Defang active HTML content.
feat_webbugs = 0 # Web-bugs are allowed.
feat_trust_pgp = 0 # Don't scan PGP signed message parts.
feat_uuencoded = 1 # Sanitize inline uuencoded files.
feat_forwards = 1 # Sanitize forwarded messages.
feat_testing = 0 # This isn't a test-case configuration.
feat_fixmime = 1 # Fix invalid MIME, if possible.
feat_paranoid = 0 # Don't be excessively paranoid about MIME headers etc.
#-------------------------------------------------------------------------
# Create saved files using this template. The directory must exist and
# be writable by the user running the sanitizer.
# $d - Day of month (01-31)
# $m - Month number (01-12)
# $y - Two digit year (00-99)
# $Y - Four digit year
# $H - Hour (00-23)
# $M - Minute (00-59)
# $S - Second (00-59)
#
# $P - This process's PID, in hex.
# $T - The current Unix time, in hex.
# $F - A safe version of the original file name.
# $ - A random character, from [A-Z0-9].
#-------------------------------------------------------------------------
file_name_tpl = /home/quarantine/$Y$m$d-$T-$F.$$
#-------------------------------------------------------------------------
# Message used to replace attachments saved and removed.
#-------------------------------------------------------------------------
msg_file_save = *****ANTIVIRUS*****\n
msg_file_save += ATTENZIONE:\n
msg_file_save += Questa mail conteneva in allegato il file "%FILENAME"\n
msg_file_save += che e' risultato infetto da virus o potenzialmente dannoso.\n
msg_file_save += Il file e' stato rimosso al fine di evitarne la diffusione involontaria.\n
msg_file_save += %SAVEDNAME\n
msg_file_save += *******************\n
#-------------------------------------------------------------------------
# We have 2 policies, in addition to the file_default_policy.
#-------------------------------------------------------------------------
file_list_rules = 2
#-------------------------------------------------------------------------
# 1) Scan some attachments for virus with Clam AntiVirus.
#-------------------------------------------------------------------------
# This policy applies to attachments whose file name did not match any
# previous policy and does match this regular expression.
# The policy action can be:
#
# accept Don't alter the attachment at all.
# defang Alter the attachment's file name.
# mangle Change completely the attachment's file name.
# save Remove the attachment from the message, replace it with a
# text message and save the attachment into a local file.
# drop The attachment will be deleted and replaced with a message.
# unknown Indeterminate result, check the next policy.
#
#-------------------------------------------------------------------------
# Archives, executables, scripts, etc. This is a perl regular
# expression, see "man perlre" for info. The (?i) prefix makes
# the regexp case insensitive.
file_list_1 = (?i)\.(
file_list_1 += 7z|bat|com|chm|cmd|cpl|exe|pif|scr|sys
file_list_1 += |dat|doc|m?db|ppt|pps|ppsx|rtf|xls|xlsm|xlsx|wp.?
file_list_1 += |class|pl|vb[es]|[sp]?html?|php\d?
file_list_1 += |z(ip|oo)|ar[cj]|lha|[tr]ar|rpm|deb|slp|tgz|g?z|bz\d?
file_list_1 += )$
# Virus scanner command line. The three exit codes represent the
# following scan conditions: clean, disinfected, infected.
file_list_1_scanner = 0:1:1:/usr/bin/clamdscan --fdpass --quiet %FILENAME
# What policy to apply for each exit code, plus a catch-all default.
file_list_1_policy = unknown:save:save:unknown
#-------------------------------------------------------------------------
# 2) White list: these extensions (or Content-Types) will be accepted.
#-------------------------------------------------------------------------
file_list_2 = (?i)\.(
file_list_2 += 7z|ai|ang|an6|asc|bmp|bz2|cl|csv|dat|doc|docx|dwg|dxf|fh|gif|gz|html?|ics|indd
file_list_2 += |jc3|jc4|jc5|jpe?g|m?db|mov|p7m|od[btsgfp]|ot[btspgf]|pcx|pdf|png|pps|ppsx|ppt|pptx
file_list_2 += |psd|pub|rtf|snp|sxc|tiff?|tgz|txt|vcf|wav|wp.?|xls|xlsm|xlsx|xml|zip
file_list_2 += )$
file_list_2_scanner = 0
file_list_2_policy = accept
#-------------------------------------------------------------------------
# Default policy: accept, but mangle file name.
#-------------------------------------------------------------------------
file_default_policy = defang
#-------------------------------------------------------------------------
# String used to mangle file names.
#-------------------------------------------------------------------------
msg_defanged = ANTIVIRUS
What happens if clamd is stopped
These are the exit codes of the clamdscan program:
| Exit code | Meaning |
|---|---|
| 0 | File OK. |
| 1 | Infected file. |
| 2 | Could not connect to clamd on LocalSocket. |
So if the daemon is not responding the exit code is 2, which matches none of the three possible conditions (clean, disinfected, infected); the catch-all policy is applied, which in the example above is save (removal of the file and storage in quarantine).
This is perhaps not the ideal setting, since an outage of the antivirus would then mean the loss of every attachment.
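To make the policy resolution concrete, here is a small Python model of the rules in the configuration above. It is an added example, not sanitizer's own code, and it only reproduces the semantics described in the configuration comments: the file_list_N rules are tried in order, a rule with a scanner maps the scanner's exit code to the four fields clean:disinfected:infected:catch-all, the policy unknown falls through to the next rule, and file_default_policy is the last resort. clamdscan is never executed; its exit code is passed in as a parameter, and the attachment names used in the demo are constructed. Running the model with the file_list_1_policy string exactly as printed above shows that its fourth (catch-all) field is unknown, so exit code 2 (clamd unreachable) falls through to the white list or to defang; the compare_catch_all function puts that string beside a variant whose catch-all field is save, which yields the quarantine behaviour the text describes for a clamd outage.

```python
"""Model of sanitizer's file-name policy resolution (added example, not sanitizer code).

Semantics taken from the comments in /etc/sanitizer.cfg on this page:
  * file_list_N regexes are tried in order, first match wins;
  * file_list_N_scanner = "clean:disinfected:infected:command";
  * file_list_N_policy  = "clean:disinfected:infected:catch-all";
  * policy "unknown" means "check the next policy";
  * file_default_policy applies when no rule gives a definite answer.
"""
import re
from typing import Dict, List, Optional, Tuple

# Regexes copied from file_list_1 and file_list_2 above (Perl syntax that re accepts).
FILE_LIST_1 = re.compile(
    r"(?i)\.("
    r"7z|bat|com|chm|cmd|cpl|exe|pif|scr|sys"
    r"|dat|doc|m?db|ppt|pps|ppsx|rtf|xls|xlsm|xlsx|wp.?"
    r"|class|pl|vb[es]|[sp]?html?|php\d?"
    r"|z(ip|oo)|ar[cj]|lha|[tr]ar|rpm|deb|slp|tgz|g?z|bz\d?"
    r")$"
)
FILE_LIST_2 = re.compile(
    r"(?i)\.("
    r"7z|ai|ang|an6|asc|bmp|bz2|cl|csv|dat|doc|docx|dwg|dxf|fh|gif|gz|html?|ics|indd"
    r"|jc3|jc4|jc5|jpe?g|m?db|mov|p7m|od[btsgfp]|ot[btspgf]|pcx|pdf|png|pps|ppsx|ppt|pptx"
    r"|psd|pub|rtf|snp|sxc|tiff?|tgz|txt|vcf|wav|wp.?|xls|xlsm|xlsx|xml|zip"
    r")$"
)

# (regex, scanner exit-code spec or None when no scanner runs, policy spec)
Rule = Tuple[re.Pattern, Optional[str], str]
RULES: List[Rule] = [
    (FILE_LIST_1, "0:1:1", "unknown:save:save:unknown"),  # as printed on this page
    (FILE_LIST_2, None, "accept"),                          # white list
]
FILE_DEFAULT_POLICY = "defang"


def scanner_codes(spec: str) -> Dict[str, int]:
    """Parse the leading 'clean:disinfected:infected' part of a file_list_N_scanner value."""
    clean, disinfected, infected = (int(x) for x in spec.split(":")[:3])
    return {"clean": clean, "disinfected": disinfected, "infected": infected}


def policy_for_exit_code(exit_code: int, scanner_spec: str, policy_spec: str) -> str:
    """Map a scanner exit code to one of the four policies in policy_spec."""
    codes = scanner_codes(scanner_spec)
    policies = policy_spec.split(":")
    if len(policies) != 4:
        raise ValueError("a scanner rule needs clean:disinfected:infected:catch-all policies")
    for idx, outcome in enumerate(("clean", "disinfected", "infected")):
        if exit_code == codes[outcome]:
            return policies[idx]
    return policies[3]  # catch-all, e.g. clamdscan exit 2 "could not connect to clamd"


def resolve_policy(filename: str, exit_code: Optional[int] = None,
                   rules: List[Rule] = RULES, default: str = FILE_DEFAULT_POLICY) -> str:
    """Walk the rules in order; 'unknown' falls through to the next rule, then to default."""
    for pattern, scanner_spec, policy_spec in rules:
        if not pattern.search(filename):
            continue
        if scanner_spec is None:
            policy = policy_spec
        else:
            if exit_code is None:
                raise ValueError(f"{filename}: rule has a scanner, an exit code is required")
            policy = policy_for_exit_code(exit_code, scanner_spec, policy_spec)
        if policy != "unknown":
            return policy
    return default


def compare_catch_all(filename: str, exit_code: int) -> Dict[str, str]:
    """Resolve one scan result under the page's policy string and under a variant
    whose catch-all field is 'save' (the behaviour the text attributes to a clamd outage)."""
    results = {}
    for policy_spec in ("unknown:save:save:unknown", "unknown:save:save:save"):
        rules = [(FILE_LIST_1, "0:1:1", policy_spec), (FILE_LIST_2, None, "accept")]
        results[policy_spec] = resolve_policy(filename, exit_code, rules=rules)
    return results


if __name__ == "__main__":
    # Constructed attachment names; exit codes follow the clamdscan table above.
    for name, code in [("setup.exe", 0), ("setup.exe", 1), ("report.doc", 0),
                       ("report.doc", 2), ("photo.jpg", None), ("notes.xyz", None)]:
        print(f"{name:12} exit={code!s:4} -> {resolve_policy(name, code)}")
    print("clamd down, report.doc:", compare_catch_all("report.doc", 2))
```

Note that clean files in list 1 end up with unknown and are then matched against the white list: a clean report.doc is accepted, while a clean setup.exe is not white-listed and gets the default defang treatment.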