Using multiple actions for the Antivirus module


Alex JOST

Jan 20, 2017, 4:03:42 PM
to rsp...@googlegroups.com
Dear all,

we are currently evaluating if rspamd can replace amavisd for us and how
to achieve a setup that works similarly. We want to trigger different
actions depending on the ClamAV signature detected. For example adding a
score if a certain signature is detected and rejecting the message if
any other signature is detected.

Would that be possible? Has someone already made this work?


Below is some configuration that I was hoping would do the trick but no
luck so far.

# rspamd.conf.local:
antivirus {
  clamav {
    action = "reject";
    patterns {
      JUST_EICAR = "^Eicar-Test-Signature$";
    }
  }
}

# local.d/metrics.conf:
symbol "JUST_EICAR" {
  action = "reject";
  description = "Eicar-Test-Signature";
}

--
Alex JOST

Andrew Lewis

Jan 20, 2017, 5:16:23 PM
to rsp...@googlegroups.com
Hi Alex,

If `action` is set in scanner configuration it's applied to all
matches (stuff in `patterns` included). You could use a rule instead
of this setting:
https://rspamd.com/doc/faq.html#how-can-i-restore-the-old-spf-behaviour

Best,
-AL.

Alex JOST

Jan 22, 2017, 3:12:25 PM
to rsp...@googlegroups.com
[resending to list for completeness]

Hello Andrew,
Thanks for the suggested solution. Unfortunately I'm not familiar with
Lua (yet).

Actually I've found a quite simple solution after I gave it a second
thought today. Don't know why I haven't thought of it before.


# rspamd.conf.local:
antivirus {
  clamav {
    symbol = "CLAM_VIRUS";
    patterns {
      JUST_EICAR = "^Eicar-Test-Signature$";
    }
  }
}

# local.d/metrics.conf:
symbol "JUST_EICAR" {
  score = 7.0;
  description = "Eicar-Test-Signature";
}
symbol "CLAM_VIRUS" {
  score = 100.0;
  description = "Possibly malware detected by ClamAV signatures";
}


The default action for ClamAV is now unset but a default symbol is
assigned if no patterns are matched. The default symbol sets a high
score to make sure the message gets rejected.

--
Alex JOST
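
The rule-based approach suggested earlier in the thread, sketched as an added example (not code from either poster or from the rspamd project). It assumes the scanner configuration from the last message (no `action` on the scanner, default symbol CLAM_VIRUS, pattern symbol JUST_EICAR), placement in rspamd.local.lua, and that the scanner stores the signature name as a symbol option; the name CLAM_VIRUS_REJECT is hypothetical.

```lua
-- rspamd.local.lua
-- Added example: force a reject whenever ClamAV matched a signature that
-- none of the configured patterns covers, and leave pattern-mapped symbols
-- (JUST_EICAR) to the normal scoring in metrics.conf.
local rspamd_logger = require "rspamd_logger"

local function clam_virus_reject_cb(task)
  -- Per the thread, CLAM_VIRUS is only inserted when no pattern matched,
  -- so JUST_EICAR hits never reach the reject below.
  if not task:has_symbol('CLAM_VIRUS') then
    return
  end

  -- Assumption: the signature name is carried as the first symbol option.
  local signature = 'unknown signature'
  local sym = task:get_symbol('CLAM_VIRUS')
  if sym and sym[1] and sym[1].options and sym[1].options[1] then
    signature = sym[1].options[1]
  end

  rspamd_logger.infox(task, 'rejecting message, ClamAV signature: %s', signature)
  -- A pre-result overrides the score-based action for this message.
  task:set_pre_result('reject', 'Malware detected: ' .. signature)
end

-- A postfilter runs after the scanner symbol has been inserted.
rspamd_config:register_symbol({
  name = 'CLAM_VIRUS_REJECT',  -- hypothetical symbol name
  type = 'postfilter',
  callback = clam_virus_reject_cb,
})
```

With this rule the reject no longer depends on the CLAM_VIRUS score exceeding the reject threshold, so that score can be set to any value.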