[pmg-devel] Antivirus support for Kaspersky Endpoint Security for Linux (kesl)

Stoiko Ivanov s.ivanov at proxmox.com
Mon Jan 14 21:30:52 CET 2019


Hi,

I finally managed to take a look at kesl and your implementation.

Thanks for providing the overview of kesl! - it did indeed save a ton of
time - and this is where my doubt comes in, whether it would be a good
fit for direct inclusion into PMG:
* The whole kesl-suite seems tailored towards being an "Endpoint
  scanner" - i.e. a service that runs constantly and hangs itself into
  various I/O APIs to clean out infected files upon access - iow - a
  virus-scanner like I know it from my Windows days.
* The asynchronous nature of the scans (despite the -W switch blocking
  until a scan is through) - with scheduling a scan and then reading
  the task-log for a variable number of threats[0], seems a bit fragile
* I'm not sure about the stability of the scan-settings format and
  could imagine that it changes between versions -
  meaning it could break a running installation with an update of the
  virus-scanner

All of the above points make it seem to me that the integration is a
bit too involved for an API where I'd like to provide a file and
get 'OK'/'Infected - $virus' back (probably a bit simplified).

OTOH there seems to be some demand by users to integrate other
virus-scanners apart from ClamAV and Avast (e.g. [1], but also a few
threads in our forum) - and I think we probably should include a generic
"custom_scan" plugin, where people can define a script, which gets a
file to be scanned, does its thing (potentially passing it to multiple
virus-scanners) within a given time, and returns the output to PMG
(OK/Infected/Error - probably with some additional text for logging)

This would additionally enable users to use solutions we could not
integrate into PMG for licensing reasons (e.g. services which are free
for private use only, or rate-limited).

Regarding your provided integration and code - It looks ok from a quick
glance! Some minor remarks:
* I would have probably outsourced most of the
  kesl-handling to `/var/custom/scripts/kav_scan.sh` (and rewritten it
  in perl or a language, which makes string handling easier).
* You probably could skip the create-task/start-task/delete-task chain,
  by using the --scan-file option (it relies on the `Scan_File`
  settings, which you can set once (and then provide the file-name to
  be scanned on the command-line) - 
  `kesl-control --scan-file /tmp/eicar.txt` worked for me.
* minor nit: I would probably leave UUID-generation to a library
  (although we are not too fond of pulling in more dependencies) - but
  in this case you probably would be on the safe side with mkstemp (or
  File::Temp in perl)

Does the custom scan script sound like a good compromise for your
use-case?

Thanks for investing your time and sharing your solution!
stoiko


[0] I managed to get 7 events for one .xls attached to a SPAM-Message
[1] https://bugzilla.proxmox.com/show_bug.cgi?id=1988

On Tue, 8 Jan 2019 16:38:07 +0100
Davide Bozzelli <davide.bozzelli at gmail.com> wrote:

> As promised the following is some info about kesl (kaspersky endpoint
> security).
> 
> The command line utility to interact with the service
> is: /opt/kaspersky/kesl/bin/kesl-control
> There is no simple way to have a clamdscan like functionality in
> order to scan a file and get the virus name.
> 
> HOW TO RUN A SCAN
> --------------------------------
> 
> So after some researching I've found the following steps:
> 
> 1) create a task settings file in which I will put the filename to
> scan, something like:
> FirstAction=Skip
> ScanMailBases=Yes
> ScanPlainMail=Yes
> UseAnalyzer=Yes
> HeuristicLevel=Medium
> [ScanScope.item_1]
> Path=/tmp/eicar_com.zip
> 
> 2) create a task: /opt/kaspersky/kesl/bin/kesl-control --create-task
> $task_name --type ODS --file $task_file
> 
> 3) run task: /opt/kaspersky/kesl/bin/kesl-control --start-task
> $task_name -W
>      the -W parameter force to wait the end of the task
> 
> 4) delete task: /opt/kaspersky/kesl/bin/kesl-control --delete-task
> $task_name
> 
> 5) run a query to find out scan info about filename AND task:
>     /opt/kaspersky/kesl/bin/kesl-control -E --query
> "TaskName=='$task_name' and EventType=='ThreatDetected' and
> ObjectName=='File' and Filename like '%$scan_file%'"
> 
> HOW TO INTEGRATE WITH PMG-SMTP-FILTER
> -------------------------------------------------------------------
> 
> Earlier I had used system() to run the various commands, but this leads to a
> fork() for each command.
> I've then preferred to put all the task operations in a shell script
> and let it run from the perl code.
> In this way the perl code is more or less similar to the one used
> for avast or clamd.
> 
> I'm going to post perl and shell code in a separate mail on this list
> under this thread.
> 
> Thx
> 
> On Tue, Jan 8, 2019 at 12:48 PM Stoiko Ivanov <s.ivanov at proxmox.com>
> wrote:
> 
> > Hi,
> >
> > Thank you for providing the links and the time you spent
> > integrating it!
> >
> > I'll give it a look and will try to post my results here this week.
> >
> >
> >
> > On Fri, 28 Dec 2018 15:53:01 +0100
> > Davide Bozzelli <davide.bozzelli at gmail.com> wrote:
> >  
> > > Basically the product is one: kaspersky endpoint security for
> > > linux, sold in two versions
> > > 1) as endpoint product (standalone av)
> > > 2) as specifically for file server
> > >
> > > LINKS:
> > > 1)
> > > https://www.kaspersky.com/small-to-medium-business-security/file-server
> > > 2)
> > >  
> > https://www.kaspersky.com/small-to-medium-business-security/endpoint-linux  
> > >
> > > Pricing for 1 license of "kaspersky security for file server" is
> > > circa 400 euros.
> > > Price seems to be fair.
> > > AV is daemonized and performance seems to be good (but slower
> > > than avast/clamd).
> > > A deb package exists for debian and it's easy to download and
> > > test. There is not a simple command line interface like clamdscan
> > > or scan/avast but I was able
> > > to simulate it.
> > >
> > > Thx
> > >
> > >
> > >
> > > On Fri, Dec 28, 2018 at 3:10 PM Dietmar Maurer
> > > <dietmar at proxmox.com> wrote:
> > >  
> > > > > As per topic, I was able to integrate the kaspersky antivirus
> > > > > with pmg-smtp-filter.
> > > > > I wouldn't give any implementation details here as I don't
> > > > > know if it could be interesting for the product.
> > > > >
> > > > > Do you think it would be useful?  
> > > >
> > > > What is the pricing of that product? Do you have a link to the
> > > > product page?
> > > >
> > > >  
> > >  
> >
> >
> > _______________________________________________
> > pmg-devel mailing list
> > pmg-devel at pve.proxmox.com
> > https://pve.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
> >  
> 
> 

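Added example, not code from this thread, from PMG or from Kaspersky: a POSIX shell sketch of the "custom_scan" contract Stoiko describes (file in, one line of OK/Infected/Error out, within a time limit), wrapped around the `--scan-file` shortcut and the `-E --query` event lookup from Davide's steps. It assumes only the kesl-control invocations quoted in the thread, that ThreatDetected events for a file can be looked up by Filename after the scan, and that any returned event means the file was flagged; the exact event output format is not assumed, so the events are just counted and echoed for logging. The exit-code mapping 0/1/2 for OK/Infected/Error, the use of coreutils `timeout`, and the `KESL_CONTROL` override (which lets the wrapper be exercised with a stub instead of the real binary) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread, PMG or Kaspersky): a custom_scan
# wrapper around kesl-control.  Assumed: the kesl-control flags used in
# the thread (--scan-file, -E --query), that ThreatDetected events are
# queryable by Filename afterwards, and that a non-empty query result
# means the file was flagged.  Exit codes 0/1/2 = OK/Infected/Error are
# this example's convention, not a PMG interface.

KESL_CONTROL="${KESL_CONTROL:-/opt/kaspersky/kesl/bin/kesl-control}"
SCAN_TIMEOUT="${SCAN_TIMEOUT:-30}"   # seconds; the mail filter must not block forever

# Run a command under coreutils timeout when it is available.
# timeout reports 124 when the limit was hit; otherwise the command's status.
run_limited() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$SCAN_TIMEOUT" "$@"
    else
        "$@"
    fi
}

# classify SCAN_RC QUERY_RC EVENTS: print exactly one result line
#   OK | Infected - <text> | Error - <text>
# and return 0 / 1 / 2 respectively.
classify() {
    scan_rc=$1; query_rc=$2; events=$3
    if [ "$scan_rc" -eq 124 ]; then
        echo "Error - scan timed out after ${SCAN_TIMEOUT}s"; return 2
    fi
    if [ "$scan_rc" -ne 0 ] || [ "$query_rc" -ne 0 ]; then
        echo "Error - scanner exit status $scan_rc, query exit status $query_rc"; return 2
    fi
    if [ -n "$events" ]; then
        # The event log may hold several events for one file (the thread
        # saw 7 for one .xls): report the count and all lines joined by ';'
        # so the log carries whatever kesl-control printed.
        n=$(printf '%s\n' "$events" | grep -c . || true)
        summary=$(printf '%s\n' "$events" | paste -sd ';' -)
        echo "Infected - $n event(s): $summary"; return 1
    fi
    echo "OK"; return 0
}

# custom_scan FILE: scan a private copy of FILE under a unique mktemp
# name, so the follow-up Filename query can only match this scan and
# not stale events for an equally named attachment, then clean up.
custom_scan() {
    src=$1
    [ -r "$src" ] || { echo "Error - cannot read $src"; return 2; }
    tmp=$(mktemp "${TMPDIR:-/tmp}/pmg-scan.XXXXXX") || { echo "Error - mktemp failed"; return 2; }
    cp "$src" "$tmp" || { rm -f "$tmp"; echo "Error - cannot copy $src"; return 2; }

    scan_rc=0
    run_limited "$KESL_CONTROL" --scan-file "$tmp" >/dev/null 2>&1 || scan_rc=$?

    # Query from the thread, narrowed to our unique temp name; TaskName is
    # deliberately not used since --scan-file runs its own predefined task.
    query_rc=0
    events=$("$KESL_CONTROL" -E --query \
        "EventType=='ThreatDetected' and ObjectName=='File' and Filename like '%$tmp%'" \
        2>/dev/null) || query_rc=$?

    rm -f "$tmp"
    classify "$scan_rc" "$query_rc" "$events"
}

# When run as a script: kesl_scan.sh FILE  (prints one line, exit 0/1/2)
if [ $# -eq 1 ]; then
    custom_scan "$1"
fi
```

The wrapper deliberately does not parse the event text, since the thread does not show its format; it only distinguishes "no events" from "some events", which is what the OK/Infected decision needs, and leaves the raw lines for the log. A scanner that hangs, that fails outright, or that cannot read its input all collapse into the Error branch, so PMG can treat the scan as undecided rather than silently passing the mail.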


