[pmg-devel] Antivirus support for Kaspersky Endpoint Security for Linux (kesl)

Davide Bozzelli davide.bozzelli at gci.it
Mon Jan 14 22:28:49 CET 2019


Hi Stoiko
Thx for your detailed analysis
I will respond inline:

On 14/01/19 21:30, Stoiko Ivanov wrote:
> Regarding your provided integration and code - It looks ok from a quick
> glance! Some minor remarks:
> * I would have probably outsourced most of the
>    kesl-handling to `/var/custom/scripts/kav_scan.sh` (and rewritten it
>    in perl or a language, which makes string handling easier).
I've written it in bash to avoid the multiple forks involved in calling
kesl-control through system() in perl
directly from pmg-smtp-filter.

> * You probably could skip the create-task/start-task/delete-task chain,
>    by using the --scan-file option (it relies on the `Scan_File`
>    settings, which you can set once (and then provide the file-name to
>    be scanned on the command-line) -
Yes, this was my first experiment, but it ended in a way where I could not find
the virus name in the output:

root at mailgw3:/var/custom/dev/kav# /opt/kaspersky/kesl/bin/kesl-control 
--scan-file /tmp/eicar_com.zip --action skip
Scanned objects                     : 2
Total detected objects              : 1
Infected objects and other objects  : 2
Disinfected objects                 : 0
Moved to Storage                    : 0
Removed objects                     : 0
Not disinfected objects             : 1
Scan errors                         : 0
Password-protected objects          : 0
Skipped                             : 0

As you can see from the output I'm getting only infected objects and
NOT the virus name.
So it seems that create task/delete task with a unique uuid would be a MUST
in order to get
detailed info (e.g. virus name) from the kesl log.
>    `kesl-control --scan-file /tmp/eicar.txt` worked for me.
> * minor nit: I would probably leave UUID-generation to a library
>    (although we are not too fond of pulling in more dependencies) - but
>    in this case you probably would be on the save side with mkstemp (or
>    File::Temp in perl)
I preferred using a "simple" DIY approach to generate the uuid
(shamelessly borrowed code from somewhere on the net)

>
> Does the custom scan script sound like a good compromise for your
> use-case?
>
> Thanks for investing your time and sharing your solution!
> stoiko
>
>
> [0] I managed to get 7 events for one .xls attached to a SPAM-Message
Regarding events, I use the same approach as for getting the virus name from
the other virus scanners (mostly the clamav sub):
simply take the first virus name from the output.
FYI: kesl logs the events in a sqlite database which can be read directly
from perl (e.g. pmg-smtp-filter).

I agree with you that something could change in the kesl output and then
make the parsing useless; I will test
in the following months and let you know if this becomes true.

Thx for your time.

-- 
Davide Bozzelli
System Engineer

General Computer Italia SpA
Il Girasole   Pal. 8/03A
20084 Lacchiarella (MI)
Tel. +39  02 9009 2830
Fax.+39  02 9009 2833
www.gci.it
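The thread's point is that the `kesl-control --scan-file` summary carries only counters, never a detection name, so a wrapper can decide "clean vs. infected" from it but nothing more. The following is an added example (not Davide's kav_scan.sh and not pmg code) that parses the summary format shown above into a verdict; the sample text is the output quoted in the thread, and the treatment of "Scan errors" as a non-clean result is this example's own choice, not something kesl-control or pmg prescribes.

```sh
#!/bin/sh
# Constructed sample: the summary that `kesl-control --scan-file FILE --action skip`
# printed in the thread. In a real wrapper this would be the captured command output.
KESL_SAMPLE='Scanned objects                     : 2
Total detected objects              : 1
Infected objects and other objects  : 2
Disinfected objects                 : 0
Moved to Storage                    : 0
Removed objects                     : 0
Not disinfected objects             : 1
Scan errors                         : 0
Password-protected objects          : 0
Skipped                             : 0'

# kesl_field SUMMARY NAME -> prints the integer after "NAME : " (nothing if absent).
# The separator regex swallows the padding spaces before the colon.
kesl_field() {
    printf '%s\n' "$1" | awk -F' *: *' -v name="$2" '$1 == name { print $2; exit }'
}

# kesl_verdict SUMMARY -> prints clean | infected | error, exit 0 | 2 | 1.
# Only counters are available (no detection name), so the decision rests on
# "Total detected objects". A missing or non-numeric counter, or a non-zero
# "Scan errors", is reported as "error" rather than "clean" so a failed scan
# is not mistaken for a clean one by the caller.
kesl_verdict() {
    detected=$(kesl_field "$1" "Total detected objects")
    errors=$(kesl_field "$1" "Scan errors")
    for v in "$detected" "$errors"; do
        case "$v" in ''|*[!0-9]*) echo error; return 1 ;; esac
    done
    if [ "$errors" -gt 0 ]; then echo error; return 1; fi
    if [ "$detected" -gt 0 ]; then echo infected; return 2; fi
    echo clean
    return 0
}

kesl_verdict "$KESL_SAMPLE" || true   # prints "infected"
```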


