[pmg-devel] Antivirus support for Kaspersky Endpoint Security for Linux (kesl)
Davide Bozzelli
davide.bozzelli at gmail.com
Thu Jan 10 12:01:08 CET 2019
And this one is the Perl fragment:

# Assumes the same imports the other engine subs in PMG::Utils rely on:
#   use strict; use warnings;
#   use Time::HiRes qw(gettimeofday);
#   use Sys::Syslog qw(syslog);

sub analyze_virus_kav {
    my ($queue, $dname, $pmg_cfg) = @_;

    my $timeout = 60*5;
    my ($csec, $usec) = gettimeofday();
    my $previous_alarm;
    my $debug = 0;
    # not called directly from here; the wrapper script runs it
    my $av_cmd = "/opt/kaspersky/kesl/bin/kesl-control";
    my $av_scan_cmd = "/var/custom/scripts/kav_scan.sh";
    my $scan_error = 0;
    my $response = '';
    my $vinfo = "none";
    my $size = 0;

    # where to write the task file (this is a ramcache)
    my $work_dir = "/var/custom/work/ramcache";

    ## Task conf - Add here your personal settings
    ## BUT add it BEFORE [ScanScope.item_1]
    my @task_file_contents = (
        "FirstAction=Skip",
        "ScanMailBases=Yes",
        "ScanPlainMail=Yes",
        "UseAnalyzer=Yes",
        "HeuristicLevel=Medium",
        "[ScanScope.item_1]"
    );

    # generate a pronounceable, unique-enough name for the scan task
    srand( time() ^ ($$ + ($$ << 15)) );
    my @v = qw ( a e i o u y );
    my @c = qw ( b c d f g h j k l m n p q r s t v w x z );
    my ($flip, $uuid) = (0,'');
    $uuid .= ($flip++ % 2) ? $v[rand(6)] : $c[rand(20)] for 1 .. 9;
    $uuid =~ s/(....)/$1 . int rand(10)/e;
    $uuid = ucfirst $uuid if rand() > 0.5;
    $uuid = "OSD00".$uuid;

    # scan task settings filename
    my $task_file = "$work_dir/$uuid.task";

    # prepare the scan task settings file; '>' truncates, whereas '>>' would
    # append to a leftover file of the same name and scan the wrong Path
    open(my $fh, '>', $task_file)
        || die "$queue->{logid}: cannot write $task_file: $!";
    print $fh join("\n", @task_file_contents);
    # append the filename to scan
    print $fh "\nPath=$dname\n";
    close $fh;

    eval {
        # install the handler before arming the alarm, and localize it so
        # the previous handler is restored when the eval exits
        local $SIG{ALRM} = sub {
            die "$queue->{logid}: Maximum time ($timeout sec) exceeded. " .
                "virus analyze (kaspersky) failed: ERROR";
        };
        $previous_alarm = alarm($timeout);

        # run the wrapper script that creates/starts/deletes the task and
        # queries the kesl event db for malware events; the list form of
        # open keeps $dname out of a shell
        open(my $cmd, '-|', $av_scan_cmd, $uuid, $task_file, $dname)
            || die "$queue->{logid}: problem running query events for " .
                   "kaspersky antivirus engine: $! : ERROR";

        # loop through the scan task events output to find the virus information
        while (defined(my $line = <$cmd>)) {
            $size++;
            syslog('info', "line is $line") if $debug;
            $response .= $line;
            chomp $line;
            # Key=Value lines; a value containing whitespace would not match
            if ($line =~ /^(\S+)=(\S+)\W*$/) {
                my ($id, $value) = ($1, $2);
                if ($id eq 'DetectName') {
                    $vinfo = $value;
                    last;
                }
            } elsif ($line =~ /^KAV_ERROR/) {
                $scan_error = 1;
                last;
            }
        }
        close $cmd;
        alarm(0); # avoid race conditions

        # die in case of scanner error
        if ($scan_error) {
            die "$queue->{logid}: (kaspersky) got undefined output from " .
                "virus detector: $response : ERROR";
        }
        if ($vinfo ne 'none') {
            syslog('info', "$queue->{logid}: virus detected: $vinfo (kaspersky)");
        }
    }; # end of eval
    my $err = $@;

    alarm($previous_alarm) if (defined $previous_alarm);
    # remove the task file on every path, including a timeout or die above
    unlink $task_file if (-e $task_file);

    my ($csec_end, $usec_end) = gettimeofday();
    $queue->{ptime_kav} = int(($csec_end-$csec)*1000 + ($usec_end - $usec)/1000);

    if ($err) {
        syslog('err', $err);
        $vinfo = 'none';
        $queue->{errors} = 1;
    }
    $queue->{vinfo_kav} = $vinfo;

    return ($vinfo ne 'none') ? "$vinfo (kaspersky)" : undef;
} # end of sub
On Tue, Jan 8, 2019 at 4:38 PM Davide Bozzelli <davide.bozzelli at gmail.com>
wrote:
> As promised the following is some info about kesl (Kaspersky Endpoint
> Security).
>
> The command line utility to interact with the service
> is: /opt/kaspersky/kesl/bin/kesl-control
> There is no simple way to have clamdscan-like functionality in order to
> scan a file and get the virus name.
>
> HOW TO RUN A SCAN
> --------------------------------
>
> So after some research I've found the following steps:
>
> 1) create a task settings file in which I will put the filename to scan,
> something like:
> FirstAction=Skip
> ScanMailBases=Yes
> ScanPlainMail=Yes
> UseAnalyzer=Yes
> HeuristicLevel=Medium
> [ScanScope.item_1]
> Path=/tmp/eicar_com.zip
>
> 2) create a task: /opt/kaspersky/kesl/bin/kesl-control --create-task
> $task_name --type ODS --file $task_file
>
> 3) run task: /opt/kaspersky/kesl/bin/kesl-control --start-task $task_name
> -W
> the -W parameter forces it to wait for the end of the task
>
> 4) delete task: /opt/kaspersky/kesl/bin/kesl-control --delete-task
> $task_name
>
> 5) run a query to find out scan info about filename AND task:
> /opt/kaspersky/kesl/bin/kesl-control -E --query
> "TaskName=='$task_name' and EventType=='ThreatDetected' and
> ObjectName=='File' and Filename like '%$scan_file%'"
>
> HOW TO INTEGRATE WITH PMG-SMTP-FILTER
> -------------------------------------------------------------------
>
> Earlier I had used system() to run the various commands but this leads to a
> fork() for each command.
> I then preferred to put all the task operations in a shell script and
> run it from the Perl code.
> In this way the Perl code is more or less similar to the other code used for
> avast or clamd.
>
> I'm going to post the Perl and shell code in a separate mail on this list
> under this thread.
>
> Thx
>
> On Tue, Jan 8, 2019 at 12:48 PM Stoiko Ivanov <s.ivanov at proxmox.com>
> wrote:
>
>> Hi,
>>
>> Thank you for providing the links and the time you spent integrating it!
>>
>> I'll give it a look and will try to post my results here this week.
>>
>>
>>
>> On Fri, 28 Dec 2018 15:53:01 +0100
>> Davide Bozzelli <davide.bozzelli at gmail.com> wrote:
>>
>> > Basically the product is one: Kaspersky Endpoint Security for Linux,
>> > sold in two versions:
>> > 1) as an endpoint product (standalone AV)
>> > 2) specifically for file servers
>> >
>> > LINKS:
>> > 1)
>> > https://www.kaspersky.com/small-to-medium-business-security/file-server
>> > 2)
>> >
>> https://www.kaspersky.com/small-to-medium-business-security/endpoint-linux
>> >
>> > Pricing for 1 license of "kaspersky security for file server" is
>> > circa 400 euros.
>> > The price seems to be fair.
>> > The AV is daemonized and performance seems to be good (but slower than
>> > avast/clamd).
>> > A deb package exists for Debian and it's easy to download and test.
>> > There is no simple command line interface like clamdscan or
>> > scan/avast but I was able
>> > to simulate it.
>> >
>> > Thx
>> >
>> >
>> >
>> > On Fri, Dec 28, 2018 at 3:10 PM Dietmar Maurer <dietmar at proxmox.com>
>> > wrote:
>> >
>> > > > As per topic, I was able to integrate the Kaspersky antivirus with
>> > > > pmg-smtp-filter.
>> > > > I wouldn't give any implementation details here as I don't know
>> > > > if it could be
>> > > > interesting
>> > > > for the product.
>> > > >
>> > > > Do you think it would be useful?
>> > >
>> > > What is the pricing of that product? Do you have a link to the
>> > > product page?
>> > >
>> > >
>> >
>>
>>
>> _______________________________________________
>> pmg-devel mailing list
>> pmg-devel at pve.proxmox.com
>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
>>
>
>
> --
> Got problems with Windows? - ReBooT
> Got problems with Linux? - Be RooT
>
--
Got problems with Windows? - ReBooT
Got problems with Linux? - Be RooT
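The shell wrapper that the Perl fragment runs as kav_scan.sh is not on this page (it was announced for a separate mail). What follows is an added example of such a wrapper, written for this edit; it is not Davide's script and not anything shipped by Proxmox or Kaspersky. It only issues the kesl-control invocations quoted in the "HOW TO RUN A SCAN" steps above, and it emits a line starting with KAV_ERROR on failure, which is the convention the Perl parser expects. Assumptions to check against a real install: the KESL_CONTROL override (added so the script can be exercised against a stub), and the reading of a non-zero exit status from `--start-task ... -W` as "task did not run" rather than "threat found".

```shell
#!/bin/sh
# kav_scan.sh -- run one kesl on-demand scan task for a single file.
#
# Usage: kav_scan.sh TASK_NAME TASK_FILE PATH_TO_SCAN
#
# Output: the ThreatDetected events for PATH_TO_SCAN as printed by
# "kesl-control -E" (Key=Value lines), or a line starting with KAV_ERROR.
# Example wrapper, not part of PMG or kesl. KESL_CONTROL is an assumed
# override so the script can be tested against a stub binary.

# Build the event query from the task name and the scanned path. The path
# is substituted into a single-quoted literal, so a quote inside it would
# break (or reshape) the query; refuse such paths instead of emitting them.
kav_build_query() {
    _task=$1; _path=$2
    case "$_task$_path" in
        *\'*) return 1 ;;
    esac
    printf "TaskName=='%s' and EventType=='ThreatDetected' and ObjectName=='File' and Filename like '%%%s%%'" \
        "$_task" "$_path"
}

# The task name reaches kesl-control both as a CLI argument and inside the
# query, so restrict it to a conservative character set.
kav_valid_task_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

kav_scan() {
    if [ "$#" -ne 3 ]; then
        echo "KAV_ERROR: usage: kav_scan.sh TASK_NAME TASK_FILE PATH"
        return 1
    fi
    task=$1; task_file=$2; scan_path=$3
    kesl=${KESL_CONTROL:-/opt/kaspersky/kesl/bin/kesl-control}

    if ! kav_valid_task_name "$task"; then
        echo "KAV_ERROR: invalid task name '$task'"
        return 1
    fi
    if [ ! -r "$task_file" ] || [ ! -e "$scan_path" ]; then
        echo "KAV_ERROR: task file or scan path missing"
        return 1
    fi
    query=$(kav_build_query "$task" "$scan_path") || {
        echo "KAV_ERROR: quote character in task name or path"
        return 1
    }

    # 2) create the on-demand-scan (ODS) task from the settings file
    if ! "$kesl" --create-task "$task" --type ODS --file "$task_file" >/dev/null 2>&1; then
        echo "KAV_ERROR: create-task failed for $task"
        return 1
    fi
    # 3) run it and wait for completion. Assumption: a non-zero status means
    #    the task did not run, not that it detected something.
    "$kesl" --start-task "$task" -W >/dev/null 2>&1 && rc=0 || rc=$?
    # 4) always delete the task, so a failed run leaves no task behind
    #    that still references a PMG spool file
    "$kesl" --delete-task "$task" >/dev/null 2>&1 || :
    if [ "$rc" -ne 0 ]; then
        echo "KAV_ERROR: start-task exited with status $rc"
        return 1
    fi
    # 5) query the event db for detections tied to this task and file;
    #    the Perl caller picks the DetectName= line out of this output
    if ! "$kesl" -E --query "$query"; then
        echo "KAV_ERROR: event query failed"
        return 1
    fi
}

# run only when invoked as the script itself (the Perl side passes
# "$uuid $task_file $dname")
if [ "${0##*/}" = "kav_scan.sh" ]; then
    kav_scan "$@"
fi
```

The task is deleted before the exit status of `--start-task` is examined, so a timeout or failure inside the Perl eval cannot leave a task registered in kesl. If your kesl version reports detections through the exit status of `--start-task -W`, drop the `rc` check and rely on the event query alone.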