[pmg-devel] Antivirus support for Kaspersky Endpoint Security for Linux (kesl)

Christian Heutger christian at heutger.net
Mon Jan 14 22:18:29 CET 2019


Hi,

thanks for your open answer. I believe antivirus scanners are a big issue with PMG. I'm afraid I opened the discussion some days ago and got a bit stuck after checking the alternatives. It really looks like the antivirus developers try to establish themselves in the field of antispam solutions, as those look like they fit well into their portfolio, so they don't provide, or stop providing, solutions for integration. So most of the ones I found are not able to run daemonized, are only available via API for deep integration (like being OEM licensed) or finally are much too expensive (e.g. depending on the number of users/mailboxes). So I have now also adopted Avast, although I'm far from being a big fan of Avast; the only alternatives I currently see are to purchase some/many of the ClamAV additional signatures (without any statistics information on whether they are really as good as the established antivirus software products) or already having a user-based antivirus solution rolled out (like KESL), resulting in no additional fees for extra installations.

Regards,
Christian

On 14.01.19, 21:32, "pmg-devel on behalf of Stoiko Ivanov" <pmg-devel-bounces at pve.proxmox.com on behalf of s.ivanov at proxmox.com> wrote:

    Hi,
    
    I finally managed to take a look at kesl and your implementation.
    
    Thanks for providing the overview of kesl! - it did indeed save a ton of
    time - and this is where my doubt comes in, whether it would be a good
    fit for direct inclusion into PMG:
    * The whole kesl-suite seems tailored towards being an "Endpoint
      scanner" - i.e. a service that runs constantly and hangs itself into
      various I/O APIs to clean out infected files upon access - iow - a
      virus-scanner like I know it from my Windows days.
    * The asynchronous nature of the scans (despite the -W switch blocking
      until a scan is through) - with scheduling a scan and then reading
      the task-log for a variable number of threats[0], seems a bit fragile
    * I'm not sure about the stability of the scan-settings format and
      could imagine that it changes between versions -
      meaning it could break a running installation with an update of the
      virus-scanner
    
    All of the above points make it seem to me, that the integration is a
    bit too involved for an API, where I'd like to provide a file and
    get 'OK'/'Infected - $virus' back (probably a bit simplified).
    
    OTOH there seems to be some demand by users to integrate other
    virus-scanners apart from ClamAV and Avast (e.g. [1], but also a few
    threads in our forum) - and I think we probably should include a generic
    "custom_scan" plugin, where people can define a script, which gets a
    file to be scanned, does its thing (potentially passing it to multiple
    virus-scanners) within a given time, and returns the output to PMG
    (OK/Infected/Error - probably with some additional text for logging)
    
    This would additionally enable users to use solutions, we could not
    integrate into PMG, for licensing reasons (e.g. services which are free
    for private use only, or rate-limited).
    
    Regarding your provided integration and code - It looks ok from a quick
    glance! Some minor remarks:
    * I would have probably outsourced most of the
      kesl-handling to `/var/custom/scripts/kav_scan.sh` (and rewritten it
      in perl or a language, which makes string handling easier).
    * You probably could skip the create-task/start-task/delete-task chain,
      by using the --scan-file option (it relies on the `Scan_File`
      settings, which you can set once (and then provide the file-name to
      be scanned on the command-line) - 
      `kesl-control --scan-file /tmp/eicar.txt` worked for me.
    * minor nit: I would probably leave UUID-generation to a library
      (although we are not too fond of pulling in more dependencies) - but
      in this case you probably would be on the safe side with mkstemp (or
      File::Temp in perl)
    
    Does the custom scan script sound like a good compromise for your
    use-case?
    
    Thanks for investing your time and sharing your solution!
    stoiko
    
    
    [0] I managed to get 7 events for one .xls attached to a SPAM-Message
    [1] https://bugzilla.proxmox.com/show_bug.cgi?id=1988
    
    On Tue, 8 Jan 2019 16:38:07 +0100
    Davide Bozzelli <davide.bozzelli at gmail.com> wrote:
    
    > As promised the following is some info about kesl (kaspersky endpoint
    > security).
    > 
    > The command line utility to interact with the service
    > is: /opt/kaspersky/kesl/bin/kesl-control
    > There is no simple way to have  a clamdscan like functionality in
    > order to scan a file and get the virus name.
    > 
    > HOW TO RUN A SCAN
    > --------------------------------
    > 
    > So after some researching I've found the following steps:
    > 
    > 1) create a task settings file in which I put the filename to
    > scan, something like:
    > FirstAction=Skip
    > ScanMailBases=Yes
    > ScanPlainMail=Yes
    > UseAnalyzer=Yes
    > HeuristicLevel=Medium
    > [ScanScope.item_1]
    > Path=/tmp/eicar_com.zip
    > 
    > 2) create a task: /opt/kaspersky/kesl/bin/kesl-control --create-task
    > $task_name --type ODS --file $task_file
    > 
    > 3) run task: /opt/kaspersky/kesl/bin/kesl-control --start-task
    > $task_name -W
    >      the -W parameter force to wait the end of the task
    > 
    > 4) delete task: /opt/kaspersky/kesl/bin/kesl-control --delete-task
    > $task_name
    > 
    > 5) run a query to find out scan info about filename AND task:
    >     /opt/kaspersky/kesl/bin/kesl-control -E --query
    > "TaskName=='$task_name' and EventType=='ThreatDetected' and
    > ObjectName=='File' and Filename like '%$scan_file%'"
    > 
    > HOW TO INTEGRATE WITH PMG-SMTP-FILTER
    > -------------------------------------------------------------------
    > 
    > Earlier I had used system() to run the various commands, but this leads
    > to a fork() for each command.
    > I then preferred to put all the task operations in a shell script
    > and run it from the perl code.
    > In this way the perl code is more or less similar to the other code used
    > for avast or clamd.
    > 
    > I'm going to post perl and shell code in a separate mail on this list
    > under this thread.
    > 
    > Thx
    > 
    > 
    > 
    > 
    > 
    > 
    > On Tue, Jan 8, 2019 at 12:48 PM Stoiko Ivanov <s.ivanov at proxmox.com>
    > wrote:
    > 
    > > Hi,
    > >
    > > Thank you for providing the links and the time you spent
    > > integrating it!
    > >
    > > I'll give it a look and will try to post my results here this week.
    > >
    > >
    > >
    > > On Fri, 28 Dec 2018 15:53:01 +0100
    > > Davide Bozzelli <davide.bozzelli at gmail.com> wrote:
    > >  
    > > > Basically the product is one: kaspersky endpoint security for
    > > > linux, sold in two version
    > > > 1) as endpoint product (standalone av)
    > > > 2) as specifically for file server
    > > >
    > > > LINKS:
    > > > 1)
    > > > https://www.kaspersky.com/small-to-medium-business-security/file-server
    > > > 2)
    > > >  
    > > https://www.kaspersky.com/small-to-medium-business-security/endpoint-linux  
    > > >
    > > > Pricing for 1 license of  "kaspersky security for file server" is
    > > > circa 400 euros.
    > > > Price seems to be fair.
    > > > AV is daemonized and performance seems to be good (but slower
    > > > than avast/clamd).
    > > > A deb package exists for debian and it's easy to download and
    > > > test. There is not a simple command line interface like clamdscan
    > > > or scan/avast but i was able
    > > > to simulate it.
    > > >
    > > > Thx
    > > >
    > > >
    > > >
    > > > On Fri, Dec 28, 2018 at 3:10 PM Dietmar Maurer
    > > > <dietmar at proxmox.com> wrote:
    > > >  
    > > > > > As per topic, I was able to integrate the kaspersky antivirus
    > > > > > with pmg-smtp-filter.
    > > > > > I wouldn't give any implementation details here as I don't
    > > > > > know if it could be interesting for the product.
    > > > > >
    > > > > > Do you think would be useful ?  
    > > > >
    > > > > What is the pricing of that product? Do you have a link to the
    > > > > product page?
    > > > >
    > > > >  
    > > >  
    > >
    > >
    > > _______________________________________________
    > > pmg-devel mailing list
    > > pmg-devel at pve.proxmox.com
    > > https://pve.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
    > >  
    > 
    > 
    
    
    
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4972 bytes
Desc: not available
URL: <http://pve.proxmox.com/pipermail/pmg-devel/attachments/20190114/775d05c7/attachment.bin>
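The custom_scan contract Stoiko sketches above (give the script a file, get OK / Infected / Error back within a time limit), combined with his --scan-file shortcut in place of Davide's create-task/start-task/delete-task chain, fits in a short wrapper. The following is an added example written for this page, not code from the thread, from PMG or from Kaspersky. It uses only the kesl-control options named in the thread (--scan-file, -E --query with the same query clauses Davide posted). Two things are assumptions, because the thread does not document them: that the event query prints key=value lines, and that the detection name is in a field called DetectName. The unique mktemp path per scan stands in for the hand-rolled UUID, as suggested, and also keeps the persistent event log from matching detections of an earlier scan of the same path.

```shell
#!/bin/sh
# kav_scan.sh: an added example of the "custom_scan" wrapper proposed in the
# thread, built on kesl-control --scan-file. Not PMG code and not Kaspersky's.
# ASSUMED (not documented in the thread): the -E --query output is key=value
# lines and the detection name is in a DetectName field.
#
# Contract: kav_scan FILE prints exactly one line, "OK", "Infected: <name>"
# or "Error: <reason>", and returns 0, 1 or 2 respectively.

KESL_CONTROL="${KESL_CONTROL:-/opt/kaspersky/kesl/bin/kesl-control}"
SCAN_TIMEOUT="${SCAN_TIMEOUT:-30}"   # seconds; a stuck scanner must not stall pmg-smtp-filter

kav_scan() {
    src="$1"
    [ -f "$src" ] || { echo "Error: not a regular file: $src"; return 2; }
    [ -x "$KESL_CONTROL" ] || { echo "Error: $KESL_CONTROL is not executable"; return 2; }

    # The ThreatDetected events live in a persistent log, so querying by the
    # original path would also match events from earlier scans of the same
    # path. Scan a copy under a unique mktemp name and query for that name
    # (mktemp instead of a hand-rolled UUID, as suggested in the thread).
    work=$(mktemp -d "${TMPDIR:-/tmp}/kav_scan.XXXXXX") || { echo "Error: mktemp failed"; return 2; }
    copy="$work/sample"
    if ! cp -- "$src" "$copy"; then
        rm -rf "$work"; echo "Error: cannot copy $src"; return 2
    fi

    # --scan-file uses the pre-configured Scan_File task settings, so no
    # create/start/delete-task chain is needed. timeout(1) bounds the
    # wall-clock time, which the proposed plugin API requires.
    out=$(timeout "$SCAN_TIMEOUT" "$KESL_CONTROL" --scan-file "$copy" 2>&1)
    rc=$?
    if [ "$rc" -eq 124 ]; then
        rm -rf "$work"; echo "Error: scan timed out after ${SCAN_TIMEOUT}s"; return 2
    elif [ "$rc" -ne 0 ]; then
        rm -rf "$work"; echo "Error: kesl-control exited $rc: $out"; return 2
    fi

    # Query the event log for this scan's unique path only.
    events=$("$KESL_CONTROL" -E --query \
        "EventType=='ThreatDetected' and ObjectName=='File' and Filename like '%$copy%'" 2>&1)
    rc=$?
    rm -rf "$work"
    [ "$rc" -eq 0 ] || { echo "Error: event query exited $rc: $events"; return 2; }

    # One file can produce several ThreatDetected events (seven for one .xls
    # in the thread): report the first name and the number of further ones.
    names=$(printf '%s\n' "$events" | sed -n 's/^DetectName=//p')   # ASSUMED field name
    if [ -z "$names" ]; then
        echo "OK"; return 0
    fi
    first=$(printf '%s\n' "$names" | head -n 1)
    total=$(printf '%s\n' "$names" | wc -l | tr -d ' ')
    if [ "$total" -gt 1 ]; then
        echo "Infected: $first (+$((total - 1)) more detections)"
    else
        echo "Infected: $first"
    fi
    return 1
}

# Invoked by PMG as "kav_scan.sh FILE": run the scan and pass the code up.
if [ "$#" -gt 0 ]; then
    kav_scan "$1"
    exit $?
fi
```

Two caveats before deploying something like this: the scan is performed by the kesl service under its own identity, so the temporary copy (mktemp -d creates the directory mode 0700) must be readable by that service, and the DetectName parsing must be checked against the real output of `kesl-control -E --query` on the installed version, since, as noted in the thread, the settings and output formats may change between kesl releases.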

