bypass ClamAV check for a specific sender

st3
Posts: 26
Joined: Mon Aug 05, 2019 8:17 am

bypass ClamAV check for a specific sender

Postby st3 » Mon Feb 10, 2020 1:38 pm

Hi.
I've been using Zimbra Open Source edition 8.8.15 for about 3 months now. I noticed that some senders send us encrypted .zim or .pdf files that are automatically blocked by ClamAV with the message: Heuristics.Encrypted.PDF FOUND.
I need to bypass this check for some senders. I tried to do this by following the Zimbra wiki, but no success so far: https://wiki.zimbra.com/wiki/Improving_Anti-spam_system
Disabling "block encrypted archives" is not an option for me. Reading older forum posts hasn't been helpful either.

Has anyone managed to bypass ClamAV check for a specific sender?


JDunphy
Outstanding Member
Posts: 520
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P14 RHEL6 Network Edition

Re: bypass ClamAV check for a specific sender

Postby JDunphy » Mon Feb 10, 2020 3:15 pm

viewtopic.php?f=15&t=64117#p295675

Create a meta rule with SA and negatively score a hit on that rule when it also matches your users and encrypted pdf hit.

HTH,

Jim
st3
Posts: 26
Joined: Mon Aug 05, 2019 8:17 am

Re: bypass ClamAV check for a specific sender

Postby st3 » Tue Feb 11, 2020 7:20 am

It seems to me like your solution allows all encrypted PDFs. Is there a way to completely bypass the filters for a certain sender?
JDunphy
Outstanding Member
Posts: 520
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P14 RHEL6 Network Edition

Re: bypass ClamAV check for a specific sender

Postby JDunphy » Tue Feb 11, 2020 3:37 pm

st3 wrote:
JDunphy wrote: https://forums.zimbra.org/viewtopic.php?f=15&t=64117#p295675
Create a meta rule with SA and negatively score a hit on that rule when it also matches your users and encrypted pdf hit.

It seems to me like your solution allows all encrypted PDFs. Is there a way to completely bypass the filters for a certain sender?

As written, the rule J_ENCR_PDF allows all encrypted PDFs to run through your spam scoring engine, which may or may not score them to spam or discard. To give it a better chance of getting to the inbox, you would want to give it some negative points and perhaps lock it to a few trusted sources ... Being a little more specific about what I wrote above, here is a more specific solution.

Code:

# Requires: /opt/zimbra/common/sbin/amavisd this entry in @virus_name_to_spam_score_maps
#       [ qr'^Heuristics\.Encrypted\.PDF'                      => 0.1 ], #JAD
header J_ENCR_PDF  X-Amavis-AV-Status =~ m{Heuristics\.Encrypted\.PDF}i
score J_ENCR_PDF  0.1
describe J_ENCR_PDF Allow encrypted pdf's through

header __TRUSTED_SENDER From =~ /someuser\@example\.com|anotheruser\@example\.net/i
meta st3_ENCRYPTED_PDF_SENDER ( __TRUSTED_SENDER && J_ENCR_PDF)
score st3_ENCRYPTED_PDF_SENDER -7
describe st3_ENCRYPTED_PDF_SENDER Allow some users to send encrypted pdfs

Note: you can use any header with the rules above, and 'Return-Path' is the "envelope from" (i.e. mail from:<user@example.com> in the SMTP protocol). If your sender also digitally signs, you could 'and' in both the Return-Path and DKIM_VALID_AU to the above meta rule to make it near impossible to be spoofed, so only your trusted sender is allowed to send incoming encrypted PDFs. You could further lock it to destination users or accounts. For example, only allow a certain alias to receive them, or only recipients from some sender domains, etc.

Now the difficult question... Do you believe encrypted PDFs are harmful? If you do, then that J_ENCR_PDF rule would open that pathway for the entire system and all the users, as you noted.

To mitigate some of that, if you don't want to allow encrypted PDFs to land in the other users' inbox or spam folders, you could add this layer.

Code:

meta st3_SCORE_ENCR_PDF (J_ENCR_PDF)
score st3_SCORE_ENCR_PDF 15
describe st3_SCORE_ENCR_PDF discard encrypted pdfs

If you want to send it to the user's junk folder, change the score from 15 to 5. Increase these numbers to account for any other negative scoring you have built in with other existing rules, or if your thresholds are higher for discard/junk.
You could also score that initial J_ENCR_PDF rule much higher than 0.1 and then compensate with a higher negative score for your trusted sender in the examples given here.

HTH,

Jim

If you haven't written a SpamAssassin (SA) rule before, the wiki article below may help and has other starting links to help write SA rules for the SpamAssassin project. Writing rules is pretty simple once you see a few and get the general concept of what is going on.

Ref: https://wiki.zimbra.com/wiki/JDunphy-SA-RuleWriting
st3
Posts: 26
Joined: Mon Aug 05, 2019 8:17 am

Re: bypass ClamAV check for a specific sender

Postby st3 » Fri Feb 14, 2020 10:08 am

Still haven't figured it out:

Here is my config:
/opt/zimbra/data/spamassassin/localrules/sauser.cf

Code:

# Requires: /opt/zimbra/common/sbin/amavisd this entry in @virus_name_to_spam_score_maps
#       [ qr'^Heuristics\.Encrypted\.PDF'                      => 0.1 ], #JAD
header J_ENCR_PDF  X-Amavis-AV-Status =~ m{Heuristics\.Encrypted\.PDF}i
score J_ENCR_PDF  0.1
describe J_ENCR_PDF Allow encrypted pdf's through

header __TRUSTED_SENDER From =~ /username\@mail\.domain\.com/i
meta st3_ENCRYPTED_PDF_SENDER ( __TRUSTED_SENDER && J_ENCR_PDF)
score st3_ENCRYPTED_PDF_SENDER -7
describe st3_ENCRYPTED_PDF_SENDER Allow some users to send encrypted pdfs

meta st3_SCORE_ENCR_PDF (J_ENCR_PDF)
score st3_SCORE_ENCR_PDF 15
describe st3_SCORE_ENCR_PDF discard encrypted pdfs


And my /opt/zimbra/common/sbin/amavisd:

Code:

@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters, first match wins
    [ qr'^Structured\.(SSN|CreditCardNumber)\b'            => 0.1 ],
    [ qr'^(Heuristics\.)?Phishing\.'                       => 0.1 ],
    [ qr'^Heuristics\.Encrypted\.PDF'                      => 0.1 ], #JAD
    [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)'      => 0.1 ],


With this configuration I can send encrypted PDFs from any mail sender. But I need to allow incoming encrypted PDFs only from info@externaldomain.com
JDunphy
Outstanding Member
Posts: 520
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P14 RHEL6 Network Edition

Re: bypass ClamAV check for a specific sender

Postby JDunphy » Fri Feb 14, 2020 2:25 pm

Without seeing these 2 headers... From and Return-Path, this is a guess. Also, you don't say whether the encrypted PDF was still virus scanned or didn't show up, nor whether you restarted amavis. I do see one obvious problem when desk checking your rules.

You are scoring -7 points for your trusted sender (provided the From header matched) and then scoring them 15 points because it was an encrypted PDF. Probably not what you had intended, as that could either score it to junk or, with other rules, to discard.

Code:

meta st3_SCORE_ENCR_PDF (J_ENCR_PDF)
score st3_SCORE_ENCR_PDF 15
describe st3_SCORE_ENCR_PDF discard encrypted pdfs


You want something like this:

Code:

meta st3_SCORE_ENCR_PDF (J_ENCR_PDF && !st3_ENCRYPTED_PDF_SENDER)
score st3_SCORE_ENCR_PDF 15
describe st3_SCORE_ENCR_PDF discard encrypted pdfs


Restart amavis to see new rules change.

Code:

# su - zimbra
% zmamavisdctl restart

Hint: Run spamassassin in debug mode to test your rules; it saves you from having to restart amavis until you have your rules/logic working correctly. If you run spamassassin in debug mode, you could see whether st3_ENCRYPTED_PDF_SENDER matched. Simple to do... save the email into a text file and then use the -D option and look at the output of the rules that matched. The wiki link shows how to run spamassassin in debug mode. If you don't have an email to use for testing... amavis will put its input files here: /opt/zimbra/data/amavisd/tmp/ when it breaks up all the attachments into separate files for clamav scanning. Each directory represents an email with the original and any attachments under parts. The other way to get the original email to test against is to pull it from clamav if it has quarantined it. I have a script that gives that quarantined location/pathname provided you give it the internal reference code.
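To make the scoring arithmetic in Jim's two replies concrete (the -7 for the trusted sender, the 15 for everyone else, and why the first st3_SCORE_ENCR_PDF needed the !st3_ENCRYPTED_PDF_SENDER exclusion), here is an added example that is not code from this thread, Zimbra or SpamAssassin: a small Python evaluator for just the header/meta/score lines posted above, run against constructed sample headers. The X-Amavis-AV-Status header values are assumptions for illustration.

```python
import re

# Constructed example, not code from this thread, Zimbra or SpamAssassin: a tiny
# evaluator for the header/meta/score lines posted above, so the scoring logic can
# be desk-checked offline. Real testing is still `spamassassin -D < message.eml`.
RULES = r"""
header J_ENCR_PDF  X-Amavis-AV-Status =~ m{Heuristics\.Encrypted\.PDF}i
score J_ENCR_PDF  0.1
header __TRUSTED_SENDER From =~ /username\@mail\.domain\.com/i
meta st3_ENCRYPTED_PDF_SENDER ( __TRUSTED_SENDER && J_ENCR_PDF)
score st3_ENCRYPTED_PDF_SENDER -7
meta st3_SCORE_ENCR_PDF (J_ENCR_PDF && !st3_ENCRYPTED_PDF_SENDER)
score st3_SCORE_ENCR_PDF 15
"""
# The first version posted in the thread, which forgot to exclude the trusted sender.
BUGGY_RULES = RULES.replace("(J_ENCR_PDF && !st3_ENCRYPTED_PDF_SENDER)", "(J_ENCR_PDF)")

HEADER_RE = re.compile(r"^header\s+(\S+)\s+(\S+)\s*=~\s*(?:m\{(.*)\}|/(.*)/)([a-z]*)$")
META_RE = re.compile(r"^meta\s+(\S+)\s+(.*)$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(-?[\d.]+)$")
KEYWORDS = {"and", "or", "not"}  # survive the rule-name substitution below

def evaluate(rules, headers):
    """Return (total score, sorted names of rules that hit) for a message given as a
    header dict. __ sub-rules score 0; unscored rules get SpamAssassin's default 1.0."""
    hits, scores, metas = {}, {}, []
    for line in rules.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            name, hdr, pat_a, pat_b, flags = m.groups()
            pattern = pat_a if pat_a is not None else pat_b
            flag = re.I if "i" in flags else 0
            hits[name] = re.search(pattern, headers.get(hdr, ""), flag) is not None
        elif m := META_RE.match(line):
            metas.append(m.groups())  # evaluated after the header rules, in file order
        elif m := SCORE_RE.match(line):
            scores[m.group(1)] = float(m.group(2))
    for name, expr in metas:
        expr = expr.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
        expr = re.sub(r"[A-Za-z_]\w*", lambda t: t.group(0) if t.group(0) in KEYWORDS
                      else str(hits.get(t.group(0), False)), expr)
        hits[name] = bool(eval(expr, {"__builtins__": {}}))  # only True/False/and/or/not left
    total = sum(scores.get(n, 1.0) for n, h in hits.items() if h and not n.startswith("__"))
    return round(total, 3), sorted(n for n, h in hits.items() if h)

# Constructed sample headers (the AV-Status wording is an assumption, not captured output).
TRUSTED_ENCRYPTED = {"From": "Some One <username@mail.domain.com>",
                     "X-Amavis-AV-Status": "INFECTED (Heuristics.Encrypted.PDF)"}
OTHER_ENCRYPTED = {"From": "stranger@example.org",
                   "X-Amavis-AV-Status": "INFECTED (Heuristics.Encrypted.PDF)"}
```

Calling evaluate(BUGGY_RULES, TRUSTED_ENCRYPTED) gives 8.1 (above the junk threshold of 5), while evaluate(RULES, TRUSTED_ENCRYPTED) gives -6.9 and evaluate(RULES, OTHER_ENCRYPTED) gives 15.1.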
st3
Posts: 26
Joined: Mon Aug 05, 2019 8:17 am

Re: bypass ClamAV check for a specific sender

Postby st3 » Mon Feb 17, 2020 8:34 am

It looks like it is still virus checked by ClamAV.
In SpamAssassin debug mode I'm getting a score of 1.107:

Code:

Feb 17 10:19:49.525 [29521] dbg: check: is spam? score=1.107 required=5

As I understand it, then it passes the check. Is that correct?

If I add

Code:

    [ qr'^Heuristics\.Encrypted\.PDF'                      => 0.1 ], #JAD

to /opt/zimbra/common/sbin/amavisd, then encrypted PDFs work for all users. If I remove it, clamd.log says:

Code:

/opt/zimbra/data/amavisd/tmp/amavis-20200217T101624-26495-IM14NOIj/parts/p002: Heuristics.Encrypted.PDF FOUND


Other rules written in sauser.cf work, but they are simple rules that block a sender by its From address.
