Amavis and Palo Alto Networks Wildfire Sandbox

Grooz, Marc (regio iT) Marc.Grooz at regioit.de
Thu Jan 4 17:10:57 CET 2018


Hi,

I wrote my own script to add support for the Palo Alto Wildfire sandbox function to Amavis as a virus scanner.

Currently it's a bash script that does the following:


- First compute a sha256 hash and determine the mimetype of the files presented by amavis
- Check if the mimetype is supported by Wildfire before going on
- Check if the hash is present in the local redis storage and use the verdict (benign|malware)
- If the hash isn't present in redis storage, ask the wildfire cloud for a verdict
- Depending on the answer from the wildfire cloud: if it's known, the verdict gets written to the redis storage and used; if it's unknown, the file gets uploaded to the cloud for inspection

You need a Wildfire subscription to make use of this sandbox system.

The Script tells amavis if a supported file is malicious or not with the corresponding exit codes.

The drawback of unknown malicious files is that they pass the first check and only further mails get blocked.

It would be nice if the script could tell amavis to do an SMTP 450 in a case where an unknown file is uploaded, for example by having a third exit code.

Is there already such a function?

If anybody is interested in that script give me a message.

Regards Marc
-------------- next part --------------
An attachment with HTML data was scrubbed...
URL: <http://lists.amavis.org/pipermail/amavis-users/attachments/20180104/d9e9ba67/attachment.html>
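The scanner flow the post describes, with the proposed third exit code for files that had to be uploaded, as an added example that is not the author's script: it assumes a directory cache standing in for redis, a pluggable lookup command standing in for the Wildfire hash query, a constructed MIME allowlist, and hypothetical names (CACHE_DIR, WF_LOOKUP, WF_UPLOAD, scan_file).

```shell
#!/usr/bin/env bash
# Added example of the amavis/WildFire wrapper logic described in the post (not the
# author's script). Redis is replaced by a directory cache and the WildFire cloud by a
# pluggable lookup command, so the decision logic runs offline.
set -u

: "${CACHE_DIR:=${TMPDIR:-/tmp}/wf-verdict-cache}"   # stand-in for the redis store
: "${WF_LOOKUP:=wf_cloud_lookup_stub}"              # cmd: <sha256> -> benign|malware|unknown
: "${WF_UPLOAD:=:}"                                 # cmd: <file>; would submit it to the sandbox

# Exit codes handed back to amavis; 0 and 1 would be listed as the clean and infected
# codes in the @av_scanners entry. 2 is the proposed third code: unknown, submitted,
# no verdict yet, so amavis could tempfail (450) instead of passing the mail.
EXIT_CLEAN=0; EXIT_INFECTED=1; EXIT_UNKNOWN=2

# Types the sandbox analyses; constructed sample list, not the vendor's official one.
WF_SUPPORTED_TYPES="application/pdf application/x-dosexec application/java-archive application/msword"

file_sha256() {   # sha256sum on Linux, shasum on macOS/BSD
    if command -v sha256sum >/dev/null 2>&1; then sha256sum -- "$1"; else shasum -a 256 -- "$1"; fi | cut -d' ' -f1
}
file_mime() { file -b --mime-type -- "$1"; }
mime_supported() { case " $WF_SUPPORTED_TYPES " in *" $1 "*) return 0;; *) return 1;; esac; }

cache_get() { [ -r "$CACHE_DIR/$1" ] && cat -- "$CACHE_DIR/$1"; }
cache_put() { mkdir -p -- "$CACHE_DIR" && printf '%s\n' "$2" >"$CACHE_DIR/$1"; }

# Offline stand-in for the cloud hash lookup: it knows nothing, so every new hash is unknown.
wf_cloud_lookup_stub() { echo unknown; }

# Scan one file: prints "<verdict>:<sha256>" and returns the amavis exit code.
scan_file() {
    local f="$1" mime hash verdict
    mime=$(file_mime "$f")
    if ! mime_supported "$mime"; then echo "skip:$mime"; return "$EXIT_CLEAN"; fi
    hash=$(file_sha256 "$f")
    verdict=$(cache_get "$hash") || verdict=$("$WF_LOOKUP" "$hash")   # local verdict first
    case "$verdict" in
        malware) cache_put "$hash" malware; echo "malware:$hash"; return "$EXIT_INFECTED";;
        benign)  cache_put "$hash" benign;  echo "benign:$hash";  return "$EXIT_CLEAN";;
        *)  # first sighting: submit for analysis and report "unknown" rather than "clean",
            # which is the gap the post describes (the first mail carrying it would pass).
            "$WF_UPLOAD" "$f" >/dev/null 2>&1 || true
            echo "unknown:$hash"; return "$EXIT_UNKNOWN";;
    esac
}

# Run as `wildfire-scan.sh <file>` from @av_scanners; the exit status is the verdict.
if [ "$#" -gt 0 ]; then scan_file "$1"; exit; fi
```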