Skip to content

Latest commit

 

History

History
61 lines (58 loc) · 2.93 KB

README.md

File metadata and controls

61 lines (58 loc) · 2.93 KB
Raw

malunpacker

ICAP service which unpacks password-protected attachments (.iso, .rar, .7z, .zip etc.) of various file types and scans them using YARA. Can be seamlessly integrated into rspamd.

Born out of the frustration that Rspamd/ClamAV cannot unpack password-protected mail attachments containing malware.

Docker docker build

Capabilities

  • tries to unpack password protected attachments using the mail body as a knowledge base for passwords
  • can also use a LLM to extract the password from the mail body
  • unpacks
    mime type password protection
    application/vnd.rar yes
    application/x-7z-compressed yes
    application/x-bzip yes
    application/x-bzip2 yes
    application/x-tar yes
    application/x-iso9660-image yes
    application/x-rar yes
    application/x-rar-compressed yes
    application/zip yes
  • scans each dropped sample and attachment using the provided YARA rules; independent of the file type

Installation (Docker)

  1. use the provided docker-compose.yml and spawn the container
  2. got into the etc docker-volume of the container, create a rules directory and put your .yar rule files into it
    (Note: a good start for rules may be https://yarahq.github.io/)
  3. restart the container and check that it's running
  4. Rspamd integration
    • go to your Rspamd configuration files and add the following to your external_services.conf 
       malunpacker {
   servers = "172.22.1.1:10055";
   # needs to be set explicitly for Rspamd < 1.9.5
   scan_mime_parts = false;
   type = "icap";
   scheme = "respmod";
   x_client_header = true;
   # mime-part regex matching in content-type or filename
   # block all macros
   max_size = 3145728;
   timeout = 60.0;
   retransmits = 1;
   x_client_header = true; # Add X-Client-IP: $IP header
   x_rcpt_header = true; # Add X-Rcpt-To: $SMTP_RCPT header
   x_from_header = true; # Add X-Mail-From: $SMTP_FROM header
 }
    • adapt your VIRUS_FOUND symbol in your composites.conf and add the MALUNPACKER symbol to it's expression f.e.: 
      VIRUS_FOUND {
  expression = "( CLAM_VIRUS | MALUNPACKER ) & !WHITELIST";
  score = 2000.0;
}
  5. That's it! You can now test malunpacker by sending some archive containeing malware or some ISO.

LLM for credential extraction

You may also enable the use of a LLM for credential extraction by specifing the environment variable USE_ML_FOR_CREDS_EXTRACTION=true in your docker-compose file.

The service uses rust-bert for the ML part.