Integration with Dr.Web vxCube

In this section

About Dr.Web vxCube

Basics of Integration with Dr.Web vxCube

SMTP Mode

BCC Mode

The Dr.Web MailD component can be connected to a mail server as an external email scanning filter and integrated with the Dr.Web vxCube service for analyzing email attachments.

About Dr.Web vxCube

Dr.Web vxCube is a web service that analyzes potentially malicious files and generates a detailed report on their behavior in given conditions. Dr.Web vxCube uses hardware virtualization for analysis, thereby allowing it to operate rapidly and remain invisible to a file being analyzed.

Dr.Web vxCube uses advanced malware detection methods, which allows it to identify the latest threats that may still be absent in virus databases and can remain undetected by other methods of analysis.

Basics of Integration with Dr.Web vxCube

When using Dr.Web vxCube, the Dr.Web MailD component sends email attachments to Dr.Web vxCube for analysis using its API. Dr.Web vxCube scans every attachment and returns a verdict on the file status (clean, suspicious or dangerous) to Dr.Web MailD in a report. Depending on a scanning mode, either a Lua script uses this report to process a respective email message or the report is sent to a system administrator by email.

To use Dr.Web vxCube as a scanning tool, you need a valid license for it.

You can integrate Dr.Web MailD with Dr.Web vxCube in one of two modes: SMTP or BCC. These modes do not use Milter, Spamd and Rspamd interfaces to connect to a mail server.

SMTP Mode

The SMTP mode actively filters email traffic and allows you to set up rules to be applied to scanned email messages.

The SMTP mode is supported by the Postfix mail server.

Integration with Dr.Web vxCube is optional in SMTP mode. If Dr.Web vxCube is not used, scanning is performed by Dr.Web MailD.

Operating Principles

1. To send an email message, a client connects to a mail server (MTA) socket accessible externally.

2. The MTA stores an incoming message in a queue of messages to be scanned, notifies the user of the storing operation status and sends the message to the Dr.Web MailD component for scanning.

3. To organize email messages, Dr.Web MailD uses the Dr.Web Mail Quarantine service component, which stores messages on a storage device and their metadata in an SQLite database.

4. Dr.Web MailD scans messages using Lua scripts.

Either Dr.Web MailD or Dr.Web vxCube can be used for scanning. If the product is integrated with Dr.Web vxCube, Dr.Web MailD can either send the entire message to Dr.Web vxCube to extract attachments, or extract attachments of the file types specified in the component configuration on its own and send them to Dr.Web vxCube, depending on the selected processing procedure. When Dr.Web vxCube receives attachments through either method, it analyzes each received file for malicious code, issues a verdict on the safety status of the attachment and sends the verdict to Dr.Web MailD.

5. Dr.Web MailD uses a Lua script containing a message processing procedure (hook) to determine an action (PASS, REJECT, TEMPFAIL and so on) to be applied to the message.

In case of the PASS action, the scanned message can also undergo changes, such as adding or modifying the subject. If a threat has been detected in an attachment, that attachment is archived.

6. Dr.Web MailD returns the message to the MTA message queue. The message is sent to the MTA socket used for receiving scanned messages; this socket should be inaccessible externally.

7. The MTA stores the received message in the queue for scanned messages, notifies Dr.Web MailD of the storing operation status and attempts to deliver the message to the recipient. If the attempt succeeds, the message is removed from the MTA queue; if it fails, a new attempt is made after a certain period of time.

Configuring MTA Settings

The Integration with an MTA as a filter section provides an example of configuring the Postfix MTA for connecting Dr.Web MailD as an external email filter in SMTP mode.

Configuring Dr.Web MailD Settings

To integrate Dr.Web MailD with a mail server in SMTP mode, as well as to integrate Dr.Web MailD with Dr.Web vxCube, you need to make sure that specific parameters are set correctly in the configuration file in the Dr.Web MailD settings section (the [MailD] section) and in the Dr.Web ConfigD settings section (the [Root] section).

All basic Dr.Web MailD parameters that control its integration with the MTA in SMTP mode have the Smtp prefix in their name.

To enable Dr.Web operation in SMTP mode without the integration with Dr.Web vxCube, set the following parameters in the [MailD] section:

SmtpSocket—socket to be used by Dr.Web MailD to receive messages being scanned from the MTA. A UNIX or network socket can be used.

SmtpSenderRelay—MTA socket to be used by Dr.Web MailD to send scanned messages. A UNIX or network socket can be used.

You can also set optional parameters if necessary. Parameters related to the SMTP mode have the Smtp prefix.

Email processing rules processed by the Dr.Web MailD component operating in SMTP mode are specified by the SmtpHook parameter. You can use a default value of this parameter specifying a script or modify it. For details of email processing using Lua scripts, refer to Email Processing in Lua.

To enable Dr.Web operation in SMTP mode together with the integration with Dr.Web vxCube, you also need to set the following parameters in the [Root] section in addition to the parameters above:

UseVxcube=Yes—use Dr.Web vxCube to analyze email attachments as an external filter connected to the MTA;

VxcubeApiAddress—domain name (FQDN) or IP address of a host running a Dr.Web vxCube API server;

VxcubeApiKey—Dr.Web vxCube API key.

You can also set optional parameters if necessary. Parameters related to the integration with Dr.Web vxCube have the Vxcube prefix.

BCC Mode

The BCC mode is intended for passive email traffic monitoring and does not actively protect recipients from potentially malicious messages.

The BCC mode is supported by all MTAs that support sending blind carbon copies (BCC).

This mode is specifically intended for the integration with Dr.Web vxCube. In this mode, email scanning (and thus filtering) is performed only by Dr.Web vxCube.

Operating Principles

1. To send an email message, a client connects to an MTA socket accessible externally.

2. The MTA sends the original message to the recipient and creates a blind carbon copy of it, which it sends to an internal email address (with a unique domain) specified in the Dr.Web MailD configuration.

3. Following the MX record created by the system administrator on the local DNS server, the copy is delivered to the IP address of the listening Dr.Web MailD socket, which is not accessible externally.

4. To organize message queues, Dr.Web MailD uses the Dr.Web Mail Quarantine service component, which stores messages on a storage device and their metadata in an SQLite database.

5. On the basis of the configuration, Dr.Web MailD identifies files of certain types in email attachments and sends them to Dr.Web vxCube for analysis.

6. Dr.Web vxCube analyzes each received file for malicious code, issues a verdict on the safety status of the attachment and sends a report on the analysis of each attached file to Dr.Web MailD.

7. Dr.Web MailD aggregates reports on all attachments of a single message into a unified report.

8. If the “suspicious” or “dangerous” verdict is issued for at least one of the attached files, Dr.Web MailD sends the unified report to the system administrator at the email address specified in the Dr.Web MailD configuration.
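The verdict handling in steps 7 and 8 above, and the action selection in step 5 of the SMTP mode, modelled as a small Python example. This is added illustration, not code from Dr.Web MailD or its Lua hooks; the verdict names come from the page, while the SMTP policy (which verdict maps to which action) and the handling of a still-pending analysis are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Verdicts named on the page; tuple order is the severity order.
VERDICTS = ("clean", "suspicious", "dangerous")
SEVERITY = {v: i for i, v in enumerate(VERDICTS)}

@dataclass
class AttachmentVerdict:
    filename: str
    verdict: Optional[str]   # None = report from Dr.Web vxCube not received yet

@dataclass
class UnifiedReport:
    overall: str             # worst verdict among the attachments reported so far
    flagged: list = field(default_factory=list)   # non-clean attachments
    pending: list = field(default_factory=list)   # attachments still being analyzed

def aggregate(verdicts):
    """BCC mode step 7: fold per-attachment reports into one report per message."""
    report = UnifiedReport("clean")
    for v in verdicts:
        if v.verdict is None:
            report.pending.append(v.filename)
            continue
        if v.verdict not in SEVERITY:
            raise ValueError(f"unknown verdict {v.verdict!r} for {v.filename}")
        if SEVERITY[v.verdict] > SEVERITY[report.overall]:
            report.overall = v.verdict
        if v.verdict != "clean":
            report.flagged.append(v.filename)
    return report

def needs_admin_report(report):
    """BCC mode step 8: mail the unified report only if something is not clean."""
    return report.overall != "clean"

def smtp_decision(report):
    """SMTP mode step 5, illustrative hook policy (assumed, not the product default):
    dangerous -> REJECT; analysis pending -> TEMPFAIL so the MTA retries later;
    suspicious -> PASS with a subject tag and the attachments archived; clean -> PASS."""
    if report.overall == "dangerous":
        return {"action": "REJECT", "subject_prefix": "", "archive": []}
    if report.pending:
        return {"action": "TEMPFAIL", "subject_prefix": "", "archive": []}
    if report.overall == "suspicious":
        return {"action": "PASS", "subject_prefix": "[SUSPICIOUS] ",
                "archive": list(report.flagged)}
    return {"action": "PASS", "subject_prefix": "", "archive": []}
```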

Configuring MTA Settings

To enable interaction between the MTA and Dr.Web MailD in BCC mode, you need to configure the mail server to send blind carbon copies of email messages to an email address with a unique domain.

Restart the MTA after changing its settings.

To send blind carbon copies to Dr.Web MailD, configure an MX record on your local DNS server for the domain to which the email address specified on the MTA is related. The record must specify the listening Dr.Web MailD socket (the BccSocket parameter of the [MailD] section of the unified configuration file).

Configuring Dr.Web MailD Settings

To integrate Dr.Web MailD with a mail server in BCC mode, as well as to integrate Dr.Web MailD with Dr.Web vxCube, you need to make sure that specific parameters are set correctly in the configuration file in the Dr.Web MailD settings section (the [MailD] section) and in the Dr.Web ConfigD settings section (the [Root] section).

All basic Dr.Web MailD parameters that control its integration with the MTA in BCC mode have the Bcc prefix in their name.

Set the following parameters:

In the [Root] section:

UseVxcube=Yes—use Dr.Web vxCube to analyze email attachments as an external filter connected to the MTA.

VxcubeApiAddress—domain name (FQDN) or IP address of a host running a Dr.Web vxCube API server.

VxcubeApiKey—Dr.Web vxCube API key.

In the [MailD] section:

BccSocket—socket to be used by Dr.Web MailD to receive messages being scanned from the MTA. A UNIX or network socket can be used.

BccReporterAddress—address to be used to send Dr.Web MailD reports on scanned attachments.

BccReporterPassword—password for a mailbox to be used to send Dr.Web MailD reports on scanned attachments.

BccReportRecipientAddress—address to be used to receive Dr.Web MailD reports on scanned attachments.

BccSmtpServer—address of the MTA used to send messages. You can specify a domain, an IP address or a UNIX socket.

You can also set optional parameters if necessary. Parameters related to the BCC mode have the Bcc prefix, and parameters related to the integration with Dr.Web vxCube have the Vxcube prefix.
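A configuration check for the SMTP-mode and BCC-mode parameter sets described above, written as an added Python example rather than a Dr.Web tool. The parameter names and section names are the ones on this page; the INI-style layout of the sample, the inet:host:port and unix:path socket syntax, and all values are constructed assumptions. It flags missing required parameters, a vxCube integration without address or key, BCC mode without UseVxcube=Yes, and the two sockets the page says must not be reachable externally when they are bound beyond loopback.

```python
import configparser

# Constructed sample of the unified configuration file (layout and socket syntax
# assumed; parameter names from the page; values are placeholders).
SAMPLE_CONFIG = """[Root]
UseVxcube = Yes
VxcubeApiAddress = vxcube.example.internal
VxcubeApiKey = <API-KEY-PLACEHOLDER>
[MailD]
SmtpSocket = inet:127.0.0.1:10025
SmtpSenderRelay = inet:0.0.0.0:10026
BccSocket = unix:/var/run/drweb-maild-bcc.sock
"""

REQUIRED = {"smtp": [("MailD", "SmtpSocket"), ("MailD", "SmtpSenderRelay")],
            "bcc": [("MailD", k) for k in ("BccSocket", "BccReporterAddress",
                    "BccReporterPassword", "BccReportRecipientAddress", "BccSmtpServer")]}
VXCUBE_KEYS = [("Root", "VxcubeApiAddress"), ("Root", "VxcubeApiKey")]
# Sockets the page says must not be reachable from outside.
INTERNAL_SOCKETS = [("MailD", "SmtpSenderRelay"), ("MailD", "BccSocket")]

def is_local_socket(value):
    # True for a UNIX socket or a network socket bound to a loopback address.
    if value.startswith("unix:"):
        return True
    if value.startswith("inet:"):
        host = value[len("inet:"):].rsplit(":", 1)[0]
        return host in ("127.0.0.1", "::1", "localhost")
    return False

def check_config(text, mode):
    # Returns a list of problems for mode 'smtp' or 'bcc'; empty list means OK.
    cfg = configparser.ConfigParser(delimiters=("=",))
    cfg.optionxform = str  # keep CamelCase parameter names as written
    cfg.read_string(text)
    problems = []
    for section, key in REQUIRED[mode]:
        if not cfg.has_option(section, key):
            problems.append(f"missing [{section}] {key}, required in {mode.upper()} mode")
    use_vx = cfg.get("Root", "UseVxcube", fallback="No").lower() == "yes"
    if mode == "bcc" and not use_vx:
        problems.append("BCC mode scans only with Dr.Web vxCube: set [Root] UseVxcube=Yes")
    for section, key in (VXCUBE_KEYS if use_vx else []):
        if not cfg.get(section, key, fallback="").strip():
            problems.append(f"UseVxcube=Yes but [{section}] {key} is missing or empty")
    for section, key in INTERNAL_SOCKETS:
        value = cfg.get(section, key, fallback=None)
        if value and not is_local_socket(value):
            problems.append(f"[{section}] {key}={value} is reachable beyond loopback")
    return problems
```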