Integration with Dr.Web vxCube

In this section

About Dr.Web vxCube

Basics of integration with Dr.Web vxCube

SMTP mode

BCC mode

Dr.Web MailD can be connected to a mail server as an external email check filter and integrated with Dr.Web vxCube, which will analyze email attachments.

About Dr.Web vxCube

Dr.Web vxCube is a web service that analyzes potentially malicious files, generates detailed reports on their behavior in a selected environment, and generates a tool to neutralize the detected threats. For analysis, Dr.Web vxCube uses hardware virtualization, which lets it run quickly and remain invisible to the file under analysis.

Dr.Web vxCube provides advanced malware detection capabilities, which allows you to identify the latest threats that may still be absent in signature databases and can be overlooked by other methods of analysis.

Basics of integration with Dr.Web vxCube

When Dr.Web vxCube is used, the Dr.Web MailD component sends email attachments to Dr.Web vxCube for analysis through the vxCube API. Dr.Web vxCube scans every attachment and returns a verdict on the file status (clean, suspicious, or dangerous) to Dr.Web MailD in a report. Depending on the operation mode, either a Lua script uses this report to process the respective email (SMTP mode) or the report is emailed to a system administrator (BCC mode).

To use Dr.Web vxCube for email scanning, you need a valid Dr.Web vxCube license.

You can integrate Dr.Web MailD with Dr.Web vxCube in either of two modes: SMTP or BCC. Neither mode uses the Milter, Spamd, or Rspamd interfaces to connect to the mail server.

SMTP mode

SMTP mode actively filters email traffic and allows you to set up rules that will be applied to emails.

SMTP mode is supported by the Postfix mail server.

If you operate in the SMTP mode, integration with Dr.Web vxCube is optional. If you do not use Dr.Web vxCube, Dr.Web MailD will perform all checks.

Operation

1. To send an email, the client connects to the MTA socket accessible from outside the local area network.

2. The MTA saves the incoming message in the queue of messages awaiting check, reports the save status to the client, and forwards the message to Dr.Web MailD for scanning.

3. To organize email messages, Dr.Web MailD saves them on disk and their metadata to an SQLite database through the Dr.Web Mail Quarantine component of Dr.Web MailD.

4. Dr.Web MailD checks messages using specifically configured Lua scripts.

Messages can be checked either by Dr.Web MailD itself or by Dr.Web vxCube. If the product is integrated with Dr.Web vxCube, then, depending on the selected processing procedure, Dr.Web MailD either forwards the entire message to Dr.Web vxCube, which extracts the attachments itself, or extracts attachments of the file types specified in its configuration and forwards only those. In either case, Dr.Web vxCube analyzes each file for malicious code, issues a verdict on the security status of the attachment, and sends the verdict to Dr.Web MailD.

5. Dr.Web MailD uses a Lua script containing a message processing procedure (hook) to determine the action to apply to the message (pass, reject, return an error to the sender, etc.).

If the checked message is passed, it can also be modified in the process: for example, a subject can be added or the existing subject edited. If a threat was found in an attachment, that attachment is archived.

6. Dr.Web MailD returns the message to the MTA queue. The message is forwarded to a socket reserved for checked messages only, which is not accessible from outside the local network.

7. The MTA saves the message in the queue of checked emails, reports the save status to Dr.Web MailD, and attempts to deliver the message to the recipient. If delivery succeeds, the message is removed from the MTA queue; if it fails, delivery is retried after a certain period of time.

Configuring MTA

See an example of an MTA Postfix configuration to connect Dr.Web MailD as an external email filter in SMTP mode in the Integration with MTA as a filter section.

Configuring Dr.Web MailD

To integrate Dr.Web MailD with a mail server in the SMTP mode, as well as with Dr.Web vxCube, you need to make sure that a number of parameters in the configuration file are set correctly, namely those in the section for Dr.Web MailD settings (the [MailD] section) and Dr.Web ConfigD settings (the [Root] section).

All main Dr.Web MailD parameters that regulate the integration with MTA in the SMTP mode have the Smtp prefix in their name.

For the product to operate in the SMTP mode without integration with Dr.Web vxCube, you need to set the following parameters in the [MailD] section:

SmtpSocket—a socket on which Dr.Web MailD listens for the messages that the MTA hands over for checking. It can be a UNIX or a network socket.

SmtpSenderRelay—an MTA socket that will be used by Dr.Web MailD to forward checked email messages. It can be a UNIX or a network socket.

You can also set optional parameters as required. Parameters that affect the SMTP mode have the Smtp prefix.

Email processing rules of Dr.Web MailD operating in the SMTP mode are determined by the SmtpHook parameter. You can use the default script entered as its value or edit it. For details of email processing through Lua scripts, refer to Email Processing in Lua.

For the product integrated with Dr.Web vxCube to operate in the SMTP mode, you also need to set the following parameters in the [Root] section:

UseVxcube=Yes—use Dr.Web vxCube for analyzing email attachments as an external filter connected to the MTA.

VxcubeApiAddress—the domain name (FQDN) or IP address of the host on which the Dr.Web vxCube API server is running.

VxcubeApiKey—the Dr.Web vxCube API key.

You can also set up optional parameters as required. Parameters that affect the integration with Dr.Web vxCube have the Vxcube prefix.

BCC mode

BCC mode allows for passive monitoring of email traffic security and does not actively protect recipients from potentially malicious files.

BCC mode is supported by all MTAs that support sending blind carbon copies (BCC).

This mode is used only for integration with Dr.Web vxCube: the checks are performed by Dr.Web vxCube, and because the MTA delivers the original message before its copy is analyzed, the result can only be reported, not used to filter the message.

Operation

1. To send an email, the client connects to the MTA socket accessible from outside the local area network.

2. The MTA delivers the original message to the recipient and creates a blind carbon copy of it addressed to an internal email address with a unique domain (the BCC address configured on the MTA).

3. The MTA resolves that domain through the MX record added by the system administrator on the local DNS server and delivers the copy to the IP address of the listening Dr.Web MailD socket, which is not accessible from outside the LAN.

4. To organize email messages into a queue awaiting check and a queue of checked emails, Dr.Web MailD saves them on disk and their metadata to an SQLite database through the Dr.Web Mail Quarantine component.

5. As set by the configuration, Dr.Web MailD identifies files of certain types among the email attachments and forwards them to Dr.Web vxCube for analysis.

6. Dr.Web vxCube analyzes each file for malicious code, issues a verdict on the security status of the attachment, and sends Dr.Web MailD a report on the analysis of each attached file.

7. Dr.Web MailD aggregates the reports on all files attached to the message into one common report.

8. If at least one of the files has the verdict ‘suspicious’ or ‘dangerous’, Dr.Web MailD forwards the aggregated report to the system administrator at the email address specified in the Dr.Web MailD configuration (BccReportRecipientAddress).

Configuring MTA

To ensure interaction between the MTA and Dr.Web MailD in the BCC mode, you need to change the MTA configuration, so that it forwards blind carbon copies of email messages to an email address with a unique domain.

After changing the settings, restart your MTA.

To forward blind carbon copies to Dr.Web MailD, add on your local DNS server an MX record for the domain of the email address you have specified on the MTA. The MX record must point to a host name (an MX target cannot be an IP address literal) whose A record resolves to the address on which Dr.Web MailD listens (the BccSocket parameter of the [MailD] section of the common configuration file). Because an MX record carries no port number, the MTA delivers the copies to TCP port 25 of that address, so the network socket given in BccSocket must listen on port 25 unless the MTA is explicitly configured to deliver to a different port.
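The delivery path described above (BCC address, MX record, A record, BccSocket) is easy to get subtly wrong, so the following added example, which is not Dr.Web or Postfix code, traces it with constructed DNS records the way an MTA resolves it and checks that the BccSocket value is exactly where the MTA will connect. The zone name vxscan.internal, the host names and addresses, the Postfix always_bcc example and the inet:PORT@HOST socket syntax are assumptions.

```python
"""Trace the delivery path of a BCC copy: MTA -> MX lookup -> A lookup -> BccSocket.

Added example, not Dr.Web or Postfix code. The zone, host names, addresses and
the inet:PORT@HOST socket syntax are assumptions.
"""
import re

# Constructed records of the local DNS zone for the dedicated BCC domain.
MX_RECORDS = {"vxscan.internal.": [(10, "maild.vxscan.internal.")]}
A_RECORDS = {"maild.vxscan.internal.": "10.0.0.5"}

BCC_ADDRESS = "bcc@vxscan.internal"  # e.g. Postfix: always_bcc = bcc@vxscan.internal
BCC_SOCKET = "inet:25@10.0.0.5"      # [MailD] BccSocket (assumed syntax)

SMTP_PORT = 25  # MX records carry no port; the MTA delivers to port 25 of the MX host


def route_bcc_copy(address, mx_records, a_records):
    """Resolve the address and port the MTA will connect to, the way an MTA does it."""
    domain = address.rsplit("@", 1)[1].rstrip(".") + "."
    candidates = sorted(mx_records.get(domain, []))  # lowest preference value first
    if not candidates:
        raise LookupError(f"no MX record for {domain}")
    _, mx_host = candidates[0]
    # An MX target must be a host name that has an A record, never an IP literal.
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", mx_host.rstrip(".")):
        raise ValueError(f"MX target {mx_host} is an IP literal; use a host name")
    ip = a_records.get(mx_host)
    if ip is None:
        raise LookupError(f"MX target {mx_host} has no A record")
    return ip, SMTP_PORT


def socket_reachable(bcc_socket, ip, port):
    """True if the [MailD] BccSocket value is exactly where the MTA will connect."""
    m = re.fullmatch(r"inet:(\d{1,5})@(\S+)", bcc_socket)
    return bool(m) and int(m.group(1)) == port and m.group(2) == ip


if __name__ == "__main__":
    ip, port = route_bcc_copy(BCC_ADDRESS, MX_RECORDS, A_RECORDS)
    print(f"BCC copies go to {ip}:{port}; BccSocket matches: "
          f"{socket_reachable(BCC_SOCKET, ip, port)}")
```

A UNIX socket in BccSocket cannot be reached through an MX record at all; it only works when the MTA is configured to deliver the copies to that socket path directly, so socket_reachable returns False for it.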

Configuring Dr.Web MailD

To integrate Dr.Web MailD with a mail server in the BCC mode, as well as with Dr.Web vxCube, you need to make sure that a number of parameters in the configuration file are set correctly, namely those in the section for Dr.Web MailD settings (the [MailD] section) and Dr.Web ConfigD settings (the [Root] section).

All main Dr.Web MailD parameters that regulate the integration with MTA in the BCC mode have the Bcc prefix in their name.

You need to set values for the following parameters:

In the [Root] section:

UseVxcube=Yes—use Dr.Web vxCube for analyzing email attachments as an external filter connected to the MTA.

VxcubeApiAddress—the domain name (FQDN) or IP address of the host, on which the Dr.Web vxCube API server is running.

VxcubeApiKey—the Dr.Web vxCube API key.

In the [MailD] section:

BccSocket—a socket on which Dr.Web MailD listens for the blind carbon copies of email messages delivered by the MTA. It can be a UNIX or a network socket.

BccReporterAddress—an address, from which Dr.Web MailD will send reports on checked attachments.

BccReporterPassword—password of the email account, from which Dr.Web MailD will send reports on checked attachments.

BccReportRecipientAddress—an address, to which Dr.Web MailD will send reports on checked attachments.

BccSmtpServer—address of the MTA used to send the messages. You can specify the domain, IP address, or a UNIX socket.

You can also set up optional parameters as required. Parameters that affect the BCC mode have the Bcc prefix; parameters that affect the integration with Dr.Web vxCube have the Vxcube prefix.
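Both parameter lists above (the [MailD] and [Root] settings for SMTP mode, and those for BCC mode) have cross-dependencies that the configuration file itself does not enforce: UseVxcube=Yes requires VxcubeApiAddress and VxcubeApiKey, BCC mode requires vxCube, and a BccSocket fed through an MX record has to listen on port 25. The following added example, which is not Dr.Web code, is a pre-flight checker for those rules with two constructed configurations embedded inline. The section and parameter names are the ones named on this page; the inet:PORT@HOST / unix:PATH socket syntax, the host names, ports and credential placeholders are assumptions.

```python
"""Pre-flight check of the [Root] and [MailD] settings for SMTP and BCC modes.

Added example, not Dr.Web code. Section and parameter names are those named on
the page; the inet:PORT@HOST / unix:PATH socket syntax, the host names, the
port numbers and the credential placeholders are assumptions.
"""
from __future__ import annotations

import configparser
import re

# Constructed configuration for SMTP mode with Dr.Web vxCube enabled.
SAMPLE_SMTP_CONFIG = """
[Root]
UseVxcube = Yes
VxcubeApiAddress = vxcube.example.internal
VxcubeApiKey = 0123456789abcdef0123456789abcdef

[MailD]
SmtpSocket = inet:10025@127.0.0.1
SmtpSenderRelay = inet:10026@127.0.0.1
"""

# Constructed configuration for BCC mode (vxCube is mandatory in this mode).
SAMPLE_BCC_CONFIG = """
[Root]
UseVxcube = Yes
VxcubeApiAddress = vxcube.example.internal
VxcubeApiKey = 0123456789abcdef0123456789abcdef

[MailD]
BccSocket = inet:25@10.0.0.5
BccReporterAddress = maild-reports@example.internal
BccReporterPassword = s3cret-placeholder
BccReportRecipientAddress = secops@example.internal
BccSmtpServer = mail.example.internal
"""

SOCKET_RE = re.compile(r"^(?:inet:(\d{1,5})@\S+|unix:/\S+)$")

REQUIRED_MAILD = {
    "smtp": ("SmtpSocket", "SmtpSenderRelay"),
    "bcc": ("BccSocket", "BccReporterAddress", "BccReporterPassword",
            "BccReportRecipientAddress", "BccSmtpServer"),
}
REQUIRED_VXCUBE = ("VxcubeApiAddress", "VxcubeApiKey")


def check_config(text: str, mode: str) -> list[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    cfg = configparser.ConfigParser(interpolation=None)  # API keys may contain '%'
    cfg.optionxform = str  # keep parameter names case-sensitive
    cfg.read_string(text)

    def value(section: str, param: str) -> str:
        return cfg.get(section, param, fallback="").strip()

    problems: list[str] = []
    for param in REQUIRED_MAILD[mode]:
        if not value("MailD", param):
            problems.append(f"[MailD] {param} is required in {mode.upper()} mode")

    use_vxcube = value("Root", "UseVxcube").lower() == "yes"
    if mode == "bcc" and not use_vxcube:
        problems.append("[Root] UseVxcube must be Yes: BCC mode exists only for vxCube")
    if use_vxcube:
        for param in REQUIRED_VXCUBE:
            if not value("Root", param):
                problems.append(f"[Root] {param} is required when UseVxcube=Yes")

    for param in ("SmtpSocket", "SmtpSenderRelay", "BccSocket"):
        sock = value("MailD", param)
        if sock and not SOCKET_RE.match(sock):
            problems.append(f"[MailD] {param}={sock!r} is neither inet:PORT@HOST nor unix:/PATH")

    # Copies routed through an MX record always arrive on TCP port 25.
    match = SOCKET_RE.match(value("MailD", "BccSocket"))
    if mode == "bcc" and match and match.group(1) not in (None, "25"):
        problems.append("[MailD] BccSocket must listen on port 25 when copies arrive via the MX record")
    return problems


if __name__ == "__main__":
    for name, text, mode in (("SMTP", SAMPLE_SMTP_CONFIG, "smtp"),
                             ("BCC", SAMPLE_BCC_CONFIG, "bcc")):
        print(name, check_config(text, mode) or "OK")
```

Run it against the real configuration file by reading it into check_config with the mode you intend to use; the port-25 rule is only a warning in the sense that it does not apply if the MTA is explicitly configured to deliver the copies to another port.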