scVENUS / PeekabooAV

Peekaboo Extended Email Attachment Behavior Observation Owl
https://peekabooav.de
GNU General Public License v3.0

Return reason for classification as "bad" #94

Open Clevero opened 4 years ago

Clevero commented 4 years ago

It would be cool if Peekaboo could return the evil sig that was triggered and is the reason why the file is classified as bad. Just as ClamAV and other engines return something like "VBS/TrojanDownloader.Agent.PDK", Peekaboo could return, for example, "Installs itself for autorun at Windows startup" or something like that to amavis.

That information could be included in admin and recipient notifications

Expected Behavior

Returns the reason why it was classified as bad

Current Behavior

Does not return something to amavis that indicates the decision

Context (Environment)

Every time amavis finds malicious content it sends an email to our IT department and to the recipient. Sometimes it is not directly clear if it's maybe a false positive, for example, if the forged sender is @dhl.com and the recipient is at that moment awaiting a message from DHL. Also, we had an incident last week where a customer (with no peekaboo or other) forwarded us a suspicious application email as they are currently searching for a new staff member. This forwarded email was blocked by peekaboo on our side, but the IT colleague who was asked was not nearly 100% sure whether it was maybe a false positive, since he is not directly familiar with cuckoo and could not check what the cuckoo analysis said.

I think in both cases it would give the notifications to recipient and admin a more meaningful tone if the reason why the email was actually blocked could be included.

Possible Implementation

I would say the easiest way would be to return the evil sig to amavis.

Maybe it would also be possible to categorize it into things like spyware if e.g. a keylogger is detected, ransomware when it deletes or encrypts files, etc. I think the second is maybe interesting for the not-so-near future, as this is a more complicated task and other features have a higher priority.

Jack28 commented 4 years ago

I am not sure where you are looking for the reason. We report our findings back to amavis. The entire output should be part of the virusmail. (Same file as below, line 315. RuleResult is later used to create our report)

Except for one case we deliberately don't give any details - if Cuckoo analysis fails, this is to not give any hints to a potential attacker: https://github.com/scVENUS/PeekabooAV/blob/bf5f7a7c906f13cb3fdf22a17d182cac8d03fe17/peekaboo/ruleset/rules.py#L247

Clevero commented 4 years ago

Ah I think I see what you mean.

You mean the report like this?

   Hello, this is Peekaboo.

   Files are being analyzed...
   Files are being analyzed...
   File "p001" a56a80f76e0b03e5016e65e6f3739c47584e6fb51fe58cd12ff157797b71f642 is being analyzed
   File "p001": Result "unknown" of rule known - File is not yet known to the system, analysis continues: Yes.
   File "p001": Result "unknown" of rule file_larger_than - File has more than 5 bytes, analysis continues: Yes.
   File "p001": Result "ignored" of rule file_type_on_whitelist - File type is on whitelist, analysis continues: No.
   File "p001" is considered "ignored"

   File "p006" 0d149c4af3635f129a755edbb2beff2b0e792357ed170b165fa9c42bdbdcbe3d is being analyzed
   File "p006": Result "unknown" of rule known - File is not yet known to the system, analysis continues: Yes.
   File "p006": Result "unknown" of rule file_larger_than - File has more than 5 bytes, analysis continues: Yes.
   File "p006": Result "unknown" of rule file_type_on_whitelist - File type is not on whitelist, analysis continues: Yes.
   File "p006": Result "unknown" of rule file_type_on_greylist - File type is on the list of types to analyze, analysis continues: Yes.
   File "p006": Result "unknown" of rule known - File is not yet known to the system, analysis continues: Yes.
   File "p006": Result "unknown" of rule file_larger_than - File has more than 5 bytes, analysis continues: Yes.
   File "p006": Result "unknown" of rule file_type_on_whitelist - File type is not on whitelist, analysis continues: Yes.
   File "p006": Result "unknown" of rule file_type_on_greylist - File type is on the list of types to analyze, analysis continues: Yes.
   File "p006": Result "bad" of rule cuckoo_evil_sig - The following signatures have been recognized: Steals private information from local Internet browsers
   , analysis continues: No.
   File "p006" is considered "bad"

   File "p002" 6bc2523b32ef8a48f421b2221d549d93c27debfcb15b23860986d3840d2c4647 is being analyzed
   File "p002": Result "unknown" of rule known - File is not yet known to the system, analysis continues: Yes.
   File "p002": Result "unknown" of rule file_larger_than - File has more than 5 bytes, analysis continues: Yes.
   File "p002": Result "ignored" of rule file_type_on_whitelist - File type is on whitelist, analysis continues: No.
   File "p002" is considered "ignored"

   The file collection has been categorized "bad"

I'm looking for an output like The following signatures have been recognized: Steals private information from local Internet browsers. So really just the signature for example. In my use case, the full report would be too confusing for people that are not familiar with the system.

Or did I overlook a placeholder in the amavis template for this type of info?

Jack28 commented 4 years ago

Any suggestions on how to implement this? I'm not sure I understand what you want to achieve

Jack28 commented 4 years ago

You would prefer not to see the results of rules that didn't classify?

More like this?

   Hello, this is Peekaboo.

   Files are being analyzed...
   Files are being analyzed...
   File "p001" a56a80f76e0b03e5016e65e6f3739c47584e6fb51fe58cd12ff157797b71f642 is being analyzed
   File "p001": Result "ignored" of rule file_type_on_whitelist - File type is on whitelist, analysis continues: No.
   File "p001" is considered "ignored"

   File "p006" 0d149c4af3635f129a755edbb2beff2b0e792357ed170b165fa9c42bdbdcbe3d is being analyzed
   File "p006": Result "bad" of rule cuckoo_evil_sig - The following signatures have been recognized: Steals private information from local Internet browsers, analysis continues: No.
   File "p006" is considered "bad"

   File "p002" 6bc2523b32ef8a48f421b2221d549d93c27debfcb15b23860986d3840d2c4647 is being analyzed
   File "p002": Result "ignored" of rule file_type_on_whitelist - File type is on whitelist, analysis continues: No.
   File "p002" is considered "ignored"

   The file collection has been categorized "bad"

Clevero commented 4 years ago

I think that would be a little enhancement. But I hadn't thought about that.

I should have been clearer at the beginning, I admit. Hope this is now understandable:

According to the amavis documentation for customizing the notification messages, in the notification templates there is %V, which returns "V a list of virus names found; contains at least one entry (possibly an empty string) if a virus was found, otherwise a null list",

whereas %v returns "v output of the (last) virus checking program". %v is currently the full output of peekaboo.

But %V seems to be empty. ClamAV returns something like Porcupine.Phishing.46535.UNOFFICIAL; Peekaboo could return something like The following signatures have been recognized: Steals private information from local Internet browsers

In my case I don't have a problem that %v is the full output but it would be handy if %V returns the triggered signature

Thank you for your effort!

https://www.ijs.si/software/amavisd/README.customize.txt
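As an added illustration of what the thread is asking for (this is not Peekaboo's own code and not part of the issue), the following script parses the report format quoted above and pulls out only the rule results that classified a file as "bad", which is the short per-sample string the reporter would like to see in amavis' %V list. The sample report is a condensed copy of the one quoted in the issue; the "rule: reason" shape of the short string is an assumption, and how such a string would actually be handed to amavis is not shown on this page. The parser deliberately handles the line break that the quoted report shows inside the cuckoo_evil_sig result.

```python
import re
from typing import Dict, List, Optional

# Condensed copy of the Peekaboo report quoted in the issue (hashes and rule
# texts taken from there). The newline inside the cuckoo_evil_sig result is
# reproduced on purpose: the parser must cope with it.
SAMPLE_REPORT = """Hello, this is Peekaboo.

Files are being analyzed...
File "p001" a56a80f76e0b03e5016e65e6f3739c47584e6fb51fe58cd12ff157797b71f642 is being analyzed
File "p001": Result "unknown" of rule known - File is not yet known to the system, analysis continues: Yes.
File "p001": Result "ignored" of rule file_type_on_whitelist - File type is on whitelist, analysis continues: No.
File "p001" is considered "ignored"

File "p006" 0d149c4af3635f129a755edbb2beff2b0e792357ed170b165fa9c42bdbdcbe3d is being analyzed
File "p006": Result "unknown" of rule known - File is not yet known to the system, analysis continues: Yes.
File "p006": Result "unknown" of rule file_type_on_greylist - File type is on the list of types to analyze, analysis continues: Yes.
File "p006": Result "bad" of rule cuckoo_evil_sig - The following signatures have been recognized: Steals private information from local Internet browsers
, analysis continues: No.
File "p006" is considered "bad"

The file collection has been categorized "bad"
"""

# One complete "Result" record; DOTALL lets the reason span a line break.
RESULT_RE = re.compile(
    r'^File "(?P<sample>[^"]+)": Result "(?P<result>[^"]+)" of rule (?P<rule>\S+) - '
    r'(?P<reason>.*?), analysis continues: (?P<cont>Yes|No)\.$',
    re.DOTALL,
)
VERDICT_RE = re.compile(r'^The file collection has been categorized "(?P<verdict>[^"]+)"$')


def parse_results(report: str) -> List[Dict[str, str]]:
    """Return every per-rule result of a Peekaboo report as a dict.

    Lines are accumulated until the terminating 'analysis continues: Yes./No.'
    is seen, because a rule's reason text may itself contain a newline.
    """
    results: List[Dict[str, str]] = []
    buffer: Optional[str] = None
    for line in report.splitlines():
        if buffer is None:
            if not (line.startswith('File "') and ': Result "' in line):
                continue
            buffer = line
        else:
            buffer += "\n" + line
        if buffer.endswith("analysis continues: Yes.") or buffer.endswith("analysis continues: No."):
            match = RESULT_RE.match(buffer)
            if match:
                entry = match.groupdict()
                entry["reason"] = entry["reason"].strip()
                results.append(entry)
            buffer = None
    return results


def bad_reasons(report: str) -> List[Dict[str, str]]:
    """Only the rule results that classified a sample as "bad"."""
    return [r for r in parse_results(report) if r["result"] == "bad"]


def virus_names(report: str) -> List[str]:
    """Short strings in the spirit of amavis' %V list, one per "bad" sample.

    The 'rule: reason' layout is an assumption made for this example; it is
    not a format Peekaboo defines.
    """
    return [f'{r["rule"]}: {r["reason"]}' for r in bad_reasons(report)]


def collection_verdict(report: str) -> Optional[str]:
    """Overall verdict for the whole file collection, or None if absent."""
    for line in report.splitlines():
        match = VERDICT_RE.match(line)
        if match:
            return match.group("verdict")
    return None


if __name__ == "__main__":
    print("verdict:", collection_verdict(SAMPLE_REPORT))
    for name in virus_names(SAMPLE_REPORT):
        print("%V entry:", name)
```

Run against the sample, the script reports the collection verdict "bad" and a single %V-style entry for p006 carrying the cuckoo_evil_sig reason, while the "unknown" and "ignored" rule results that make the full %v output hard to read for non-experts are left out.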