PMG and Alternative antivirus

Know_new

New Member
May 24, 2023
Hello there,
We have a commercially licensed AV (Kaspersky) for Linux servers.
Is it possible to integrate it with Proxmox MG, like Avast as described in the docs?

regards
 
Hi. Now I do it with Kaspersky Endpoint Security Linux (KESL).
At the moment I use a script like this:
Bash:
#! /bin/bash
# You need to create the dir mail_av in /var/log manually: "mkdir /var/log/mail_av"
# You need to install the pwgen package for this: "apt update && apt install pwgen"
# PMG calls this script with two arguments: $1 = API version ("v1"), $2 = path of the mail file
# create a unique policy (task) name
pol=$(pwgen 10 -1 -s -0)
# create the policy file
echo "FirstAction=Skip" > /var/log/mail_av/$pol.pol
echo "ScanMailBases=Yes" >> /var/log/mail_av/$pol.pol
echo "ScanPlainMail=Yes" >> /var/log/mail_av/$pol.pol
echo "UseAnalyzer=Yes" >> /var/log/mail_av/$pol.pol
echo "HeuristicLevel=Medium" >> /var/log/mail_av/$pol.pol
echo "[ScanScope.item_1]" >> /var/log/mail_av/$pol.pol
echo "Path=$2" >> /var/log/mail_av/$pol.pol
# create the task in KESL from the file
/opt/kaspersky/kesl/bin/kesl-control --create-task $pol --type ODS --file /var/log/mail_av/$pol.pol > /dev/null
# scan the file with KESL and keep only the first detection name
vir=$(/opt/kaspersky/kesl/bin/kesl-control --start-task $pol -W | grep 'DetectName' | awk -F'=' '{print $2}' | head -1)
# remove the task from KESL
/opt/kaspersky/kesl/bin/kesl-control --delete-task $pol
# was a virus name found in the KESL output? (quoted so names with spaces work)
if [ -z "$vir" ]; then
rm -f /var/log/mail_av/$pol.pol
# write to the log that the letter is good
echo "Mail $2 was checked successfully" >> /var/log/mail_av/checked
echo "v1"
echo "OK"
else
# write to the log that the letter is infected
# the KESL policy file is kept for later inspection
echo "In mail $2 found $vir" >> /var/log/mail_av/$pol.pol
echo "Mail $2 was blocked. More info in the /var/log/mail_av/$pol.pol file" >> /var/log/mail_av/checked
echo "v1"
echo "VIRUS: $vir"
fi

exit 0

You can test it by sending mail to 'antivirustest@internet-lab.ru' with the subject 'I need an Anti-Virus Test File'.
They send you an EICAR e-mail, and PMG must notify you with a mail like:
Proxmox Notification:

Sender: antivirustest@internet-lab.ru

Receiver: mailadmin@contoso.com

Targets: mailadmin@contoso.com

Subject: Antivirus test from internet-lab.ru

Matching Rule: Block Viruses

Rule: Block Viruses

Receiver: mailadmin@contoso.com

Action: Move to quarantine.

Action: notify mailadmin@contoso.com

Virus Info: EICAR-Test-File

If you use File_Threat_Protection in KESL, you must add exclusions for 3 directories:
/tmp with mask * for the tmp files (the files have names like .proxdump_*; exclusions for hidden files don't work, I created a ticket for that with Kaspersky support)
/var/spool/pmg/active/ with mask ??????????????????? where mails are checked
/var/spool/pmg/virus/ with mask ??????????????????? where quarantined mails are stored
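The post above relies on the contract PMG has with a custom check script: it is called with two arguments (the API version "v1" and the path of the mail file) and must print "v1" on the first line and either "OK" or "VIRUS: <name>" on the second. The following is an added example, not code from the thread or from Proxmox or Kaspersky, that separates that contract from the scanner engine so the same wrapper can front KESL, Symantec or any other engine. The scanner is a hypothetical hook (the `SCANNER` variable, a command or shell function that takes the file path and prints the engine's report); the only engine-specific part is `scan_to_name`, which assumes the engine prints "DetectName=<name>" lines the way the KESL output in this thread does. The sample report lines used in testing are constructed, not captured from a real KESL run.

```shell
#!/bin/bash
# Added example: generic PMG custom-check wrapper (not the thread's script).
# PMG contract: <script> v1 /path/to/mail-file  ->  stdout "v1" then "OK" or "VIRUS: <name>"

# SCANNER is a hypothetical hook: a command/function that gets the mail file path
# and prints the engine report on stdout (e.g. a small script doing the KESL
# create-task / start-task / delete-task sequence from this thread).
SCANNER=${SCANNER:-/usr/local/bin/scan-one-mail}   # hypothetical default path

# Reduce a raw engine report to the first detection name (empty = clean).
# Assumes "DetectName=<name>" lines, as relied on by the KESL script above;
# replace the sed expression for another engine's report format.
scan_to_name() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*DetectName[[:space:]]*=[[:space:]]*//p' \
        | sed 's/[[:space:]]*$//' \
        | head -n 1
}

# Format the two-line answer PMG parses. The name is quoted everywhere so a
# detection name containing spaces cannot break the emptiness test.
pmg_answer() {
    local name=$1
    if [ -z "$name" ]; then
        printf 'v1\nOK\n'
    else
        printf 'v1\nVIRUS: %s\n' "$name"
    fi
}

# Validate PMG's arguments, run the scanner, print the answer.
# A wrong API version or an unreadable file returns non-zero instead of
# silently answering OK, so a misconfiguration never looks like a clean scan.
check_mail() {
    local api=$1 file=$2 report
    if [ "$api" != "v1" ] || [ ! -r "$file" ]; then
        echo "pmg-custom-check: bad arguments: api=$api file=$file" >&2
        return 1
    fi
    # Some engines exit non-zero when they detect something; the verdict is
    # taken from the report text, not the exit status.
    report=$("$SCANNER" "$file") || true
    pmg_answer "$(scan_to_name "$report")"
}

# Entry point when PMG invokes the script; skipped when sourced or run without args.
if [ "$#" -eq 2 ]; then
    check_mail "$1" "$2"
    exit $?
fi
```

To adapt it for another engine (the Symantec question later in this thread), point `SCANNER` at the engine's manual-scan command and change only the `sed` expression in `scan_to_name` to match how that engine names detections; the PMG-facing output stays the same.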
 
Thank you! I will try it.

Does ClamAV need to be removed from the system?
 
Has anyone tried to use Symantec? My company uses SEP and it has a Linux agent.
 
No.
You can disable it via /etc/pmg/pmg.conf.
In the admin section add 2 lines:
section: admin
clamav 0 --disable clamav
custom_check 1 --enable KESL
Thank you.

Finally, if I understood correctly (top-level steps):
Install KESL on Proxmox MG
Create kesl.sh in the /usr/local/bin/pmg-custom-check dir (or define a custom path via the custom_check_path environment)
Correct pmg.conf as you described above
Restart pmg-smtp-filter
Enjoy :)
Are those the correct steps?
 
/usr/local/bin/pmg-custom-check is not a folder, it is the script file itself.
And yes, after those steps KESL must start checking every e-mail.
If you use KSC and install its agent on the host, you will see many events in KSC.

I think you must do the same steps, but change the KESL commands to Symantec-specific ones.
In this manual Symantec has the option manualscan -s|--scan for starting a manual scan.
Try to check an EICAR message manually with this option, look at the output and find a filter that outputs only the virus name.
 
Thank you very much.

Works like a charm.
 