Skip to content
This repository has been archived by the owner on Jun 20, 2023. It is now read-only.

Unofficial antivirus definitions using Fangfrisch #212

Open
wants to merge 50 commits into
base: master
Choose a base branch
from
Open

Unofficial antivirus definitions using Fangfrisch #212

wants to merge 50 commits into from

Conversation

gchamon
Copy link
Contributor

@gchamon gchamon commented Mar 2, 2023
edited
Loading

This PR merges clamd usage from #112 which also enables scanning configuration (which is missing from clamscan, but present in clamdscan). It also uses #202 (comment) as inspiration to fix missing libprce.so issues.

Related issue: #18

The original logic for downloading database definitions is kept intact. There is a new step added to download all extra database definitions regardless of database prefix (rfxn.hdb and rfxn.yara are actually two different databases, for instance).

The upload logic is refactored but is largely the same.

The Dockerfile is refactored to include fewer layers (which reduced build time by half).

Fangfrisch (https://github.com/rseichter/fangfrisch) is installed as CLI from a stage image using the official aws lambda docker. This prevents having to rewrite shebang of the fangfrisch executable which inherits the location of the python interpreter from the build environment (/usr/bin/python3, which in amazonlinux 2 is 3.7, whereas in aws lambda runtime environment is actually 3.6 which breaks sqlalchemy).

The configuration for fangfrisch and clamdscan was taken from this blog post: https://blog.frehi.be/2021/01/25/using-fangfrisch-to-improve-malware-e-mail-detection-with-clamav/

The fangfrisch configuration is static, as it would require a flexible inventory of the database definition files, which would in turn require more extensive work in the upload/download logic. The only option that is exposed is to either use the extra unofficial definitions or not through the environment variable AV_EXTRA_VIRUS_DEFINITIONS.

@gchamon
Update Dockerfile
8e394f9
@gchamon
fix dockerfile missing so
9c16448 
from bluesentry#202 (comment)
@gchamon
Merge pull request #1 from waycarbon/fix/dockerfile-missing-so
94609bf 
fix dockerfile missing so
@gchamon
implement fangfrisch usage
d45cbb7 
- add extra config variables to control fangfrisch usage
- refactor use of str_to_bool to avoid repetition
- running aws sync as subprocess
- running fangfrisch as subprocess
@gchamon
update dockerfile and update to reference correct fangfrisch bin
3a898f2
@gchamon
installing awscliv2 and add correct pythonpath for fangfrisch
fce2f29
@gchamon
revert change to /opt/app
abbeee1
@gchamon
add aws-cli to final lambda
efc71b6
@gchamon
add lib64 python packages
e21edc6
@gchamon
centralizing pip installation with --target argument
ea1bc0c
@gchamon
removing cp statement made unecessary with --target argument for pip
ed91b06
@gchamon
downgrade awscli to v1
5df78a7 
uncompressed lambda zip was hitting size limit, maybe downgrading will
shrink size
@gchamon
return with copying python3.7 site-packages for extra missing deps
ca235e4
@gchamon
update urllib3
3e9b2e3
@gchamon
remove python3.7 site packages, as it doesn't really exist
cf30411
@gchamon
run aws from bin folder
43baf43
@gchamon
add pythonpath to awscli invocation
f59ec40
@gchamon
separate fangfrisch requirements.txt; optimized docker build image
cb5f840
@gchamon
sed in-place the shebang for correct python interpreter for lambdas
02fef58
@gchamon
fangfrisch.conf absolute path
52d4137
@gchamon
add missing fangfrisch.conf file
af499af
@gchamon
check shell return; sync without progress
0180c60
@gchamon
use update_defs_from_s3 to download extra definitions
b253208
@gchamon
ditch awscli for custom down/upload functions
1ec5169
@gchamon
use sed to reflect AV_DEFINITION_PATH in fangfrisch.conf
af87467
@gchamon
revert changes to md5 from s3 tags function
d1c3ac8
@gchamon
changing fangfrisch.conf in /tmp folder
89d6c80
@gchamon
add hardened database with false-positives avoiding configs
177d3dc
@gchamon
minor fix for logging download definition
1ac4456
@gchamon
merging clamdscan for scan.conf support and lower scan timers
ffa3c6b 
must still verify if extra virus definitions get pulled form S3
from bluesentry#112
@gchamon
fix sqlite db persistence for fangfrisch
6c1d36d
@gchamon
optimize build times
97037a0
@gchamon
optimize dockerfile
64fbd46
@gchamon
fix libpcre.so not being added to zip
7962ef5
@gchamon
compress missing files into a single log line
310d112
@gchamon
fix orphan config in freshclam.conf
6fc216a
@gchamon
fix config in freshclam.conf; separate freshclam and scan conf runs
22d0b4e
@gchamon
logging freshclam output as a list of strings
bd196a9
@gchamon
compressing not downloading and md5 matches into single line
e6102f9
@gchamon
fix freshclam output split
d4ebd2d
@gchamon
download freshclam defs before running fangfrisch
0e95de6
@gchamon
breaking updater if freshclam panics
bb8fe9f
@gchamon
downloading ALL extra files definitions, even if same prefix
d0209e0
@gchamon
only print older files and md5 matches if they exist
02cc4fa
@gchamon
fix infection deletion log
2ba7b19
@gchamon
using aws lambda stage image for fangfrisch to avoid shebang rewrite
5ac7593
@gchamon
uploading all extra definition files
2b76b8c 
- refactored upload function to extract core upload logic
- using all filenames to upload to s3
- refactored core upload logic to throw errors when no such file or md5
  matches happen
@gchamon
refactored upload defs to merge all files into single list
111af04
@gchamon
fix typo
c6eb891
@CLAassistant
Copy link

CLAassistant commented Mar 2, 2023
edited
Loading

CLA assistant check
All committers have signed the CLA.

@gchamon gchamon mentioned this pull request Mar 2, 2023
Merged
gchamon
gchamon commented Mar 2, 2023
View reviewed changes
Dockerfile
/tmp/usr/sbin/clamd \
/tmp/usr/bin/freshclam \
/tmp/usr/lib64/* \
/usr/lib64/libpcre.so* \
Copy link
Contributor Author

@gchamon gchamon Mar 2, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

must copy all libpcre.so variants using wildcard, because libpcre.so.1 is a symbolic link sometimes

gchamon
gchamon commented Mar 2, 2023
View reviewed changes
clamav.py
Comment on lines +100 to +105
if older_files:
print("Not downloading the following older files in series:")
print(json.dumps(list(older_files)))
if md5_matches:
print("Not downloading the following files because local md5 matches s3:")
print(json.dumps(list(md5_matches)))
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is to avoid extremely long logs in cloudwatch, which makes is harder to debug issues

gchamon
gchamon commented Mar 2, 2023
View reviewed changes
update.py
Comment on lines +47 to +48
if clamav.update_defs_from_freshclam(AV_DEFINITION_PATH, CLAMAVLIB_PATH) != 0:
return 1
Copy link
Contributor Author

@gchamon gchamon Mar 2, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we must know that freshclam broke, otherwise the lambda would return a success status while the virus definitions in the s3 bucket would stay outdated

@waycarbon-buildserver waycarbon-buildserver deleted the feature/fangfrisch-extra-defs branch May 3, 2023 19:49
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@gchamon @CLAassistant