Ecosyste.ms: Awesome
https://github.com/daschr/malunpacker
ICAP service which unpacks password-protected attachments (.iso, .rar, .7z, .zip etc.) of various file types and scans them using YARA. Can be seamlessly integrated into rspamd.
antivirus docker icap icap-server mail malware malware-analysis malware-detection rspamd scanning yara
Last synced: 7 days ago
- Host: GitHub
- URL: https://github.com/daschr/malunpacker
- Owner: daschr
- License: mit
- Created: 2024-04-11T07:20:45.000Z (10 months ago)
- Default Branch: main
- Last Pushed: 2025-01-13T13:14:11.000Z (28 days ago)
- Last Synced: 2025-01-13T14:24:59.429Z (28 days ago)
- Topics: antivirus, docker, icap, icap-server, mail, malware, malware-analysis, malware-detection, rspamd, scanning, yara
- Language: Rust
- Homepage:
- Size: 4.14 MB
- Stars: 1
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
malunpacker
ICAP service which unpacks password-protected attachments (.iso, .rar, .7z, .zip etc.) of various file types and scans them using YARA. Can be seamlessly integrated into rspamd.
Born out of the frustration that Rspamd/ClamAV cannot unpack password-protected mail attachments containing malware.

[![Docker](https://img.shields.io/badge/Docker-2496ED?logo=docker&logoColor=fff)](https://hub.docker.com/r/daschr/malunpacker) ![docker build](https://github.com/daschr/malunpacker/actions/workflows/docker-image.yml/badge.svg)
## Capabilities
- tries to unpack password-protected attachments, using the mail body as a knowledge base for candidate passwords
- can also use an LLM to extract the password from the mail body
- unpacks the following MIME types:
|mime type|password protection|
|---|---|
|application/vnd.rar|yes|
|application/x-7z-compressed|yes|
|application/x-bzip|yes|
|application/x-bzip2|yes|
|application/x-tar|yes|
|application/x-iso9660-image|yes|
|application/x-rar|yes|
|application/x-rar-compressed|yes|
|application/zip|yes|
- scans each dropped sample and attachment with the provided YARA rules, independent of the file type
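As an added illustration of the first capability (this is not malunpacker's own code; the project's heuristics are not published on this page), here is a Rust routine that harvests candidate passwords from a plain-text mail body in the order an unpacker should try them: values that follow a hint word such as `Password:` or `Passwort ist` come first, then every other token long enough to be a password, each only once. The hint words, filler words, punctuation set and the sample body are assumptions constructed for this example.

```rust
// Added example: harvesting candidate archive passwords from a mail body.
// Not malunpacker's own code; hint words and heuristics are assumptions.
use std::collections::HashSet;

/// Words that usually precede the password in malspam, longest first so that
/// "passwort" wins over "pass". Constructed list for this example.
const HINT_WORDS: &[&str] = &["password", "passwort", "kennwort", "pass", "code", "pwd", "pw"];

/// Filler between hint and value ("password is X", "Passwort ist X").
const FILLER: &[&str] = &["is", "ist", "lautet", "the"];

/// Characters stripped from both ends of a token. '#', '!' and friends stay,
/// since they are common inside passwords.
const EDGE_PUNCT: &[char] = &['"', '\'', '.', ',', ';', ':', '=', '(', ')', '<', '>', '«', '»', '-'];

fn clean(tok: &str) -> &str {
    tok.trim_matches(|c: char| EDGE_PUNCT.contains(&c))
}

/// The first plausible password that follows a hint word on `line`, if any.
fn after_hint(line: &str) -> Option<String> {
    // ASCII lowercasing keeps byte offsets identical to `line`.
    let lower = line.to_ascii_lowercase();
    let bytes = lower.as_bytes();
    for hint in HINT_WORDS {
        for (pos, _) in lower.match_indices(*hint) {
            let end = pos + hint.len();
            // Whole-word match only: "pw" must not fire inside "npwd".
            let before_ok = pos == 0 || !bytes[pos - 1].is_ascii_alphanumeric();
            let after_ok = end == bytes.len() || !bytes[end].is_ascii_alphanumeric();
            if !(before_ok && after_ok) {
                continue;
            }
            let cand = line[end..]
                .split_whitespace()
                .map(clean)
                .filter(|t| !t.is_empty() && !FILLER.contains(&t.to_ascii_lowercase().as_str()))
                .next();
            if let Some(c) = cand {
                if c.len() >= 3 {
                    return Some(c.to_string());
                }
            }
        }
    }
    None
}

/// Candidate passwords in the order an unpacker should try them: values found
/// after a hint word first, then every other token of at least four characters,
/// each at most once.
pub fn password_candidates(body: &str) -> Vec<String> {
    let mut hinted = Vec::new();
    let mut others = Vec::new();
    for line in body.lines() {
        if let Some(p) = after_hint(line) {
            hinted.push(p);
        }
        // "PW:abc123" and "pw=abc123" are split so the value is seen on its own.
        for tok in line.split(|c: char| c.is_whitespace() || c == ':' || c == '=') {
            let t = clean(tok);
            if t.chars().count() >= 4 && !HINT_WORDS.contains(&t.to_ascii_lowercase().as_str()) {
                others.push(t.to_string());
            }
        }
    }
    let mut seen = HashSet::new();
    hinted.into_iter().chain(others).filter(|c| seen.insert(c.clone())).collect()
}

fn main() {
    // Constructed sample body, not a real mail.
    let body = "Hello,\nthe invoice is attached as invoice.zip\nPassword: Inv0ice#2024\n\
                Please open it today.\n\nMit freundlichen Grüßen\nPasswort ist \"Rechnung99\"\n";
    for (i, c) in password_candidates(body).iter().enumerate() {
        println!("{i}: {c}");
    }
}
```

The fallback list is deliberately broad: a sender who writes the password without any hint word still gets caught, at the cost of a few wasted decryption attempts, which are cheap compared with missing the payload. Anything that needs an archive library (trying the candidates against the `.zip`/`.7z`) is left out so the example runs with the standard library alone.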
## Installation (Docker)
1. use the provided [docker-compose.yml](https://github.com/daschr/malunpacker/blob/main/docker-compose.yml) and spawn the container
2. go into the `etc` docker volume of the container, create a `rules` directory and put your `.yar` rule files into it
(Note: a good start for rules may be https://yarahq.github.io/)
3. restart the container and check that it's running
4. Rspamd integration
* go to your Rspamd configuration files and add the following to your `external_services.conf`
```
malunpacker {
servers = "172.22.1.1:10055";
# send the whole message rather than individual MIME parts, so the service
# also receives the mail body it searches for the archive password;
# needs to be set explicitly for Rspamd < 1.9.5
scan_mime_parts = false;
type = "icap";
scheme = "respmod";
# messages larger than this (3 MiB) are not sent to malunpacker at all
max_size = 3145728;
timeout = 60.0;
retransmits = 1;
x_client_header = true; # Add X-Client-IP: $IP header
x_rcpt_header = true; # Add X-Rcpt-To: $SMTP_RCPT header
x_from_header = true; # Add X-Mail-From: $SMTP_FROM header
}
```
* adapt the `VIRUS_FOUND` symbol in your `composites.conf` and add the `MALUNPACKER` symbol to its expression, e.g.:
```
VIRUS_FOUND {
expression = "( CLAM_VIRUS | MALUNPACKER ) & !WHITELIST";
score = 2000.0;
}
```
5. That's it! You can now test malunpacker by mailing yourself a password-protected archive or ISO that your YARA rules match, with the password stated in the mail body.
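Steps 3 and 5 boil down to "send the service a message and look at what comes back". As an added example (not malunpacker's or Rspamd's code), here is a minimal ICAP RESPMOD client in Rust using only the standard library: it wraps a raw message the way RFC 3507 prescribes, adds the X-Client-IP / X-Mail-From / X-Rcpt-To headers that the `x_*_header` options above make Rspamd send, and turns the reply into a verdict from the status code and the X-Virus-ID / X-Infection-Found headers. The service path `respmod` (taken from the `scheme` setting), the placeholder addresses and the sample message are assumptions.

```rust
// Added example: a minimal ICAP RESPMOD client for checking that malunpacker
// answers, plus a parser for its verdict. Not malunpacker's or Rspamd's code.
// Request layout follows RFC 3507; service path and addresses are assumptions.
use std::io::{Read, Write};
use std::net::TcpStream;

/// Encapsulated HTTP request header; ICAP needs one even though no real
/// HTTP fetch happened, so the URI is a placeholder.
const REQ_HDR: &str = "GET /message.eml HTTP/1.1\r\nHost: mail.example.invalid\r\n\r\n";

/// Build a RESPMOD request carrying `message` (raw RFC 822 bytes) as the
/// encapsulated HTTP response body, chunked as RFC 3507 requires.
pub fn build_respmod(host: &str, service: &str, client_ip: &str, mail_from: &str, rcpt_to: &str, message: &[u8]) -> Vec<u8> {
    let res_hdr = format!(
        "HTTP/1.1 200 OK\r\nContent-Type: message/rfc822\r\nContent-Length: {}\r\n\r\n",
        message.len()
    );
    // Encapsulated offsets are byte positions from the start of the encapsulated
    // section, in the order the parts appear; wrong offsets are the usual reason
    // a hand-rolled ICAP request is rejected.
    let icap_hdr = format!(
        "RESPMOD icap://{host}/{service} ICAP/1.0\r\n\
         Host: {host}\r\n\
         Allow: 204\r\n\
         Connection: close\r\n\
         X-Client-IP: {client_ip}\r\n\
         X-Mail-From: {mail_from}\r\n\
         X-Rcpt-To: {rcpt_to}\r\n\
         Encapsulated: req-hdr=0, res-hdr={}, res-body={}\r\n\r\n",
        REQ_HDR.len(),
        REQ_HDR.len() + res_hdr.len()
    );
    let mut out = Vec::new();
    out.extend_from_slice(icap_hdr.as_bytes());
    out.extend_from_slice(REQ_HDR.as_bytes());
    out.extend_from_slice(res_hdr.as_bytes());
    // One chunk holding the whole message, then the zero-length terminator chunk.
    out.extend_from_slice(format!("{:x}\r\n", message.len()).as_bytes());
    out.extend_from_slice(message);
    out.extend_from_slice(b"\r\n0\r\n\r\n");
    out
}

/// Scan outcome from the ICAP status line and the X-Virus-ID / X-Infection-Found
/// headers of RFC 3507 section 4.8. 204 means "unmodified", i.e. nothing found;
/// a 200 without a threat header is treated as clean as well.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Clean,
    Infected(String),
    Error(u16),
}

pub fn parse_verdict(response: &[u8]) -> Verdict {
    let text = String::from_utf8_lossy(response);
    let mut lines = text.split("\r\n");
    let status: u16 = lines
        .next()
        .and_then(|l| l.split_whitespace().nth(1))
        .and_then(|c| c.parse().ok())
        .unwrap_or(0);
    let mut threat: Option<String> = None;
    for line in lines {
        if line.is_empty() {
            break; // end of the ICAP header block
        }
        if let Some((name, value)) = line.split_once(':') {
            match name.trim().to_ascii_lowercase().as_str() {
                "x-virus-id" => threat = Some(value.trim().to_string()),
                // e.g. "Type=0; Resolution=2; Threat=EICAR-Test;"
                "x-infection-found" if threat.is_none() => {
                    threat = value
                        .split(';')
                        .find_map(|kv| kv.trim().strip_prefix("Threat="))
                        .map(str::to_string);
                }
                _ => {}
            }
        }
    }
    match (status, threat) {
        (204, _) | (200, None) => Verdict::Clean,
        (200, Some(t)) => Verdict::Infected(t),
        (code, _) => Verdict::Error(code),
    }
}

/// Send `message` to the ICAP service at `addr` and return its verdict.
pub fn scan(addr: &str, message: &[u8]) -> std::io::Result<Verdict> {
    let mut stream = TcpStream::connect(addr)?;
    let req = build_respmod(addr, "respmod", "203.0.113.5", "alice@example.com", "bob@example.net", message);
    stream.write_all(&req)?;
    let mut buf = Vec::new();
    stream.read_to_end(&mut buf)?; // "Connection: close" makes the server end the reply
    Ok(parse_verdict(&buf))
}

fn main() -> std::io::Result<()> {
    // Constructed message; swap in a real sample with the password in the body.
    let message = b"From: alice@example.com\r\nTo: bob@example.net\r\nSubject: test\r\n\r\nPassword: test123\r\n";
    let addr = std::env::args().nth(1).unwrap_or_else(|| "172.22.1.1:10055".to_string());
    println!("{:?}", scan(&addr, message)?);
    Ok(())
}
```

Run it with the service address as the first argument; a 204 means the message passed untouched, a 200 with a threat header means one of your YARA rules matched. Unlike Rspamd, this client does not apply `max_size`, so it is also a convenient way to see how the service copes with an attachment bigger than 3 MiB that Rspamd would never hand over.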
## LLM for credential extraction
You may also enable the use of an LLM for credential extraction by specifying the environment variable `USE_ML_FOR_CREDS_EXTRACTION=true` in your docker-compose file. The service uses [rust-bert](https://github.com/guillaume-be/rust-bert) for the ML part.