r1xnx

Everything posted by r1xnx

  1. The issue must have been cURL. I have done everything in Python Requests, which works:

     >>> import requests
     >>> requests.post("http://127.0.0.1:8085/scans?wait=1", headers={'content-type': 'application/octet-stream'}, data=rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").json()
     {'completed': '2023-01-25T15:19:55.179518+00:00', 'created': '2023-01-25T15:19:52.343156+00:00', 'progress': 100, 'scan_result': {'noname': {'started': '2023-01-25T15:19:53+00:00', 'stopped': '2023-01-25T15:19:54+00:00', 'threats': [{'name': 'EICAR-Test-File', 'object': '/root/kesl-service/tmp/21729d49-4986-4469-b017-90d2e92c34c3'}], 'verdict': 'infected'}}, 'status': 'completed', 'verdicts': ['infected']}
  2. EDIT: Probably found the issue. The backslash is not added, but truncated by Bash/cURL.
  3. Dear Forum,

     I am currently looking into whether it is viable to use Kaspersky Endpoint Security for Linux (KESL) on one of our Linux servers. As I have seen that a (Docker-)containerized solution is available, I started looking into that one first. The REST API looks great on paper, because it looks simple enough to be stable. But unfortunately it does not work for me. I therefore have two questions:

     What am I doing wrong?
     Does the REST API indeed not work?

     Here is some information on what I have done so far: I have successfully built a local container image for KESL 11.3.0.7441 based on the official downloads. Furthermore, I got it running:

     $ podman run --name kesl-service -it --rm -p 8085:8085 --init -e KRAS4D_PORT=8085 -e KRAS4D_LOGLEVEL='debug' -e KRAS4D_FORCEUPDATE=True -v ./kesl_env/bases:/var/opt/kaspersky/kesl/common/updates localhost/kesl-service:latest
     unable to open file /root/kesl-service/config/kesl-service.config, use default configuration before apply environments
     /opt/kaspersky/kesl/shared/init/updates/ --> /var/opt/kaspersky/kesl/common/updates/
     startup script code: 0
     startup script info: create service dir's
     update storage.conf
     klnagent: klnagent.conf not found, klnagent disabled
     kesl: configure kesl
     start /opt/kaspersky/kesl/bin/kesl-setup.pl --autoinstall=kesl-setup.conf
     update av bases. please, wait...
     update complete with code: 0

     Unfortunately the REST API flags basically every file as "CLEAN"; here is the output of a REST API request for the EICAR test file:

     $ curl -H "Content-Type: application/octet-stream" --data-binary "${eicar}" "http://127.0.0.1:8085/scans?wait=1"
     {"completed":"2023-01-25T12:34:11.986569+00:00","created":"2023-01-25T12:34:10.414443+00:00","progress":100,"scan_result":{"noname":{"started":"2023-01-25T12:34:11+00:00","stopped":"2023-01-25T12:34:11+00:00","verdict":"clean"}},"status":"completed","verdicts":["clean"]}

     I even used "live" viruses, which I knew Kaspersky would detect.

     If I copy an EICAR file to the running container and scan it, it is properly detected as such:

     $ podman cp eicar.com kesl-service:/tmp
     $ podman exec -it kesl-service kesl-control --scan-file /tmp/eicar.com
     Scanned objects                    : 1
     Total detected objects             : 1
     Infected objects and other objects : 1
     Disinfected objects                : 0
     Moved to Storage                   : 1
     Removed objects                    : 1
     Not disinfected objects            : 0
     Scan errors                        : 0
     Password-protected objects         : 0
     Skipped objects                    : 0
     $ podman exec -it kesl-service kesl-control -B --query
     ObjectId: 1
     FileName       : /tmp/eicar.com
     DangerLevel    : High
     DetectType     : Virware
     DetectName     : EICAR-Test-File
     CompoundObject : No
     AddTime        : 2023-01-25 12:38:21
     FileSize       : 69

     Looking a bit into the Podman log output and the code, I found out that the REST API does not use the 'kesl-control --scan-file' call directly:

     DEBUG:main.app:REQUEST: /SCANS GET from 10.0.2.100 force:True
     DEBUG:main.scan_mgr:re-read scans database
     DEBUG:main.app:scan_request content-type(application/octet-stream sync-scan(False)
     DEBUG:main.db_conn:add new scan with guid a60735e2-2c60-4b3c-819b-e3ebc3511186 result: 0
     DEBUG:main.control:run command(kesl-control --create-task kras4d_a60735e2_2c60_4b3c_819b_e3ebc3511186_1 --type ODS, timeout=600)
     DEBUG:main.control:run command(kesl-control --set-set kras4d_a60735e2_2c60_4b3c_819b_e3ebc3511186_1 FirstAction=Skip SecondAction=Skip ScanScope.item_0000.Path=/root/kesl-service/tmp/488dd961-fb50-47ed-9b48-a0eb189813fc , timeout=600)
     DEBUG:main.kesl-control:start task: <kesl-control --start-task kras4d_a60735e2_2c60_4b3c_819b_e3ebc3511186_1 -W>
     DEBUG:main.control:run command(kesl-control --delete-task kras4d_a60735e2_2c60_4b3c_819b_e3ebc3511186_1, timeout=600)

     Thus I have tried to call those logged commands manually, which did work:

     $ podman exec -it kesl-service kesl-control --create-task kras4d_a60735e3_2c61_4b3d_819c_e3ebc3511187_1 --type ODS
     The task has been created (task ID: 103)
     $ podman exec -it kesl-service kesl-control --set-set kras4d_a60735e3_2c61_4b3d_819c_e3ebc3511187_1 FirstAction=Skip SecondAction=Skip ScanScope.item_0000.Path=/tmp/eicar.com
     $ podman exec -it kesl-service kesl-control --start-task kras4d_a60735e3_2c61_4b3d_819c_e3ebc3511187_1 -W
     Waiting for events from Event Manager
     [...]
     EventType=ThreatDetected
     EventId=3950
     Initiator=Product
     Date=2023-01-25 13:23:27
     DangerLevel=Critical
     DetectName=EICAR-Test-File
     DetectType=Virware
     DetectCertainty=Sure
     DetectSource=Local
     FileName=/tmp/eicar.com
     ObjectName=File
     TaskId=103
     RuntimeTaskId=10
     TaskName=kras4d_a60735e3_2c61_4b3d_819c_e3ebc3511187_1
     TaskType=ODS
     ObjectId=1
     Md5Hash=69630e4574ec6798239b091cda43dca0
     Sha256Hash=131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267
     UniqueFileId=b3910f2cb271f9a3d2af2c74aa56a31d56395510daa8b74071255ce9643d1268
     AccessUser=root
     AccessUserId=0
     FileOwner=root
     FileOwnerId=0
     FileSize=69
     [...]
     $ podman exec -it kesl-service kesl-control --delete-task kras4d_a60735e3_2c61_4b3d_819c_e3ebc3511187_1

     Looking at the event log output for the EICAR file that has been uploaded through the REST API, I have found that there has been a successful scan, but no detection:

     EventType=TaskStateChanged
     EventId=3928
     Initiator=User
     UserName=root
     UserId=0
     Date=2023-01-25 12:34:00
     DangerLevel=Informational
     TaskName=kras4d_a60735e2_2c60_4b3c_819b_e3ebc3511186_1
     SCTaskName=kras4d_a60735e2_2c60_4b3c_819b_e3ebc3511186_1
     RuntimeTaskId=7
     TaskId=100
     TaskState=Started
     PrevTaskState=Starting
     TaskType=ODS
     EventType=TaskStateChanged
     EventId=3929
     Initiator=Product
     Date=2023-01-25 12:34:00
     DangerLevel=Informational
     TaskName=kras4d_a60735e2_2c60_4b3c_819b_e3ebc3511186_1
     SCTaskName=kras4d_a60735e2_2c60_4b3c_819b_e3ebc3511186_1
     RuntimeTaskId=7
     TaskId=100
     TaskState=Stopped
     PrevTaskState=Started
     TaskType=ODS

     I have tinkered a little bit with the included 'application.py' so that a copy of the scanned file would be saved:

     git diff kesl-service/application.py
diff --git a/kesl-service/application.py b/kesl-service/application.py index d1369c4..197d296 100644 --- a/kesl-service/application.py +++ b/kesl-service/application.py 
     @@ -233,6 +233,7 @@ class Application(CommonErrorResponse): except (OSError, ValueError, Exception) as ex: self.log.error(f"unable to create file from octet-stream: {str(ex)}", exc_info=True) return self.make_error(self.ERR_INTERNAL_SERVER_ERROR, str(ex)) + shutil.copy2(path, '/root/') elif content_type.startswith('multipart/form-data'): scan_session['session_info'].update({ 'type' : 'stream',

     When I compared the saved file with the actual 'eicar.com' that was uploaded, I found that an additional backslash must have been added somewhere:

     $ diff <(podman exec -it kesl-service cat /root/1e479f8f-a825-4082-92ca-234bd3072924) <(cat eicar.com)
     1c1
     < X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
     \ No newline at end of file
     ---
     > X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

     At this point, I became afraid that cURL had done something wrong while uploading; but looking into the recorded TCP traffic, that has not been the case:

     # Client
     POST /scans?wait=1 HTTP/1.1
     Host: 127.0.0.1:8085
     User-Agent: curl/7.82.0
     Accept: */*
     Content-Type: application/octet-stream
     Content-Length: 67

     X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

     # Server
     HTTP/1.1 200 OK
     Content-Length: 272
     Content-Type: application/json
     Date: Wed, 25 Jan 2023 14:02:50 GMT
     Server: waitress

     {"completed":"2023-01-25T14:02:51.584964+00:00","created":"2023-01-25T14:02:50.129862+00:00","progress":100,"scan_result":{"noname":{"started":"2023-01-25T14:02:51+00:00","stopped":"2023-01-25T14:02:51+00:00","verdict":"clean"}},"status":"completed","verdicts":["clean"]}

     So apparently, the REST API is not saving the files properly – at least in my case. Before I deep dive into the Python code of the REST API, I was wondering:

     What am I possibly doing wrong?
     Is anyone here using the KESL container successfully (version 11.3)?
     Is the REST API still supported/maintained?

     Thank you very much for any useful comment on this issue.
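Review bot: the added `shutil.copy2(path, '/root/')` depends on `shutil` being imported in application.py, and none of the visible context lines show that import; if it is absent, every successful octet-stream upload will fail with a NameError right after the temp file is written, which would look like yet another REST API fault. The probe also copies every uploaded sample, including live malware, into /root/ under its temporary name with no cleanup; for a debugging hook, logging the size and a hash of `path` gives the same evidence (here the 67-byte length alone would have pointed at the lost backslash) without persisting samples outside the service's tmp directory.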
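The mismatch shown above (Content-Length 67 for a 68-byte EICAR file) can be reproduced without KESL or any network access. The following is an added example, not code from the post or from Kaspersky: it builds the EICAR string with quoting the shell leaves alone, reproduces the lossy path in which a `read` without `-r` strips the backslash, and checks the byte count a client should send before uploading.

```shell
#!/bin/sh
# Added example (not from the forum post): the EICAR test string is harmless by
# design, but its backslash is exactly the byte that careless shell handling drops.

# Single quotes: the shell performs no backslash or $-expansion inside them.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Byte count of the argument, independent of locale. printf '%s' adds no newline,
# so this is what curl --data-binary "$EICAR" would announce as Content-Length.
byte_len() {
    printf '%s' "$1" | LC_ALL=C wc -c | tr -d ' '
}

# Reproduce the lossy path: `read` without -r treats backslash as an escape
# character and removes it, leaving the 67-byte string seen in the TCP capture.
eicar_via_read() {
    printf '%s\n' "$EICAR" | while IFS= read line; do printf '%s' "$line"; done
}

# The safe path: read -r keeps the backslash, as does passing the file itself to
# curl with --data-binary @eicar.com instead of interpolating a variable.
eicar_via_read_r() {
    printf '%s\n' "$EICAR" | while IFS= read -r line; do printf '%s' "$line"; done
}

# Pre-upload sanity check: refuse to send a sample whose length is not 68 bytes.
check_eicar_len() {
    [ "$(byte_len "$1")" -eq 68 ]
}

main() {
    echo "single quotes : $(byte_len "$EICAR") bytes"
    echo "read (no -r)  : $(byte_len "$(eicar_via_read)") bytes"
    echo "read -r       : $(byte_len "$(eicar_via_read_r)") bytes"
    if check_eicar_len "$(eicar_via_read)"; then
        echo "read (no -r): length ok"
    else
        echo "read (no -r): backslash lost, do not upload"
    fi
}

main "$@"
```

Run with `sh` or `bash`; the 67 vs 68 difference is the same check you can make against the Content-Length header in a capture before suspecting the scanner.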