KESL Container REST-API detects nothing

[r1xnx]

Dear Forum,

I am currently looking into whether it is viable to use Kaspersky Endpoint Security for Linux (KESL) on one of our Linux servers. As I have seen that a (Docker-)containerized solution is available, I started looking into that one first. The REST-API is looking great on paper because of it is looking simple enough to be stable. But unfortunately it does not work for me

I therefore have two questions:

1. What am I doing wrong? 
2. Does the REST-API indeed not work?

Here some information what I have done so far:

I have successfully built a local container image for KESL 11.3.0.7441 based on the official downloads. Furthermore I got that running:

$ podman run --name kesl-service -it --rm -p 8085:8085 --init -e KRAS4D_PORT=8085 -e KRAS4D_LOGLEVEL='debug' -e KRAS4D_FORCEUPDATE=True -v ./kesl_env/bases:/var/opt/kaspersky/kesl/common/updates localhost/kesl-service:latest
unable to open file /root/kesl-service/config/kesl-service.config, use default configuration before apply environments
/opt/kaspersky/kesl/shared/init/updates/ --> /var/opt/kaspersky/kesl/common/updates/
startup script code: 0
startup script info:
create service dir's
update storage.conf
klnagent:
    klnagent.conf not found, klnagent disabled
kesl:
    configure kesl
    start /opt/kaspersky/kesl/bin/kesl-setup.pl --autoinstall=kesl-setup.conf
update av bases. please, wait...
update complete with code: 0

Unfortunately the REST API flags basically every file as "CLEAN"; here the output of a REST-API-Request for the EICAR-Test-File:

$ curl -H "Content-Type: application/octet-stream" --data-binary "${eicar}" "http://127.0.0.1:8085/scans?wait=1" 
{"completed":"2023-01-25T12:34:11.986569+00:00","created":"2023-01-25T12:34:10.414443+00:00","progress":100,"scan_result":{"noname":{"started":"2023-01-25T12:34:11+00:00","stopped":"2023-01-25T12:34:11+00:00","verdict":"clean"}},"status":"completed","verdicts":["clean"]}

I even used "live" Viruses, of which I knew that Kaspersky would detect. 

If I copy an EICAR-File to the running Container and scan it, it is properly detected as such:

$ podman cp eicar.com kesl-service:/tmp 
$ podman exec -it kesl-service kesl-control --scan-file /tmp/eicar.com
Scanned objects                     : 1
Total detected objects              : 1
Infected objects and other objects  : 1
Disinfected objects                 : 0
Moved to Storage                    : 1
Removed objects                     : 1
Not disinfected objects             : 0
Scan errors                         : 0
Password-protected objects          : 0
Skipped objects                     : 0
$ podman exec -it kesl-service kesl-control -B --query 
ObjectId: 1
    FileName                 : /tmp/eicar.com
    DangerLevel              : High
    DetectType               : Virware
    DetectName               : EICAR-Test-File
    CompoundObject           : No
    AddTime                  : 2023-01-25 12:38:21
    FileSize                 : 69

Looking a bit into the Podman log output and the code, I found out, that the REST-API does not use the 'kesl-control --scan-file'-Call directly. 

DEBUG:main.app:REQUEST: /SCANS GET from 10.0.2.100 force:True
DEBUG:main.scan_mgr:re-read scans database
DEBUG:main.app:scan_request content-type(application/octet-stream sync-scan(False)
DEBUG:main.db_conn:add new scan with guid a60735e2-2c60-4b3c-819b-e3ebc3511186 result: 0
DEBUG:main.control:run command(kesl-control --create-task kras4d_a60735e2_2c60_4b3c_819b_e3ebc3511186_1 --type ODS, timeout=600)
DEBUG:main.control:run command(kesl-control --set-set kras4d_a60735e2_2c60_4b3c_819b_e3ebc3511186_1 FirstAction=Skip SecondAction=Skip ScanScope.item_0000.Path=/root/kesl-service/tmp/488dd961-fb50-47ed-9b48-a0eb189813fc , timeout=600)
DEBUG:main.kesl-control:start task: <kesl-control --start-task kras4d_a60735e2_2c60_4b3c_819b_e3ebc3511186_1 -W>
DEBUG:main.control:run command(kesl-control --delete-task kras4d_a60735e2_2c60_4b3c_819b_e3ebc3511186_1, timeout=600)

Thus I have tried to call those logged commands manually, which did work:

$ podman exec -it kesl-service kesl-control --create-task kras4d_a60735e3_2c61_4b3d_819c_e3ebc3511187_1 --type ODS
The task has been created (task ID: 103)
$ podman exec -it kesl-service kesl-control --set-set kras4d_a60735e3_2c61_4b3d_819c_e3ebc3511187_1 FirstAction=Skip SecondAction=Skip ScanScope.item_0000.Path=/tmp/eicar.com
$ podman exec -it kesl-service kesl-control --start-task kras4d_a60735e3_2c61_4b3d_819c_e3ebc3511187_1 -W
Waiting for events from Event Manager
[...]
EventType=ThreatDetected
EventId=3950
Initiator=Product
Date=2023-01-25 13:23:27
DangerLevel=Critical
DetectName=EICAR-Test-File
DetectType=Virware
DetectCertainty=Sure
DetectSource=Local
FileName=/tmp/eicar.com
ObjectName=File
TaskId=103
RuntimeTaskId=10
TaskName=kras4d_a60735e3_2c61_4b3d_819c_e3ebc3511187_1
TaskType=ODS
ObjectId=1
Md5Hash=69630e4574ec6798239b091cda43dca0
Sha256Hash=131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267
UniqueFileId=b3910f2cb271f9a3d2af2c74aa56a31d56395510daa8b74071255ce9643d1268
AccessUser=root
AccessUserId=0
FileOwner=root
FileOwnerId=0
FileSize=69
[...]
$ podman exec -it kesl-service kesl-control --delete-task kras4d_a60735e3_2c61_4b3d_819c_e3ebc3511187_1

Looking at the event log output for the EICAR-File that has been uploaded through the REST-API, I have found that there has been a successful scan, but not detection. 

EventType=TaskStateChanged
EventId=3928
Initiator=User
UserName=root
UserId=0
Date=2023-01-25 12:34:00
DangerLevel=Informational
TaskName=kras4d_a60735e2_2c60_4b3c_819b_e3ebc3511186_1
SCTaskName=kras4d_a60735e2_2c60_4b3c_819b_e3ebc3511186_1
RuntimeTaskId=7
TaskId=100
TaskState=Started
PrevTaskState=Starting
TaskType=ODS

EventType=TaskStateChanged
EventId=3929
Initiator=Product
Date=2023-01-25 12:34:00
DangerLevel=Informational
TaskName=kras4d_a60735e2_2c60_4b3c_819b_e3ebc3511186_1
SCTaskName=kras4d_a60735e2_2c60_4b3c_819b_e3ebc3511186_1
RuntimeTaskId=7
TaskId=100
TaskState=Stopped
PrevTaskState=Started
TaskType=ODS

I have tinkered a little bit with the included 'application.py' so that a copy of the scanned file would be saved:

git diff kesl-service/application.py 
diff --git a/kesl-service/application.py b/kesl-service/application.py
index d1369c4..197d296 100644
--- a/kesl-service/application.py
+++ b/kesl-service/application.py
@@ -233,6 +233,7 @@ class Application(CommonErrorResponse):
             except (OSError, ValueError, Exception) as ex:
                 self.log.error(f"unable to create file from octet-stream: {str(ex)}", exc_info=True)
                 return self.make_error(self.ERR_INTERNAL_SERVER_ERROR, str(ex))
+            shutil.copy2(path, '/root/')
         elif content_type.startswith('multipart/form-data'):
             scan_session['session_info'].update({
                 'type'  : 'stream',

When I compared the saved file with the actual 'eicar.com' that was uploaded, I found, that an additional backslash must have been added somewhere:

$ diff <(podman exec -it kesl-service cat /root/1e479f8f-a825-4082-92ca-234bd3072924) <(cat eicar.com)
1c1
< X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
\ No newline at end of file
---
> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

At this point, I became afraid that cURL has done something wrong while uploading; but looking into recorded TCP-Traffic, that has not been the case:

# Client
POST /scans?wait=1 HTTP/1.1
Host: 127.0.0.1:8085
User-Agent: curl/7.82.0
Accept: */*
Content-Type: application/octet-stream
Content-Length: 67

X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

# Server
HTTP/1.1 200 OK
Content-Length: 272
Content-Type: application/json
Date: Wed, 25 Jan 2023 14:02:50 GMT
Server: waitress

{"completed":"2023-01-25T14:02:51.584964+00:00","created":"2023-01-25T14:02:50.129862+00:00","progress":100,"scan_result":{"noname":{"started":"2023-01-25T14:02:51+00:00","stopped":"2023-01-25T14:02:51+00:00","verdict":"clean"}},"status":"completed","verdicts":["clean"]}

So apparently, the REST-API is not saving the files properly – at least in my case. 

Before I deep dive into the Python-Code of the REST-API I was wondering:

1. What I am possibly doing wrong?
2. Whether anyone here is using the KESL Container successfully (Version 11.3)? 
3. Is the REST-API still supported/ maintained?

Thank you very much for any useful comment on this issue.

[r1xnx]

EDIT: Probably found the issue. The backlash is not added, but truncated by Bash/ cURL.

[r1xnx]

The issue must have been cURL. I have done everything in Python Requests, which works:

>>> import requests
>>> requests.post("http://127.0.0.1:8085/scans?wait=1", headers={'content-type': 'application/octet-stream'}, data=rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").json()
{'completed': '2023-01-25T15:19:55.179518+00:00', 'created': '2023-01-25T15:19:52.343156+00:00', 'progress': 100, 'scan_result': {'noname': {'started': '2023-01-25T15:19:53+00:00', 'stopped': '2023-01-25T15:19:54+00:00', 'threats': [{'name': 'EICAR-Test-File', 'object': '/root/kesl-service/tmp/21729d49-4986-4469-b017-90d2e92c34c3'}], 'verdict': 'infected'}}, 'status': 'completed', 'verdicts': ['infected']}