
Return reason for classification as "bad" #94

Description

@Clevero

It would be cool if Peekaboo could return the evil sig that was triggered and is the reason why the file is classified as bad.
Just as ClamAV and other engines return something like "VBS/TrojanDownloader.Agent.PDK", Peekaboo could for example return "Installs itself for autorun at Windows startup" or something like that to amavis.

That information could be included in admin and recipient notifications

Expected Behavior

Returns the reason why it was classified as bad

Current Behavior

Does not return anything to amavis that indicates the reason for the decision

Context (Environment)

Every time amavis finds malicious content it sends an email to our IT department and to the recipient. Sometimes it is not immediately clear whether it might be a false positive, for example if the forged sender is @dhl.com and the recipient is at that moment expecting a message from DHL.
Also, we had an incident last week where a customer (with no Peekaboo or similar) forwarded us a suspicious job application email, as they are currently looking for a new staff member. This forwarded email was blocked by Peekaboo on our side, but the IT colleague who was asked was not anywhere near 100% sure whether it was a false positive, since he is not familiar enough with Cuckoo to check what the Cuckoo analysis said.

I think in both cases it would give the notifications to the recipient and admin a more meaningful tone if the reason why the email was actually blocked could be included.

Possible Implementation

I would say the easiest way would be to return the evil sig to amavis.

Maybe it would also be possible to categorize it into things like spyware if e.g. a keylogger is detected, ransomware when it deletes or encrypts files, etc. I think the second is maybe interesting for the more distant future, as this is a more complicated task and other features have a higher priority.
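The following is an added illustration of the two ideas in this request (return the triggering signatures as the reason, and optionally derive a coarse category from them). It is example code written for this page, not Peekaboo's or Cuckoo's own code. It assumes a Cuckoo-style report with a `signatures` list where each entry has `name`, `description` and a numeric `severity`; the severity threshold, the keyword-based `CATEGORY_RULES` and the `Peekaboo: bad (...)` result line are all made up for the example, and the sample report is constructed.

```python
import json
from dataclasses import dataclass, field

# Constructed sample in the shape of a Cuckoo report's "signatures" list
# (made up for this example; not the output of a real analysis).
SAMPLE_REPORT = json.dumps({
    "signatures": [
        {"name": "antivm_generic_disk",
         "description": "Checks amount of disk space on the machine",
         "severity": 1},
        {"name": "persistence_autorun",
         "description": "Installs itself for autorun at Windows startup",
         "severity": 3},
        {"name": "deletes_shadow_copies",
         "description": "Attempts to delete volume shadow copies",
         "severity": 3},
    ]
})

# Hypothetical coarse categories; first matching rule wins. Keywords are
# matched against the names and descriptions of the triggering signatures.
CATEGORY_RULES = (
    ("ransomware", ("shadow", "encrypt", "ransom")),
    ("spyware", ("keylog", "credential", "screenshot")),
    ("persistence", ("autorun", "startup", "persistence")),
)


@dataclass
class Verdict:
    bad: bool
    reason: str
    category: str
    signatures: list = field(default_factory=list)


def classify(report_json: str, bad_severity: int = 2) -> Verdict:
    """Decide good/bad from signature severity and keep the triggering
    signatures (most severe first) as the human-readable reason."""
    report = json.loads(report_json)
    triggered = [s for s in report.get("signatures", [])
                 if s.get("severity", 0) >= bad_severity]
    if not triggered:
        return Verdict(False, "no signature at or above severity %d" % bad_severity,
                       "clean")
    # Stable sort keeps report order among signatures of equal severity.
    triggered.sort(key=lambda s: s["severity"], reverse=True)
    haystack = " ".join("%s %s" % (s["name"], s.get("description", ""))
                        for s in triggered).lower()
    category = next((cat for cat, keywords in CATEGORY_RULES
                     if any(k in haystack for k in keywords)), "unknown")
    reason = "; ".join(s.get("description") or s["name"] for s in triggered)
    return Verdict(True, reason, category, [s["name"] for s in triggered])


def result_line(verdict: Verdict) -> str:
    """Format the verdict as one line suitable for an admin/recipient
    notification (hypothetical format, not what Peekaboo emits)."""
    if not verdict.bad:
        return "Peekaboo: good"
    return "Peekaboo: bad (%s) - %s" % (verdict.category, verdict.reason)


if __name__ == "__main__":
    print(result_line(classify(SAMPLE_REPORT)))
```

For the constructed report this yields a "bad" verdict whose reason lists both high-severity signatures and whose category is "ransomware" because the shadow-copy deletion rule matches first; raising the threshold above every signature's severity yields a "good" verdict. The category step is kept separate from the reason so that the reason can ship first and the rule table can grow later, as the request suggests.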
