Wednesday, February 9, 2011

Server side virus scanning

I need to scan uploaded files for viruses on a Linux server, but I'm not sure how to go about it.

What are my options, if any? I'm also interested in how the scanners perform when multiple users send multiple files at the same time.

  • I would have a look at Clam AntiVirus. It provides a clamscan program that can scan a given file and return a pass/fail indication. It's free and automatically updates its database regularly.

    As for integrating such a product into your file upload process, that would be specific to whatever file upload process you actually use.

    kari.patila : ClamAV worked great, and it was surprisingly easy to get it to play along with Python.
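    The answer above says clamscan gives a pass/fail indication and the comment says it was easy to drive from Python. As an added example (not code from the answer, the commenter, or the ClamAV project), here is a small wrapper that runs clamscan on a stored upload and maps its documented exit codes (0 clean, 1 infected, 2 error) to a verdict, treating an error or timeout as a rejection rather than a pass. The only assumption is that the clamscan binary is on PATH.

```python
"""Scan an uploaded file with clamscan and map its exit status to a verdict.

Added example, not code from the answer above or from the ClamAV project.
Assumes the clamscan binary from Clam AntiVirus is on PATH.
"""
from __future__ import annotations

import subprocess
from pathlib import Path
from typing import Optional, Tuple

# clamscan exit codes, from the clamscan man page:
#   0 = no virus found, 1 = virus(es) found, 2 = an error occurred
CLEAN, INFECTED, ERROR = "clean", "infected", "error"


def parse_clamscan(returncode: int, stdout: str) -> Tuple[str, Optional[str]]:
    """Turn clamscan's exit code and output into (verdict, signature name).

    With --no-summary clamscan prints one line per file:
    "<path>: OK" or "<path>: <SignatureName> FOUND".
    """
    if returncode == 0:
        return CLEAN, None
    if returncode == 1:
        for line in stdout.splitlines():
            if line.endswith(" FOUND"):
                # Strip the trailing " FOUND" and take the text after the last ": "
                return INFECTED, line[: -len(" FOUND")].rsplit(": ", 1)[-1]
        return INFECTED, None
    # Exit code 2 (or anything unexpected): the scanner did not run cleanly.
    return ERROR, None


def scan_upload(path: Path, timeout: int = 300) -> Tuple[str, Optional[str]]:
    """Run clamscan on one stored upload.

    The path is made absolute so that an uploaded name starting with "-"
    cannot be mistaken for a clamscan option.
    """
    try:
        result = subprocess.run(
            ["clamscan", "--no-summary", str(path.resolve())],
            capture_output=True, text=True, timeout=timeout, check=False,
        )
    except (OSError, subprocess.TimeoutExpired):
        # clamscan missing or hung: report an error, never a pass
        return ERROR, None
    return parse_clamscan(result.returncode, result.stdout)


def accept_upload(path: Path) -> bool:
    """Fail closed: only a file clamscan positively reported as clean is kept."""
    verdict, _ = scan_upload(path)
    if verdict != CLEAN:
        path.unlink(missing_ok=True)  # quarantine would also do; deleted here
    return verdict == CLEAN
```

    The point of `parse_clamscan` being separate from `scan_upload` is that the exit-code mapping can be unit-tested without a scanner installed, and that exit code 2 (database missing, unreadable file, scanner crash) is never confused with a clean result.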
  • If you're concerned about performance, consider using clamd/clamdscan as your implementation. clamd runs as a daemon so all the initialization costs are only done once. When you then scan a file with clamdscan it just feeds the file to a forked clamd to do the actual scanning. If you have a ton of traffic it's much more efficient.

    If you have performance concerns beyond that, you should consider using a commercial product. Most of the big players have Linux/Unix versions these days.

    kari.patila : I think that Yahoo uses Symantec for mail. Hotmail went with Trend, I guess. I'll try clamd/clamscan for now and try to get some advice from F-Secure, since they're pretty much the only Finnish company doing this sort of thing.
    From jj33
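    The answer above recommends clamd so that initialization happens once and many files can be scanned cheaply, which also addresses the question about several users uploading at the same time. As an added example (not code from the answer or from the ClamAV project), the following Python client talks to a running clamd directly over the same socket protocol clamdscan uses: it sends `zINSTREAM`, streams the file as length-prefixed chunks, ends with a zero-length chunk, and parses the NUL-terminated reply. Each scan opens its own connection, so a thread pool can scan several uploads concurrently. The socket path is an assumption and should be taken from `LocalSocket` in your clamd.conf.

```python
"""Stream uploads to a running clamd over its Unix socket and scan concurrently.

Added example, not code from the answer above or from the ClamAV project.
Assumes clamd listens on SOCKET_PATH (check LocalSocket in clamd.conf).
"""
from __future__ import annotations

import socket
import struct
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple

SOCKET_PATH = "/var/run/clamav/clamd.ctl"  # assumption; see clamd.conf
CHUNK = 64 * 1024


def instream_frames(data: bytes, chunk: int = CHUNK) -> bytes:
    """Encode data for clamd's INSTREAM command.

    Each chunk is a 4-byte big-endian length followed by the bytes; a
    zero-length chunk marks the end of the stream.
    """
    out = bytearray()
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out += struct.pack(">I", len(piece)) + piece
    out += struct.pack(">I", 0)
    return bytes(out)


def parse_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Parse 'stream: OK', 'stream: <Signature> FOUND' or '... ERROR'."""
    text = reply.rstrip(b"\0\n").decode(errors="replace")
    if text.endswith(" OK"):
        return "clean", None
    if text.endswith(" FOUND"):
        return "infected", text[: -len(" FOUND")].split(": ", 1)[1]
    # Anything else (e.g. "INSTREAM size limit exceeded. ERROR") is an error,
    # and an error is never treated as a pass.
    return "error", text


def scan_bytes(data: bytes, sock_path: str = SOCKET_PATH,
               timeout: float = 300.0) -> Tuple[str, Optional[str]]:
    """Scan one in-memory blob on a fresh connection to clamd.

    The 'z' prefix asks clamd for NUL-terminated replies, so we read until
    the terminating NUL (or until clamd closes the connection).
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(b"zINSTREAM\0" + instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


def scan_many(paths: Iterable[Path], workers: int = 4) -> Dict[Path, Tuple[str, Optional[str]]]:
    """Scan several uploads in parallel; every worker uses its own connection."""
    paths = list(paths)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        verdicts = pool.map(lambda p: scan_bytes(p.read_bytes()), paths)
        return dict(zip(paths, verdicts))


if __name__ == "__main__":
    import sys
    for path, (verdict, detail) in scan_many(Path(a) for a in sys.argv[1:]).items():
        print(f"{path}: {verdict}" + (f" ({detail})" if detail else ""))
```

    Keep `workers` at or below clamd's `MaxThreads`, and note that a file larger than clamd's `StreamMaxLength` makes clamd answer with an ERROR line and drop the connection, which `parse_reply` reports as an error so the upload is not silently accepted.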
  • You should try to find an anti-virus vendor that has a public API for its scanner. That way you can programmatically scan a file. It will make it much easier in the long run than trying to mess with other processes via your upload script.

  • Here are my results for ClamAV when tested against known viruses:

    [infected] => AdvancedXPFixerInstaller.exe
    [pass] => auto.exe
    [pass] => cartao.exe
    [infected] => cartoes_natal.exe
    [pass] => codec.exe
    [pass] => e421.exe
    [pass] => fixtool.exe
    [infected] => flash_install.exe
    [infected] => issj.exe
    [infected] => iwmdo.exe
    [infected] => jobxxc.exe
    [infected] => kbmt.exe
    [pass] => killer_cdj.exe
    [pass] => killer_javqhc.exe
    [infected] => killer_rodog.exe
    [infected] => kl.exe
    [infected] => MacromediaFlash.exe
    [infected] => MacromediaFlashPlayer.exe
    [infected] => paraense.exe
    [infected] => pibzero.exe
    [pass] => scan.exe
    [pass] => uaqxtg.exe
    [pass] => vejkcfu.exe
    [infected] => VIDeoSS.exe
    [infected] => wujowpq.exe
    [pass] => X-IrCBOT.exe

    The problem is that none of those should have passed.

  • Have you run them through commercial scanners? I used to be an admin for a product that ran files through 4 commercial scanners in parallel. I had a test virus corpus of several hundred and none of the commercial scanners could find them all...

    kari.patila : Not yet. This test pack was recommended by a local anti-virus community, so I'd imagine they represent the latest and most common viruses. I'm aware that the detection rate is usually between 20% and 80%, which isn't really all that good.
    From jj33
  • You should look into opswat's MetaScan. This tool manages the updating and multiple-engine scanning of files. It bundles with AVG, CA eTrust™, ClamWin, ESET NOD32 Antivirus Engine, MicroWorld eScan Engine, Norman Virus Control, and VirusBuster EDK. Additionally it will invoke the Nortons and such. The advantage is that you get multiple engines running against the file.

  • Clamscan will scan files once they are stored, and will not prevent an infected file from being uploaded or downloaded.

    I have a squid (https+cache) <-> HAVP (with ClamAV) <-> Tomcat reverse proxy setup. HAVP (http://www.server-side.de/) is a way to scan http traffic through ClamAV or any other commercial antivirus software. It will prevent users from downloading infected files.

    Nevertheless, it does not work at upload time, so it will not prevent the files from being stored on the servers, but it does prevent the files from being downloaded and thus propagated. So use it together with regular file scanning (e.g. clamscan).

