2

How can I scan an incoming file upload (or a datastream) into a webserver and database for virus/malware?

I know how (using the excellent Clam) to scan things after they have been uploaded, but I would like to do the scanning before I upload them into the server. I know scanning before uploading is possible because I have seen it on some websites: they do a virus-scan before uploading the file. How is this done?

My current (probably naive) line of thought is to actually upload the files into the server, store them in a special location where only one specific/special user has access, then do the scanning. Finally, move the scanned files into the database. Is there a better way?

ahron
  • 365
  • 3
  • 14
  • 2
    are you sure those websites don't upload to a `/tmp` folder, prompt a nice box via javascript, and show you they are scanning the file – gwillie Aug 14 '15 at 08:29
  • @gwillie indeed, what I wrote in my _naive approach_ was based on guessing how they did that. Question is, is that basically the only way? – ahron Aug 14 '15 at 08:34
  • `javascript` can't access local filesystem, so the only way is where you have access to what tools you need, which is on the server – gwillie Aug 14 '15 at 08:40
  • @gwillie But Javascript can access the data being streamed, right? Is there a way of scanning the stream? – ahron Aug 14 '15 at 11:38
  • no it cant. javascript manipulates the `dom`, a document for displaying whatever, the [document object model](https://en.wikipedia.org/wiki/Domain_model). once it commands to send data over the network, the OS takes control and javascript has no part. – gwillie Aug 14 '15 at 11:49

1 Answers1

0

An intrusion prevention system on the network layer is one approach, AV scanning in a (reverse) proxy another.

A common approach is that you apply restrictions on allowed file-name extensions client side before accepting the upload, (but that is hardly fool proof and easily circumvented) and then server-side a quick check to verify if indeed the upload is an allowed file-type and then a pass by a virus scanner before storing the file in it's final location.

HBruijn
  • 77,029
  • 24
  • 135
  • 201
  • File name extension checks are indeed weak but magic numbers are a good idea. I have a couple of follow up questions: when you say _pass by a virus scanner_ where would the file be in the interim as the scanner is checking it? IPS I understand, it will check network traffic for any incoming attacks; AV scanning in reverse proxy layer - does it scan the file after it is stored somewhere, or the incoming stream? What's a good example of an AV scanner in a reverse proxy? – ahron Aug 14 '15 at 13:57
  • A virus infected file is not a security issue when it is in a quarantaine area where it won't be executed nor opened by the targeted application. Simply storing it in a temp space is really not an issue. With regards to AV in proxy servers: http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP – HBruijn Aug 14 '15 at 14:05
  • Meneer Bruijn, that example is for a caching server. Would you mind sharing something with a reverse proxy like HA Proxy or Nginx? – ahron Aug 14 '15 at 18:51
  • Squid can also be used as a reverse proxy, AFAIK – HBruijn Aug 14 '15 at 19:03
  • Yes. Many thanks for taking the time! I've got my learning cut out for me now – ahron Aug 14 '15 at 19:07