Live Antivirus Scan for file upload
lucaaat
10-08-2010, 04:28 PM
Hello people!
Without going too much into detail: I am working on a website where users can upload files. These files are zipped, so no single images or such.
I want to scan these files for malicious contents when the user uploads them to the server via a form.
Could you enlighten me a bit on this topic which I know few things about and point me to some web resources to solve my problem?
djr33
10-08-2010, 05:20 PM
That's very complex.
First, you will need some sort of serverside language like PHP that can unzip the files and look through the contents.
The easiest way is to check filenames: if the contents are only .jpg and .txt, then there probably* isn't any malicious content in there. If there are .exe files, then you should probably block it.
It is VERY difficult to actually check what files contain. You'd probably need a database of known viruses and that wouldn't catch unknown viruses. One option would be to try to run a virus scan (from commercial software) dynamically via the PHP script. That sounds complex, but it may also be the only way to really check the contents.
*Another problem is that you can rename a virus from .exe to .txt and it can then be renamed again to .exe. This usually will be with files that users are intentionally exchanging, rather than virus that wouldn't be expected. There are some occasions however where an altered filename may not prevent a virus from running-- rare, but theoretically possible depending on how the file is loaded. Also, if you do take the approach of checking file extensions, you will need to think of every possible file extension that might be malicious, or you could just create a list of approved file types. That's more secure, but more limiting for users as well.
Another way to approach it would be to try to actually figure out what kind of file it is: see if the extension matches the content. There are limited ways to do this aside from actually opening the file to test it (and in theory you could do that with certain file types), but one for PHP is the finfo() function library. Basically it checks some of the data in the file and guesses about what type it probably is-- just a "best guess" but in most cases should be fairly reliable.
I don't know how major companies handle this, but I do know that gmail blocks any zip attachments that contain exe files. So that approach is clearly used by at least one of the major companies, so it's probably something to consider.
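The approved-file-type list and the finfo content check described in the post above can be combined in one pass over the zip entries. This is an added example, not code from the thread; the extension-to-MIME map, the size limit and the form field name are assumptions.

```php
<?php
// Added example: allowlist check for the entries of an uploaded zip.
// The extension => MIME map is an assumed policy; adjust it to your site.
const ALLOWED = [
    'jpg' => ['image/jpeg'],
    'png' => ['image/png'],
    'txt' => ['text/plain'],
];
const MAX_ENTRY_BYTES = 10 * 1024 * 1024; // assumed per-file size limit

/** Returns a list of problems; an empty list means every entry passed. */
function check_zip(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['not a readable zip archive'];
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $problems = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $stat = $zip->statIndex($i);
        $name = $stat['name'];
        if (substr($name, -1) === '/') {
            continue; // directory entry, nothing to inspect
        }
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!array_key_exists($ext, ALLOWED)) {
            $problems[] = "$name: extension not on the approved list";
            continue;
        }
        if ($stat['size'] > MAX_ENTRY_BYTES) {
            $problems[] = "$name: larger than the size limit";
            continue;
        }
        // Read only the first bytes; finfo guesses the type from them.
        $head = $zip->getFromIndex($i, 4096);
        $mime = $head === false ? 'unreadable' : $finfo->buffer($head);
        if (!in_array($mime, ALLOWED[$ext], true)) {
            $problems[] = "$name: content looks like $mime, not .$ext";
        }
    }
    $zip->close();
    return $problems;
}

// Usage on a form upload (field name "archive" is an assumption):
// $problems = check_zip($_FILES['archive']['tmp_name']);
// if ($problems) { /* reject, or forward to a moderator */ }
```

A renamed executable fails the content check because finfo reports its real type, and encrypted entries fail because they cannot be read.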
lucaaat
10-08-2010, 08:37 PM
I see. Thank you very much for the answer.
I think the best way to do this is a team of moderators that do it manually, until us devs find a solution, maybe in collaboration with some Antivirus company.
Although a good example of how things should work could be the email attachment antivirus scan that Yahoo provides (Norton).
djr33
10-08-2010, 09:49 PM
For a temporary solution as I said you can just check what filetypes are contained within the zip: if you have any questionable types like exe, then forward that to a moderator. Not perfect, but reliable for now.
jscheuer1
10-09-2010, 10:36 AM
If you do have PHP, see:
http://us2.php.net/manual/ro/function.exec.php
With it you should be able to run command line unzipping and anti-virus software and get some kind of return value from them.
lucaaat
10-09-2010, 12:41 PM
This sounds interesting. I will see what I can do with it. Thanks
jscheuer1
10-10-2010, 03:14 AM
You're welcome. I've used it to run qqwing - a command line sudoku utility. It can output various things. But with a PHP page like:
<?php
exec('qqwing --generate --solution', $output);
echo '<pre>';
echo preg_replace('#^$#m', '<div style="display:none;">', implode("\n", $output));
echo '</div></pre>';
?>
You get a page in the browser that looks something like (the exact puzzle is different every time):
. . 7 | . . 8 | . . .
. 2 . | 5 . . | . . 7
. . 9 | 2 4 . | . . .
-------|-------|-------
4 9 . | . 8 . | 6 . .
. . 2 | . 5 . | . 8 .
. . . | . . 6 | 4 7 2
-------|-------|-------
. 6 . | . . . | . . 5
. 5 . | . 9 . | . . .
7 . . | 1 . . | . . .
and a display: none; div with this (the solution) in it:
5 4 7 | 3 6 8 | 1 2 9
8 2 6 | 5 1 9 | 3 4 7
3 1 9 | 2 4 7 | 5 6 8
-------|-------|-------
4 9 3 | 7 8 2 | 6 5 1
6 7 2 | 4 5 1 | 9 8 3
1 8 5 | 9 3 6 | 4 7 2
-------|-------|-------
9 6 1 | 8 7 4 | 2 3 5
2 5 8 | 6 9 3 | 7 1 4
7 3 4 | 1 2 5 | 8 9 6
The qqwing options are:
qqwing <options>
Sudoku solver and generator.
--generate <num> Generate new puzzles
--solve Solve all the puzzles from standard input
--difficulty <diff> Generate only simple,easy, intermediate, or expert
--puzzle Print the puzzle (default when generating)
--nopuzzle Do not print the puzzle (default when solving)
--solution Print the solution (default when solving)
--nosolution Do not print the solution (default when generating)
--stats Print statistics about moves used to solve the puzzle
--nostats Do not print statistics (default)
--count-solutions Count the number of solutions to puzzles
--nocount-solutions Do not count the number of solutions (default)
--history Print trial and error used when solving
--nohistory Do not print trial and error to solve (default)
--instructions Print the steps (at least 81) needed to solve the puzzle
--noinstructions Do not print steps to solve (default)
--log-history Print trial and error to solve as it happens
--nolog-history Do not print trial and error to solve as it happens
--one-line Print puzzles on one line of 81 characters
--compact Print puzzles on 9 lines of 9 characters
--readable Print puzzles in human readable form (default)
--csv Ouput CSV format with one line puzzles
--help Print this message
--about Author and license information
--version Display current version number
So you see that you can get the output from the program as specified by the options you invoke it with, and then 'massage' that output for your purposes.
For something like a command line anti-virus program, options might be something like (if it can scan inside of zipped files):
/scan /file:whatever.zip
If so you could do in your PHP page (if the program is called antivirus.exe):
<?php
$file = 'whatever.zip';
// escapeshellarg() quotes the name so it cannot add extra shell commands
exec('antivirus /scan /file:' . escapeshellarg($file), $output);
?>
You would then have the output in the $output variable. qqwing is incredibly fast, so for a scan, you might need something like usleep:
http://us2.php.net/manual/en/function.usleep.php
Perhaps (obviously untested):
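<?php
$file = 'whatever.zip';
exec('antivirus /scan /file:' . escapeshellarg($file), $output);
// exec() returns only after the command has finished, so $output is already set here
while (!isset($output)) usleep(10000);
// $output is an array with one element per line of the program's output
echo implode("\n", $output); // and/or do something else with the output
?>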
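The exec() approach from the post above, as an added example that is not part of the original thread, using the scanner's exit code as the verdict and writing the result to disk. It assumes ClamAV's clamscan is installed and on the PATH; the form field name "archive" and both file paths are assumptions.

```php
<?php
// Added example. Assumes ClamAV's clamscan is installed and on the PATH.
// clamscan exit codes: 0 = no virus found, 1 = virus found, 2 = error.
function scan_file(string $path): array
{
    if (!is_file($path)) {
        return ['status' => 'error', 'detail' => 'file not found'];
    }
    // escapeshellarg() keeps a hostile file name from adding shell commands.
    $cmd = 'clamscan --no-summary --infected ' . escapeshellarg($path) . ' 2>&1';
    // exec() blocks until the scanner exits, so no polling loop is needed.
    exec($cmd, $output, $code);
    if ($code === 0) {
        return ['status' => 'clean', 'detail' => ''];
    }
    if ($code === 1) {
        return ['status' => 'infected', 'detail' => implode("\n", $output)];
    }
    // A scanner failure is treated as a rejection, never as "clean".
    return ['status' => 'error', 'detail' => implode("\n", $output)];
}

// Usage in the form handler (field name and paths are assumptions):
$tmp = $_FILES['archive']['tmp_name'] ?? null;
if ($tmp !== null && is_uploaded_file($tmp)) {
    $result = scan_file($tmp);
    // Log the verdict with the file's hash rather than its user-supplied name.
    $line = date('c') . ' ' . $result['status'] . ' ' . hash_file('sha256', $tmp) . "\n";
    error_log($line, 3, '/var/log/upload-scan.log');
    if ($result['status'] === 'clean') {
        // Store under a server-chosen name, outside the web root.
        move_uploaded_file($tmp, '/srv/uploads/' . bin2hex(random_bytes(16)) . '.zip');
    } else {
        http_response_code(422);
        echo 'Upload rejected.';
    }
}
```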
lucaaat
10-10-2010, 09:34 AM
That's fantastic. I think I can work with that pretty well, legal stuff besides (I guess I will have to contact an antivirus company for the rights to use it online).
I could insert that exec in the validation process of the submitted form... Thanks man!
manuiet
11-02-2010, 02:18 PM
Hi,
In my application I have to upload documents, before uploading I want to scan for viruses. McAfee is installed on the server, I want to know how to trigger
(1) scanning from the server side code (i.e. command prompt scanning; basically I want code for writing a server side process to initiate command prompt scanning)
(2) after scanning, it should write somewhere in the disk that files are infected or not, how to achieve this.
Please help,
Thanks in advance
jscheuer1
11-02-2010, 04:14 PM
Does the McAfee that's installed on the server have a command line interface? If so, how would you enter it at the command line and how would the output look? Would it be output to the console as text, or would it invoke some sort of GUI?