
Thread: Live Antivirus Scan for file upload

  1. #1

    Hello people!
    Without going too much into detail: I am working on a website where users can upload files. These files are zipped, so no single images or such.

    I want to scan these files for malicious contents when the user uploads them to the server via a form.

    Could you enlighten me a bit on this topic which I know few things about and point me to some web resources to solve my problem?

  2. #2

    That's very complex.

    First, you will need some sort of serverside language like PHP that can unzip the files and look through the contents.

    The easiest way is to check filenames: if the contents are only .jpg and .txt, then there probably* isn't any malicious content in there. If there are .exe files, then you should probably block it.

    It is VERY difficult to actually check what files contain. You'd probably need a database of known viruses and that wouldn't catch unknown viruses. One option would be to try to run a virus scan (from commercial software) dynamically via the PHP script. That sounds complex, but it may also be the only way to really check the contents.

    *Another problem is that you can rename a virus from .exe to .txt and it can then be renamed again to .exe. This usually will be with files that users are intentionally exchanging, rather than a virus that wouldn't be expected. There are some occasions however where an altered filename may not prevent a virus from running-- rare, but theoretically possible depending on how the file is loaded. Also, if you do take the approach of checking file extensions, you will need to think of every possible file extension that might be malicious, or you could just create a list of approved file types. That's more secure, but more limiting for users as well.

    Another way to approach it would be to try to actually figure out what kind of file it is: see if the extension matches the content. There are limited ways to do this aside from actually opening the file to test it (and in theory you could do that with certain file types), but one for PHP is the finfo() function library. Basically it checks some of the data in the file and guesses about what type it probably is-- just a "best guess" but in most cases should be fairly reliable.


    I don't know how major companies handle this, but I do know that gmail blocks any zip attachments that contain exe files. So that approach is clearly used by at least one of the major companies, so it's probably something to consider.
    Daniel - Freelance Web Design | <?php?> | <html> | español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  3. The Following User Says Thank You to djr33 For This Useful Post:

    lucaaat (10-09-2010)
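
Added example (not part of the thread): the allow-list and finfo checks described in post #2, applied to every entry of an uploaded zip, including the case of an executable renamed to .txt. The allow-list contents, the 4096-byte sniff size and the sample archive are assumptions made for illustration.

```php
<?php
// Added example: check each zip entry's extension against an allow-list and
// compare it with the type finfo sniffs from the entry's first bytes.
const ALLOWED = [
    'jpg' => ['image/jpeg'],
    'txt' => ['text/plain'],
];

function inspect_zip(string $zipPath, array $allowed = ALLOWED): array
{
    $problems = [];
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['archive could not be opened'];   // fail closed
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (substr($name, -1) === '/') {
            continue;                              // directory entry
        }
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!isset($allowed[$ext])) {
            $problems[] = "$name: extension not on the allow-list";
            continue;
        }
        // Read only the head of the entry: enough for finfo, cheap on huge entries.
        $stream = $zip->getStream($name);
        $head = $stream ? (string) fread($stream, 4096) : '';
        if ($stream) { fclose($stream); }
        $mime = $finfo->buffer($head);
        if (!in_array($mime, $allowed[$ext], true)) {
            $problems[] = "$name: content looks like $mime, not .$ext";
        }
    }
    $zip->close();
    return $problems;                              // empty array = nothing flagged
}

// Constructed sample: an honest text file, an .exe, and an executable renamed to .txt.
$path = tempnam(sys_get_temp_dir(), 'zip');
$zip = new ZipArchive();
$zip->open($path, ZipArchive::OVERWRITE);
$zip->addFromString('notes.txt', "meeting notes\n");
$zip->addFromString('setup.exe', "MZ\x90\x00\x03\x00\x00\x00");
$zip->addFromString('readme.txt', "MZ\x90\x00\x03\x00\x00\x00");
$zip->close();
print_r(inspect_zip($path));
unlink($path);
```

An unreadable or encrypted entry yields an empty head, which finfo does not report as an allowed type, so it is flagged rather than passed.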

  4. #3

    I see. Thank you very much for the answer.
    I think the best way to do this is a team of moderators that do it manually, until us devs find a solution, maybe in collaboration with some Antivirus company.

    Although a good example of how things should work could be the email attachment antivirus scan that Yahoo provides (Norton).

  5. #4

    For a temporary solution as I said you can just check what filetypes are contained within the zip: if you have any questionable types like exe, then forward that to a moderator. Not perfect, but reliable for now.

  6. #5

    If you do have PHP, see:

    http://us2.php.net/manual/ro/function.exec.php

    With it you should be able to run command line unzipping and anti-virus software and get some kind of return value from them.
    - John
    ________________________

    Show Additional Thanks: International Rescue Committee - Donate or: The Ocean Conservancy - Donate or: PayPal - Donate

  7. The Following User Says Thank You to jscheuer1 For This Useful Post:

    lucaaat (10-09-2010)

  8. #6

    Quote, originally posted by jscheuer1:
    If you do have PHP, see:

    http://us2.php.net/manual/ro/function.exec.php

    With it you should be able to run command line unzipping and anti-virus software and get some kind of return value from them.

    This sounds interesting. I will see what I can do with it. Thanks

  9. #7

    You're welcome. I've used it to run qqwing - a command line sudoku utility. It can output various things. But with a PHP page like:

    PHP Code:
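    <?php
    // Run qqwing and collect its output, one array element per line
    exec('qqwing --generate --solution', $output);
    echo '<pre>';
    // The first empty line separates puzzle from solution; open the hidden div there
    echo preg_replace('#^$#m', '<div style="display:none;">', implode("\n", $output));
    echo '</div></pre>';
    ?>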
    You get a page in the browser that looks something like (the exact puzzle is different every time):

    Code:
     . . 7 | . . 8 | . . .
     . 2 . | 5 . . | . . 7
     . . 9 | 2 4 . | . . .
    -------|-------|-------
     4 9 . | . 8 . | 6 . .
     . . 2 | . 5 . | . 8 .
     . . . | . . 6 | 4 7 2
    -------|-------|-------
     . 6 . | . . . | . . 5
     . 5 . | . 9 . | . . .
     7 . . | 1 . . | . . .
    and a display: none; div with this (the solution) in it:

    Code:
     5 4 7 | 3 6 8 | 1 2 9
     8 2 6 | 5 1 9 | 3 4 7
     3 1 9 | 2 4 7 | 5 6 8
    -------|-------|-------
     4 9 3 | 7 8 2 | 6 5 1
     6 7 2 | 4 5 1 | 9 8 3
     1 8 5 | 9 3 6 | 4 7 2
    -------|-------|-------
     9 6 1 | 8 7 4 | 2 3 5
     2 5 8 | 6 9 3 | 7 1 4
     7 3 4 | 1 2 5 | 8 9 6
    The qqwing options are:

    Code:
    qqwing <options>
    Sudoku solver and generator.
      --generate <num>     Generate new puzzles
      --solve              Solve all the puzzles from standard input
      --difficulty <diff>  Generate only simple,easy, intermediate, or expert
      --puzzle             Print the puzzle (default when generating)
      --nopuzzle           Do not print the puzzle (default when solving)
      --solution           Print the solution (default when solving)
      --nosolution         Do not print the solution (default when generating)
      --stats              Print statistics about moves used to solve the puzzle
      --nostats            Do not print statistics (default)
      --count-solutions    Count the number of solutions to puzzles
      --nocount-solutions  Do not count the number of solutions (default)
      --history            Print trial and error used when solving
      --nohistory          Do not print trial and error to solve (default)
      --instructions       Print the steps (at least 81) needed to solve the puzzle
      --noinstructions     Do not print steps to solve (default)
      --log-history        Print trial and error to solve as it happens
      --nolog-history      Do not print trial and error  to solve as it happens
      --one-line           Print puzzles on one line of 81 characters
      --compact            Print puzzles on 9 lines of 9 characters
      --readable           Print puzzles in human readable form (default)
      --csv                Ouput CSV format with one line puzzles
      --help               Print this message
      --about              Author and license information
      --version            Display current version number
    So you see that you can get the output from the program as specified by the options you invoke it with, and then 'massage' that output for your purposes.

    For something like a command line anti-virus program, options might be something like (if it can scan inside of zipped files):

    Code:
    /scan /file:whatever.zip
    If so you could do in your PHP page (if the program is called antivirus.exe):

    PHP Code:
    <?php
    $file = 'whatever.zip';
    // escapeshellarg() keeps a hostile file name from being parsed by the shell
    exec('antivirus /scan /file:' . escapeshellarg($file), $output);
    ?>
    You would then have the output in the $output variable. qqwing is incredibly fast, so for a scan, you might need something like usleep:

    http://us2.php.net/manual/en/function.usleep.php

    Perhaps (obviously untested):

    PHP Code:
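    <?php
    $file = 'whatever.zip';
    // escapeshellarg() keeps a hostile file name from being parsed by the shell
    exec('antivirus /scan /file:' . escapeshellarg($file), $output);
    // exec() returns only after the command exits, so $output is already set here
    while (!isset($output)) usleep(10000);
    echo implode("\n", $output); // and/or do something else with the output
    ?>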
    - John
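
Added example (not part of the thread or any poster's code): the exec() approach from posts #5 and #7 placed in the upload validation step, reading the scanner's exit status and refusing anything that is not explicitly clean. It assumes ClamAV's clamscan as the command-line scanner (exit status 0 clean, 1 infected, 2 error); the form field name `archive` and the destination directory are hypothetical.

```php
<?php
// Added example. Assumes clamscan is on PATH; any other command-line scanner
// works the same way once its exit codes are mapped in scan_file().

function scan_file(string $path, string $scanner = 'clamscan'): array
{
    $output = [];
    $exit = -1;
    // escapeshellarg() stops a hostile file name from being parsed as shell syntax.
    $cmd = escapeshellcmd($scanner) . ' --no-summary ' . escapeshellarg($path) . ' 2>&1';
    exec($cmd, $output, $exit);          // blocks until the scanner exits
    switch ($exit) {
        case 0:  $verdict = 'clean';    break;
        case 1:  $verdict = 'infected'; break;
        default: $verdict = 'error';    // scanner missing, crashed or misconfigured
    }
    return ['verdict' => $verdict, 'exit' => $exit, 'log' => implode("\n", $output)];
}

function handle_upload(array $file, string $destDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return 'rejected: upload failed';
    }
    $result = scan_file($file['tmp_name']);
    if ($result['verdict'] !== 'clean') {
        // Fail closed: anything other than an explicit "clean" is refused.
        error_log("upload refused ({$result['verdict']}): {$result['log']}");
        return 'rejected: ' . $result['verdict'];
    }
    // Store under a server-generated name, never the client-supplied one.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.zip';
    return move_uploaded_file($file['tmp_name'], $dest) ? 'stored' : 'rejected: move failed';
}

// Hypothetical form field "archive" and storage directory outside the web root.
if (isset($_FILES['archive'])) {
    echo handle_upload($_FILES['archive'], '/var/uploads/quarantine');
}
```

If the scanner is not installed the shell returns a non-zero status other than 1, so the upload is treated as an error and refused instead of being stored unscanned.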

  10. #8

    That's fantastic. I think I can work with that pretty well, legal stuff besides (I guess I will have to contact an antivirus company for the rights to use it online).
    I could insert that exec in the validation process of the submitted form... Thanks man!

  11. #9

    Virus Scan during file Upload in asp.net c#.net

    Hi,

    In my application I have to upload documents; before uploading I want to scan for viruses. McAfee is installed on the server. I want to know how to trigger

    (1) scanning from the server-side code (i.e. command prompt scanning; basically I want code for writing a server-side process to initiate command prompt scanning)
    (2) after scanning, it should write somewhere on the disk whether the files are infected or not. How do I achieve this?

    Please help,
    Thanks in advance

  12. #10

    Does the McAfee that's installed on the server have a command line interface? If so, how would you enter it at the command line and how would the output look? Would it be output to the console as text, or would it invoke some sort of GUI?
    - John
