[WEB SECURITY] Serverside Virus Scan

Ryan Barnett rcbarnett at gmail.com
Sun May 4 17:30:30 EDT 2008


If you front-end the app with ModSecurity, you can use the @inspectFile
operator to look at the file
(http://www.modsecurity.org/documentation/modsecurity-apache/2.5.2/modsecurity2-apache-reference.html#N11902).
When users upload a file (multipart/form-data) Mod will dump it to a
temporary file on disk and then you can plug in any script that you want to
analyze the file. Most people use a wrapper script to integrate with
something like ClamAV. Here is an example from the older Mod 1.9 docs
(http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/06-special_features.html#N1083F).

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

On Fri, May 2, 2008 at 4:24 PM, rajat karnwal <rajatpch at yahoo.com> wrote:

> Hi,
>   I have a requirement of doing server side virus
> scan and also need to check that the file extensions
> are not spoofed for the files uploaded. Max upload
> file size allowed will be a few MB. Application is in
> Java.
>   I know there are two approaches to achieve this:
> First Approach) Integrate virus scan with the
> application and do in memory scan
>
> Second Approach)  Download file into some secured area
> and then do virus scan. If file contains virus
> quarantine it.
>   What I am not sure is which approach is the
> preferred approach. What are the pros and cons of
> each.
>  Any help will be appreciated
> Regards,
> Rajat Karnwal
>
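
Added example, not part of the original message and not the script shipped with ModSecurity: a Python sketch of the kind of ClamAV wrapper that @inspectFile can call. ModSecurity passes the temporary file path as the first argument and reads the script's stdout; output starting with "1" means clean, and anything else makes the rule match. Assumptions: clamscan is on PATH, and the script path, rule id and 30-second timeout are hypothetical.

```python
#!/usr/bin/env python3
# Approver script for ModSecurity's @inspectFile (added example).
# Wiring sketch; the script path and rule id are hypothetical:
#   SecRule FILES_TMPNAMES "@inspectFile /opt/modsec/scan_upload.py" \
#       "id:900100,phase:2,t:none,deny,log"
import subprocess
import sys

# Assumption: clamscan is on PATH for the web server user.
SCANNER = ["clamscan", "--no-summary", "--stdout"]
TIMEOUT_SECONDS = 30  # assumed budget per upload


def verdict(path, scanner=SCANNER, timeout=TIMEOUT_SECONDS):
    """Return the line ModSecurity reads from stdout for one temp file.

    Output starting with "1" means clean; anything else makes the rule match.
    Every failure path returns "0 ..." so a broken scanner blocks uploads
    instead of silently letting them through.
    """
    try:
        proc = subprocess.run(scanner + [path], capture_output=True,
                              text=True, errors="replace", timeout=timeout)
    except OSError as exc:  # scanner missing or not executable
        return "0 scanner unavailable: %s" % exc.strerror
    except subprocess.TimeoutExpired:
        return "0 scanner timed out after %ds" % timeout

    # clamscan exit codes: 0 = no virus found, 1 = virus found, 2 = error.
    if proc.returncode == 0:
        return "1 clamscan: OK"
    if proc.returncode == 1:
        # Detection lines look like "<path>: <signature> FOUND".
        for line in proc.stdout.splitlines():
            if line.endswith(" FOUND"):
                name = line[: -len(" FOUND")].rsplit(": ", 1)[-1]
                return "0 clamscan: %s" % name
        return "0 clamscan: infected"
    return "0 clamscan: error (exit code %d)" % proc.returncode


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("0 usage: scan_upload.py <uploaded-temp-file>")
    else:
        print(verdict(sys.argv[1]))
```
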