[clamav-users] Calm AV assistance

G.W. Haywood clamav at jubileegroup.co.uk
Sat Nov 6 01:15:08 UTC 2021


Hi there,

On Fri, 5 Nov 2021, Michael Pifer via clamav-users wrote:

> ...  users upload a file to our Windows servers.  Now maybe we save
> that to S3 and somehow pass the S3 URL or bucket/file to ClamAV to
> scan.  I don't know what's easiest to do. That or to forward that
> file from the Windows server to the ClamAV Linux server for
> scanning.

If you read the documentation you'll see that ClamAV runs on Windows.
If the upload server is a Windows box I'd suggest that it's simplest
to run ClamAV on the Windows server.  Having said that, Windows boxes
are the target of more malicious software than anything else, so you
might want the scanner to be hosted on a less attractive target.

> ... somehow, we need to take that uploaded file, save it somewhere
> that ClamAV can scan ...

If you give the ClamAV process(es) permission to read the uploaded
file then it can scan it in the Windows filesystem after uploading.
If you prefer, it could scan the data stream as it's being uploaded,
before it's even written to the filesystem.  Either way you probably
want to use a 'clamd' process (a daemon) to do the scanning.

You need to read the documentation.

> and let us know if it's bad or not.  If it's bad, we can delete it
> in our code.

That's up to you, but do please heed my warning about probabilities.
It is not safe to rely entirely on ClamAV to determine whether or not
an uploaded file is malicious.  There are services freely available on
the Web which will scan files using a dozen or more different scanning
engines.  I use such a service frequently to scan attachments in mail
sent to our servers.  None of the scan engines has a 100% success rate
and I have posted some of my observations of the performance of ClamAV
itself here on this list.  I think the performance of the best of the
scanners is in the region of 80% on a good day.  So even if you were
to use *all* the available scanners to scan *every* uploaded file, you
could probably expect to miss about one in five malicious uploads.

Speaking for myself, those numbers would be enough to make me dismiss
the idea as insane.

-- 

73,
Ged.
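
The stream scan through clamd mentioned in the message above, as an added example that is not part of the original post or of ClamAV's own code: it sends an upload to clamd with the INSTREAM command while it is being read and treats every failure as "not clean". The function names and the clamd address (TCPSocket on 127.0.0.1:3310) are assumptions.

```python
import socket
import struct

CHUNK = 8192  # chunk size; total size is capped by clamd's StreamMaxLength


def frame_instream(chunks):
    """Yield the bytes of one clamd INSTREAM session for an iterable of chunks."""
    yield b"zINSTREAM\0"                      # null-terminated command form
    for chunk in chunks:
        if chunk:                             # a zero-length chunk ends the stream
            yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)                # terminator


def parse_reply(raw):
    """Map clamd's reply to (verdict, detail); anything unexpected is 'error'."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        return "infected", text[:-len(" FOUND")].split(": ", 1)[-1]
    if text.endswith(": OK"):
        return "clean", ""
    return "error", text                      # size limit, empty reply, ...


def scan_stream(fileobj, host="127.0.0.1", port=3310, timeout=30.0):
    """Stream fileobj to clamd as it is read, before anything is written to disk."""
    chunks = iter(lambda: fileobj.read(CHUNK), b"")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            for part in frame_instream(chunks):
                sock.sendall(part)
            reply = b""
            while not reply.endswith(b"\0"):
                data = sock.recv(4096)
                if not data:
                    break
                reply += data
    except OSError as exc:                    # refused, reset, timed out
        return "error", str(exc)
    return parse_reply(reply)
```

The caller should accept the upload only on "clean" and reject on both "infected" and "error"; "clean" means only that no signature matched.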

