Discussion:
AV scanning for file uploads
Cristian Bichis
2014-03-28 10:27:15 UTC
Hi,

I am interested in what solutions you guys are using for AV scanning of
uploaded files (uploaded through PHP).

To start, I am analyzing ClamAV options. Target OS is Linux / Debian.
PHP version for the app is 5.4/5.5.

1. I made some tests for an app and it seems using the php-clamav extension
(http://php-clamav.sourceforge.net/) is a no-go because of out-of-limit
RAM/CPU usage and overall scan time.

2. Another solution is to use on-demand clamdscan, which works much
better as it uses clamd. However, there could be some issues I haven't
tested yet:
* if at the same time as scanning there is an HTTP request for that
file, what happens?
* if at the same time as scanning by PHP there is a move operation on
that file, I am not sure what happens

3. I am reviewing on-access Clamuko as well. Is this supposed to work
properly within an uploads folder (where files could be moving in and out)?


Cristian
Gabe
2014-03-28 10:33:32 UTC
I personally recommend Sophos, this has worked well in our production
environment.

Cheers

Gabe

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Cristian Bichis
2014-03-28 10:39:04 UTC
Hi,

How do you use Sophos for your app?
1. A PHP extension (is there such an extension?) called on-demand?
2. On-demand from the CLI (or using shell_execute)?
3. On-access scanning?

Cristian
Gabe
2014-03-28 11:00:07 UTC
Hi Cristian

Nothing special, it just runs as a daemon and is configured for
on-access scanning. I set up a whole bunch of directories to exclude (like
MySQL data directories), but ensured that temp directories and PHP
session directories are included. Over the years it has quarantined
plenty of questionable uploads.

You'll have to buy a license for Sophos, which can be a pain/expensive,
but I suspect ClamAV could work in just the same way; I just can't vouch
for its effectiveness because I have not used it in production.

Cheers

Gabe

Cristian Bichis
2014-03-28 11:08:09 UTC
Hi Gabe,

You didn't have any problems with on-access scanning while at the same time
doing HTTP delivery of these files, or moving them around?

I guess on-access scanning works by only scanning when there is a new
file or when an existing file is modified, not actually at read access?

Cristian
Carsten Jensen
2014-03-28 11:26:48 UTC
On-access scanning
The Pros:
Letting the antivirus on the OS scan, either on-access or on-demand,
gives the opportunity to set up group-based rules.

You don't need to code a function to handle the scanning,
and that function won't break if for some reason the API is changed.

The Con:
If the antivirus quarantines/deletes an infected file after you've
registered the upload (i.e. into a database), you'll have inconsistencies.

I can only speak of experiences with antivirus products,
and there's one that I've always had bad experiences with,
and that was Panda. I haven't worked with Panda in many years now,
so it could be a good product these days.

That being said, depending on the use of your target audience, ClamAV is
quite capable as an antivirus product.

cheers
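One way to act on the two concerns raised in the thread (Cristian's question about an HTTP request or a move racing the scan, and Carsten's point about the database going inconsistent when AV quarantines a file after it was registered): scan the upload with on-demand clamdscan while it is still in PHP's private temp location, and only move it into the served uploads directory and record it after a clean verdict. This is an added example, not code from anyone in the thread; it assumes clamd is running locally and clamdscan is on PATH, and the function names scanWithClamd and acceptUpload are chosen here.

```php
<?php
// Added example (not from the thread): scan the upload while it is still in
// PHP's private temp location, so no HTTP request or move can touch it
// mid-scan, and let the caller write the DB row only after a clean verdict.
// Assumes clamd is running locally and clamdscan is on PATH; --fdpass hands
// clamd an open descriptor so it can read the 0600 temp file PHP creates
// even though clamd runs as a different user.

/**
 * Run clamdscan on one file and map its exit code to a verdict.
 * clamdscan exit codes: 0 = clean, 1 = infected, 2 = error.
 */
function scanWithClamd($path, &$detail = null)
{
    $cmd = 'clamdscan --fdpass --no-summary ' . escapeshellarg($path) . ' 2>&1';
    $output = array();
    $exitCode = 2;               // if exec() itself fails, treat as error
    exec($cmd, $output, $exitCode);
    $detail = implode("\n", $output);
    if ($exitCode === 0) {
        return 'clean';
    }
    return $exitCode === 1 ? 'infected' : 'error'; // clamd down, no permission, ...
}

/**
 * Handle one $_FILES entry. Fails closed: anything other than a definite
 * 'clean' verdict means the file is never moved into $uploadsDir.
 */
function acceptUpload(array $file, $uploadsDir)
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return array('ok' => false, 'reason' => 'invalid upload');
    }
    $verdict = scanWithClamd($file['tmp_name'], $detail);
    if ($verdict !== 'clean') {
        // PHP deletes the temp file at request end; nothing to roll back
        // because no DB row has been written yet.
        return array('ok' => false, 'reason' => $verdict, 'detail' => $detail);
    }
    // Server-chosen name so the client-supplied filename never hits the disk.
    $dest = rtrim($uploadsDir, '/') . '/' . bin2hex(openssl_random_pseudo_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return array('ok' => false, 'reason' => 'move failed');
    }
    // Only now should the caller insert the upload record into the database.
    return array('ok' => true, 'path' => $dest, 'original_name' => $file['name']);
}
```

Call acceptUpload($_FILES['upload'], '/var/www/uploads') from the upload handler; if clamd is stopped the verdict is 'error' and the upload is rejected rather than silently accepted.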