Re: [WEB SECURITY] Serverside Virus Scan
- From: "Ryan Barnett" <rcbarnett@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Serverside Virus Scan
- Date: Sun, 4 May 2008 17:30:30 -0400
If you front-end the app with ModSecurity, you can use the @inspectFile
operator to look at the file
(http://www.modsecurity.org/documentation/modsecurity-apache/2.5.2/modsecurity2-apache-reference.html#N11902).
When users upload a file (multipart-form-data) Mod will dump it to a
temporary file on disk and then you can plug in any script that you want to
analyze the file. Most people use a wrapper script to integrate with
something like ClamAV. Here is an example from the older Mod 1.9 docs
(http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/06-special_features.html#N1083F).
--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
On Fri, May 2, 2008 at 4:24 PM, rajat karnwal <rajatpch@yahoo.com> wrote:
> Hi,
> I have a requirement of doing server side virus
> scan and also need to check that the file extensions
> are not spoofed for the files uploaded. Max upload
> file size allowed will be a few MB. Application is in
> Java.
> I know there are two approaches to achieve this:
> First Approach) Integrate virus scan with the
> application and do in memory scan
>
> Second Approach) Download file into some secured area
> and then do virus scan. If file contains virus
> quarantine it.
> What I am not sure is which approach is the
> preferred approach. What are the pros and cons of
> each.
> Any help will be appreciated
> Regards,
> Rajat Karnwal
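
The wrapper-script integration described in the reply above, as an added example (not taken from the post or from the ModSecurity documentation). It relies on @inspectFile treating output that starts with "1" as approval and on clamscan's exit codes (0 clean, 1 found, 2 error); the script path, the rule message and the SCANNER override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: approver script for ModSecurity's @inspectFile operator.
# Referenced from a rule such as (script path is a placeholder):
#   SecRequestBodyAccess On
#   SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/modsec-clamscan.sh" \
#       "phase:2,t:none,deny,status:403,log,msg:'Upload rejected by scanner'"
# ModSecurity passes the temporary upload path as $1 and reads the first
# character of the script's output: "1" approves the file, anything else
# makes the rule match.

# Scanner command line; overridable (assumed variable name) so the wrapper
# can be exercised without ClamAV installed.
SCANNER="${SCANNER:-clamscan --no-summary --stdout}"

inspect_verdict() {
    file="$1"
    # Fail closed: a missing or unreadable upload is never reported clean.
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "0 scan error: cannot read upload"
        return 0
    fi
    # Capture the exit status without tripping `set -e` in callers.
    rc=0
    out=$($SCANNER "$file" 2>&1) || rc=$?
    case "$rc" in
        0) echo "1 clamscan: OK" ;;
        1) # clamscan prints "<path>: <signature> FOUND"; log only the name.
           sig=$(printf '%s\n' "$out" |
                 sed -n 's/^.*: \(.*\) FOUND$/\1/p' | head -n 1)
           echo "0 clamscan: ${sig:-infected}" ;;
        *) # Scanner crash, bad database, timeout: reject rather than pass.
           echo "0 scan error: scanner exited with $rc" ;;
    esac
}

# Run as a script only when ModSecurity (or a user) supplies a file path.
if [ "$#" -gt 0 ]; then
    inspect_verdict "$1"
fi
```

The script only ever sees the temporary file, so an extension-versus-content check would need the original filename from the request and is not covered here.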