virus scan uploaded files

0
Our application facilitates upload of files (core functionality, used very frequently). We want to ensure that the uploaded files do not contain any viruses. What would be the recommended approach to take care of this? Note that the content of the files needs to be treated securely (so remote virus check is not allowed). Our application runs on premise (on Windows). Thanks.
asked
3 answers
1

We take care, first and foremost, to limit files to only the extensions we are expecting (definitely not exe's).

Secondly, we set our Anti-Virus to scan the upload folder as specified in the Console config. I don't think there is any way to scan it on the client machine, so it has to be uploaded to the server first.

answered
1

Quite some virus scanners have a decent API. In home.mendix.com, we added an attribute to our file documents, named 'VirusFree', which defaults to false. After upload we send it over using some Java API to a remote virus scanner (which scans the actual stream). After that process completes, we set the boolean to true. In the security constraint, we added a constraint that for all users, except the uploader, this boolean must be true before the file becomes visible.

This way we guarantee that all our uploads are virus-scanned and that nobody is able to see the file before it gets scanned (which might be an issue when using just a watch on the folder; the file might be there for a short amount of time before it gets scanned). If you need further details about which virus scanner is actually used, I'll look it up when I'm back at the office #aftermendixworld ;-)

answered
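
The flag-and-constraint pattern from the answer above, sketched in plain Java as an added example (not code from the post or from Mendix). `UploadGate`, `FileDoc`, `StreamScanner` and the toy scanners are hypothetical names; a real deployment would wrap its own antivirus product's stream-scanning API behind `StreamScanner`, which for the on-premise requirement in the question would be a local engine.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class UploadGate {
    /** Hypothetical abstraction over whichever scanner API is used. */
    interface StreamScanner { boolean isClean(InputStream content) throws IOException; }

    /** Stand-in for the file document entity carrying the 'VirusFree' attribute. */
    static class FileDoc {
        final String uploader;
        final byte[] content;
        boolean virusFree = false; // defaults to false, as in the answer
        FileDoc(String uploader, byte[] content) { this.uploader = uploader; this.content = content; }
    }

    /** Sets the flag only on an explicit clean verdict; any scanner failure keeps the file hidden. */
    static void scanAndRelease(FileDoc doc, StreamScanner scanner) {
        try (InputStream in = new ByteArrayInputStream(doc.content)) {
            doc.virusFree = scanner.isClean(in);
        } catch (IOException | RuntimeException e) {
            doc.virusFree = false; // fail closed: an unreachable scanner never releases a file
        }
    }

    /** Access rule: the uploader always sees the file, everyone else only after a clean scan. */
    static boolean canRead(FileDoc doc, String user) {
        return doc.virusFree || doc.uploader.equals(user);
    }

    public static void main(String[] args) {
        // Constructed toy scanners: one flags a harmless marker string, one simulates an outage.
        StreamScanner toy = in ->
            !new String(in.readAllBytes(), StandardCharsets.US_ASCII).contains("TEST-MARKER");
        StreamScanner down = in -> { throw new IOException("scanner unreachable"); };

        FileDoc clean = new FileDoc("alice", "quarterly report".getBytes(StandardCharsets.US_ASCII));
        FileDoc flagged = new FileDoc("alice", "xx TEST-MARKER xx".getBytes(StandardCharsets.US_ASCII));
        FileDoc pending = new FileDoc("alice", "meeting notes".getBytes(StandardCharsets.US_ASCII));

        scanAndRelease(clean, toy);
        scanAndRelease(flagged, toy);
        scanAndRelease(pending, down);

        System.out.println("clean, read by bob:     " + canRead(clean, "bob"));
        System.out.println("flagged, read by bob:   " + canRead(flagged, "bob"));
        System.out.println("pending, read by bob:   " + canRead(pending, "bob"));
        System.out.println("pending, read by alice: " + canRead(pending, "alice"));
    }
}
```

Because the flag starts as false and is raised only by a completed clean scan, a scanner outage delays visibility instead of exposing unscanned files.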
1

As mentioned in this forum post, please check out the new module in the Mendix Appstore.

answered