Changes for page ClamAV

From version 10.1
edited by fse
on 17.05.2022, 15:02
Change comment: Renamed from xwiki:Formcycle.PluginDocumentation.MalwareScannerPlugin.ClamAV.WebHome
To version 33.3
edited by jdr
on 23.11.2023, 14:38
Change comment: There is no comment for this version

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.fse
1 +XWiki.jdr
Content
... ... @@ -1,17 +1,34 @@
1 -[[**Plugin download**>>https://customer.formcycle.eu/index.php/apps/files/?dir=/FORMCYCLE%20-%20Plugins%20Customer/fc-plugin-malware-scanner/ClamAV&fileid=40404]]
1 +{{info}}
2 +{{version major="7" minor="0" patch="13" showInfo="true"}}
3 +This plugin can only be used with {{formcycle/}} Version 7.0.13 or higher.
4 +{{/version}}
5 +{{/info}}
2 2  
7 +[[**Plugin-Download**>>https://customer.formcycle.eu/index.php/apps/files/?dir=/FORMCYCLE%20-%20Plugins%20Customer/fc-plugin-malware-scanner/ClamAV&fileid=40404]] (requires login)
8 +
3 3  {{content/}}
4 4  
5 -{{figure image="en_plugin.png" width="600"}}
6 - A TCP connection must be set up to use the ClamAV-daemon service to scan the uploaded files.
7 -{{/figure}}
11 +With the free //ClamAV// plugin for {{formcycle/}} it is possible to scan uploaded files for viruses. For this purpose, this plugin establishes a connection to a //ClamAV// daemon service via TCP.
8 8  
9 -It is possible to use ClamAV to scan for malware in uploaded elements of the backend as well as of delivered forms. For this purpose, this plugin is required as an activated system plugin and a running ClamAV-daemon service that can be accessed via TCP.
13 +== Functionality ==
10 10  
11 -After this plugin has been installed, it must be configured. The configuration consists of specifying which {{smallcaps}}host:port{{/smallcaps}} combination is to be used. Furthermore, the transfer can be done with a {{smallcaps}}InputStream{{/smallcaps}} or working straight on the path.
15 +; Immediate virus scan
16 +: Each file is scanned immediately after upload.
12 12  
13 -== Configuration ==
18 +The used //ClamAV//-daemon service can neither be configured nor started by this plugin.
14 14  
20 +== Installation ==
21 +
22 +The installation of the plugin has to be carried out via the interface of plugins provided for this purpose. Only the corresponding //jar// file has to be installed.
23 +
24 +{{info}}
25 + The //ClamAV// plug-in scans files in backend and fronted. To be always available to all users it is advisable to install the plugin as a system plugin. This also avoids possible problems with double-used ports and enables a central configuration.
26 +{{/info}}
27 +
28 +== Plugin configuration ==
29 +
30 +After saving, a ping test is automatically performed. If this fails, a message will be displayed. In this case all uploads in the backend or in the form will be marked as faulty - the plugin should be deactivated first and a working connection should be established.
31 +
15 15  {{figure image="en_error.png" width="400"}}
16 16   If no connection can be established to the specified host, this message is displayed.
17 17  {{/figure}}
... ... @@ -19,39 +19,132 @@
19 19  The following configuration parameters exist:
20 20  
21 21  ; host (Required)
22 -: Host name or IP address of the server running ClamAV-daemon, {{smallcaps}}127.0.0.1{{/smallcaps}} if the service is running on the same server as {{formcycle/}}.
23 -; port
24 -: The default port of ClamAV-daemon is {{smallcaps}}3310{{/smallcaps}}. If the port is different, it must be specified here.
25 -; file-source
26 -: By default, the element to be checked is transferred via Java's {{smallcaps}}InputStream{{/smallcaps}}. If the value {{smallcaps}}path{{/smallcaps}} is entered here, the path is used directly - whereby the ClamAV-daemon service must have root rights.
39 +: Default value: //127.0.0.1//. Specifies the //IP// address of the //ClamAV//-daemon service to be used. The default value is //127.0.0.1// and thus uses a local //ClamAV//-daemon service.
40 +; port (Required)
41 +: Default value: //3310//. Specifies the port of the //ClamAV//-daemon service to use. The default value should only be changed if this port is not available.
42 +; os (Optional)
43 +: Default value: //JVM_PLATFORM//. Operating system on which the ClamAV daemon service is running. This value is only relevant if the operating system of formcycle and that of the ClamAV daemon service are different. For Linux or MacOS enter //UNIX//, for Windows enter //WINDOWS//. If both are running on the same operating system, you can leave this value blank or use //JVM_PLATFORM//.
27 27  
28 -After saving, a ping test is automatically executed. If this fails, a corresponding message is displayed. In this case, all uploads in the backend or in the form are marked as faulty - the plugin should first be deactivated and a functioning connection established.
45 +{{info}}
46 +//ClamAV// is intended to run on Linux-based servers. Therefore, we cannot guarantee any other support.
47 +{{/info}}
29 29  
30 -== ClamAV settings ==
49 +== Configuration //ClamAV// ==
31 31  
32 -The following section describes important configuration steps of ClamAV-daemon. In this scenario, {{formcycle/}} is installed on a Debian based server and the ClamAV-daemon service is running on the same system.
51 +The following section discusses installation and configuration of //ClamAV//. Our recommended scenario is to install {{formcycle/}} and the //ClamAV//-daemon service on the same server.
33 33  
34 -Since the actual virus scanning takes place separately from {{formcycle/}}, take care to keep the virus signature database up-to-date via {{smallcaps}}freshclam{{/smallcaps}}.
53 +=== Installation ===
35 35  
36 -This plugin transmits the elements to be examined via TCP, which is deactivated by default in ClamAV-daemon. To enable it, the configuration file: {{smallcaps}}/etc/clamav/clamd.conf{{/smallcaps}} has to be edited.
55 +To install //ClamAV// on a server, the following commands should be entered on the server.
37 37  
38 -The following parameters have to be added to the file:
57 +//ClamAV// is the program that can scan files for viruses and is required for the use of //ClamAV//-daemon.
39 39  
40 -; TCPAddr (Required)
41 -: Shall be added and specified with the value {{smallcaps}}127.0.0.1{{/smallcaps}}.
42 -; TCPSocket (Required)
43 -: Shall be added and specified with the value {{smallcaps}}3310{{/smallcaps}} or different, if the port is occupied.
44 -; User
45 -: By default this is {{smallcaps}}clamav{{/smallcaps}} and has to be changed to {{smallcaps}}root{{/smallcaps}} to give root rights to the ClamAV-daemon service.
59 +; Update the package list:
60 +; {{code language="shell"}} sudo apt-get update {{/code}}
46 46  
47 -{{figure image="en_tcp_test.png"}}
48 - With the help of {{smallcaps}}netstat{{/smallcaps}} the TCP socket of the ClamAV-daemon service can be examined.
49 -{{/figure}}
62 +; Install //ClamAV// and //ClamAV//-daemon:
63 +; {{code language="shell"}} sudo apt-get install clamav clamav-daemon -y {{/code}}
50 50  
51 -In order for this plugin to address the ClamAV-daemon service, the service has to be listening in the right place - in this case at {{smallcaps}}127.0.0.1:3310{{/smallcaps}}. This can be checked by the following command in the terminal:
65 +=== Update the virus signature database ===
52 52  
53 -{{code language="shell"}}
54 -sudo netstat -anp | grep -E "(clam)"
55 -{{/code}}
67 +//freshclam// is automatically installed with //ClamAV// and is used to update the virus signature database.
56 56  
69 +; Terminate the automatic //freshclam// process:
70 +; {{code language="shell"}} sudo systemctl stop clamav-freshclam {{/code}}
57 57  
72 +; Manually update virus signature database:
73 +; {{code language="shell"}} sudo freshclam {{/code}}
74 +
75 +=== Configuration //ClamAV//-daemon ===
76 +
77 +//ClamAV//-daemon is the process running in the background on the server, which is addressed for the virus scan. This is done via TCP and must be configured accordingly.
78 +
79 +For this purpose, the configuration file under: // /etc/clamav/clamd.conf // should be adapted.
80 +
81 +Open the configuration file:
82 +
83 +; {{code language="shell"}} sudo nano /etc/clamav/clamd.conf {{/code}}
84 +
85 +Use the arrow keys to navigate to the end of the file.
86 +
87 +; Add //TCPAddr 127.0.0.1 //
88 +; Add //TCPSocket 3310 //
89 +
90 +{{lightbox image="en_clamd.conf.png"/}}
91 +
92 +; Specify root rights for //ClamAV//-daemon
93 +: To do this, the row //User clamav// has to be changed to //User root// in this file.
94 +
95 +Now you can save and exit with //Ctrl + X//. Confirm with //Y// and the Enter key.
96 +
97 +=== Starting the //ClamAV//-daemon Service ===
98 +
99 +Now the service can be started.
100 +
101 +: Start the //ClamAV//-daemon Service:
102 +; {{code language="shell"}} sudo systemctl start clamav-daemon.service {{/code}}
103 +
104 +=== Checking the availability of the service ===
105 +
106 +In order for this plugin to be able to address the //ClamAV//-daemon service, the service must be listening in the right place - in this case at //127.0.0.1:3310//. This can be checked in the server's terminal.
107 +
108 +Using //netstat// the TCP socket of the //ClamAV//-daemon service can be examined.
109 +
110 +; {{code language="shell"}} sudo netstat -anp | grep -E "(clam)" {{/code}}
111 +
112 +{{lightbox image="en_tcp_test.png"/}}
113 +
114 +If no line starting with //tcp// is seen or a different //host:port// combination is seen as //127.0.0.1:3310//, the configuration has to be checked again.
115 +
116 +== Example configuration ==
117 +
118 +An example configuration with the above default values:
119 +
120 +{{lightbox image="en_plugin.png"/}}
121 +
122 +== Usage ==
123 +
124 +As soon as a virus signature has been detected, the following message is displayed:
125 +
126 +{{lightbox image="en_virus_found.png"/}}
127 +
128 +=== Test file ===
129 +
130 +A common method for checking virus scanners is the //eicar.com// file.
131 +At any point this test file can be uploaded and after successful configuration the message shown above should be seen.
132 +
133 +; [[**Wikipedia**>>https://de.wikipedia.org/wiki/EICAR-Testdatei]]
134 +; [[**Download**>>https://www.eicar.org/download-anti-malware-testfile/]]
135 +
136 +=== Logging ===
137 +
138 +//ClamAV// creates logs which can be found under // /var/log/clamav/clamav.log //.
139 +
140 +For example, after uploading the //eicar.com// test file, the following entry can be seen in //clamav.log //:
141 +
142 +; {{code language="shell"}} Wed May 25 10:10:21 2022 -> instream(127.0.0.1@32984): Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND {{/code}}
143 +
144 +{{formcycle/}} logs can be found for this at // /formcycle-data/formcycle7/logs //.
145 +
146 +After uploading the //eicar.com// test file, for example, the following entry can be seen in //formcycle-errors-log //:
147 +
148 +; {{code language="shell"}} [WARN] [25-05-22 10:10:21,192] [ajp-nio-127.0.0.1-8009-exec-43] (MalwareScanner.java:211) - Scanner <fc.plugin.malware.scanner.clamAV. ClamAntiVirusFileScanner@7b2a4953> detected malware signature for file </home/fc/tomcat9/tmp/xima-temp/formcycle7/xfc-malware-scan/stream-scan12705251110052849842/data2383296604287452271>: {stream=[Win.Test.EICAR_HDB-1]} {{/code}}
149 +; {{code language="shell"}} [ERROR] [25-05-22 10:10:21,207] [ajp-nio-127.0.0.1-8009-exec-43] (VirusScannerService.java:71) - Detected a virus {{/code}}
150 +
151 +== Version history ==
152 +
153 +=== Version 1.0.3 ===
154 +
155 +* Change: The plugin is synchronized with the frontend server when one is available. This allows for malware scanning when using a frontend server.
156 +
157 +=== Version 1.0.2 ===
158 +
159 +* Remove: property for path scanning, only InputStream now.
160 +
161 +=== Version 1.0.1 ===
162 +
163 +* Fix: Skip scanning if operating system is not UNIX instead of detecting the file as a virus.
164 +
165 +=== Version 1.0.0 ===
166 +
167 +* Initial release
de_plugin.png
Size
... ... @@ -1,1 +1,1 @@
1 -60.3 KB
1 +37.5 KB
Content
en_error.png
Size
... ... @@ -1,1 +1,1 @@
1 -5.5 KB
1 +7.1 KB
Content
en_plugin.png
Size
... ... @@ -1,1 +1,1 @@
1 -53.6 KB
1 +33.0 KB
Content
en_tcp_test.png
Size
... ... @@ -1,1 +1,1 @@
1 -5.7 KB
1 +16.7 KB
Content
de_error.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.fse
Size
... ... @@ -1,0 +1,1 @@
1 +7.9 KB
Content
de_tcp_test.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.fse
Size
... ... @@ -1,0 +1,1 @@
1 +17.6 KB
Content
de_virus_found.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.fse
Size
... ... @@ -1,0 +1,1 @@
1 +11.4 KB
Content
en_clamd.conf.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.fse
Size
... ... @@ -1,0 +1,1 @@
1 +16.4 KB
Content
en_virus_found.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.fse
Size
... ... @@ -1,0 +1,1 @@
1 +9.6 KB
Content