Changes for page ClamAV

From 22.1 to 23.1 From 24.1 to 25.1

From version 23.1

edited by fse
on 25.05.2022, 11:55

Change comment: Neues Bild de_plugin.png hochladen

To version 24.1

edited by fse
on 25.05.2022, 15:56

Change comment: There is no comment for this version

Raw
Rendered

Summary

Page properties (1 modified, 0 added, 0 removed)

Details

Page properties

Content

@@ -1,19 +1,34 @@
  {{info}}
  {{version major="7" minor="0" patch="13" showInfo="true"}}
--This plugin can only be used with {{formcycle/}} version 7.0.13 or higher.
++This plugin can only be used with {{formcycle/}} Version 7.0.13 or higher.
  {{/version}}
  {{/info}}
--[[**Plugin download**>>https://customer.formcycle.eu/index.php/apps/files/?dir=/FORMCYCLE%20-%20Plugins%20Customer/fc-plugin-malware-scanner/ClamAV&fileid=40404]] (Requires login)
++[[**Plugin-Download**>>https://customer.formcycle.eu/index.php/apps/files/?dir=/FORMCYCLE%20-%20Plugins%20Customer/fc-plugin-malware-scanner/ClamAV&fileid=40404]] (requires login)
  {{content/}}
--Uploaded files can be checked for viruses via the plug-in. For this purpose, this plugin is required as an activated system plugin and a running ClamAV-daemon service that can be accessed via TCP.
++With the free //ClamAV// plugin for {{formcycle/}} it is possible to scan uploaded files for viruses. For this purpose, this plugin establishes a connection to a //ClamAV// daemon service via TCP.
--After this plugin has been installed, it must be configured. The configuration consists of specifying which {{smallcaps}}host:port{{/smallcaps}} combination is to be used. Furthermore, the transfer can be done with a {{smallcaps}}InputStream{{/smallcaps}} or working straight on the path.
++== Functionality ==
--== Configuration ==
++; Immediate virus scan
++: Each file is scanned immediately after upload.
++The used //ClamAV//-daemon service can neither be configured nor started by this plugin.
++
++== Installation ==
++
++The installation of the plugin has to be carried out via the interface of plugins provided for this purpose. Only the corresponding //jar// file has to be installed.
++
++{{info}}
++  The //ClamAV// plug-in scans files in backend and fronted. To be always available to all users it is advisable to install the plugin as a system plugin. This also avoids possible problems with double-used ports and enables a central configuration.
++{{/info}}
++
++== Plugin configuration ==
++
++After saving, a ping test is automatically performed. If this fails, a message will be displayed. In this case all uploads in the backend or in the form will be marked as faulty - the plugin should be deactivated first and a working connection should be established.
++
  {{figure image="en_error.png" width="400"}}
    If no connection can be established to the specified host, this message is displayed.
  {{/figure}}
@@ -21,39 +21,122 @@
  The following configuration parameters exist:
  ; host (Required)
--: Host name or IP address of the server running ClamAV-daemon. The standard port is {{smallcaps}}127.0.0.1{{/smallcaps}}, since ClamAV-daemon should be running on the same server as {{formcycle/}}.
++: Default value: //127.0.0.1//. Specifies the //IP// address of the //ClamAV//-daemon service to be used. The default value is //127.0.0.1// and thus uses a local //ClamAV//-daemon service.
  ; port (Required)
--: The default port of ClamAV-daemon is {{smallcaps}}3310{{/smallcaps}}. If the port is different, it must be specified here.
++: Default value: //3310//. Specifies the port of the //ClamAV//-daemon service to use. The default value should only be changed if this port is not available.
  ; file-source
--: By default, the element to be checked is transferred via Java's {{smallcaps}}InputStream{{/smallcaps}}. If the value {{smallcaps}}path{{/smallcaps}} is entered here, the path is used directly - whereby the ClamAV-daemon service must have root rights.
++: If the value //stream// is entered here (default value), the data of the file to be checked will be transferred directly to the //ClamAV//-daemon service. If the value //path// is entered here, scanning is done directly on the path - whereby the //ClamAV//-daemon service must have root rights for this.
--After saving, a ping test is automatically executed. If this fails, a corresponding message is displayed. In this case, all uploads in the backend or in the form are marked as faulty - the plugin should first be deactivated and a functioning connection established.
++{{info}}
++//ClamAV// is intended to run on Linux-based servers. Therefore, we cannot guarantee any other support.
++{{/info}}
--== ClamAV settings ==
--The following section discusses important configuration steps of ClamAV-Daemon. Our recommended scenario is to install {{formcycle/}} and the ClamAV-Daemon service on the same server.
++== Configuration //ClamAV// ==
--Since the actual virus scanning takes place separately from {{formcycle/}}, take care to keep the virus signature database up-to-date via {{smallcaps}}freshclam{{/smallcaps}}.
++The following section discusses installation and configuration of //ClamAV//. Our recommended scenario is to install {{formcycle/}} and the //ClamAV//-daemon service on the same server.
--This plugin transmits the elements to be examined via TCP, which is deactivated by default in ClamAV-daemon. To enable it, the configuration file: {{smallcaps}}/etc/clamav/clamd.conf{{/smallcaps}} has to be edited.
++=== Installation ===
--The following parameters have to be added to the file:
++To install //ClamAV// on a server, the following commands should be entered on the server.
--; TCPAddr (Required)
--: Shall be added and specified with the value {{smallcaps}}127.0.0.1{{/smallcaps}}.
--; TCPSocket (Required)
--: Shall be added and specified with the value {{smallcaps}}3310{{/smallcaps}} or different, if the port is occupied.
--; User
--: By default this is {{smallcaps}}clamav{{/smallcaps}} and has to be changed to {{smallcaps}}root{{/smallcaps}} to give root rights to the ClamAV-daemon service.
++//ClamAV// is the program that can scan files for viruses and is required for the use of //ClamAV//-daemon.
--{{figure image="en_tcp_test.png"}}
--  With the help of {{smallcaps}}netstat{{/smallcaps}} the TCP socket of the ClamAV-daemon service can be examined.
--{{/figure}}
++; Update the package list:
++; {{code language="shell"}} sudo apt-get update {{/code}}
--In order for this plugin to address the ClamAV-daemon service, the service has to be listening in the right place - in this case at {{smallcaps}}127.0.0.1:3310{{/smallcaps}}. This can be checked by the following command in the terminal:
++; Install //ClamAV// and //ClamAV//-daemon:
++; {{code language="shell"}} sudo apt-get install clamav clamav-daemon -y {{/code}}
--{{code language="shell"}}
--sudo netstat -anp | grep -E "(clam)"
--{{/code}}
++=== Update the virus signature database ===
++//freshclam// is automatically installed with //ClamAV// and is used to update the virus signature database.
++; Terminate the automatic //freshclam// process:
++; {{code language="shell"}} sudo systemctl stop clamav-freshclam {{/code}}
++
++; Manually update virus signature database:
++; {{code language="shell"}} sudo freshclam {{/code}}
++
++=== Configuration //ClamAV//-daemon ===
++
++//ClamAV//-daemon is the process running in the background on the server, which is addressed for the virus scan. This is done via TCP and must be configured accordingly.
++
++For this purpose, the configuration file under: // /etc/clamav/clamd.conf // should be adapted.
++
++Open the configuration file:
++; {{code language="shell"}} sudo nano /etc/clamav/clamd.conf {{/code}}
++
++Use the arrow keys to navigate to the end of the file.
++
++; Add //TCPAddr 127.0.0.1 //
++; Add //TCPSocket 3310 //
++
++{{lightbox image="en_clamd.conf.png"/}}
++
++; Specify root rights for //ClamAV//-daemon
++: To do this, the row //User clamav// has to be changed to //User root// in this file.
++
++Now you can save and exit with //Ctrl + X//. Confirm with //Y// and the Enter key.
++
++=== Starting the //ClamAV//-daemon Service ===
++
++Now the service can be started.
++
++: Start the //ClamAV//-daemon Service:
++; {{code language="shell"}} sudo systemctl start clamav-daemon.service {{/code}}
++
++=== Checking the availability of the service ===
++
++In order for this plugin to be able to address the //ClamAV//-daemon service, the service must be listening in the right place - in this case at //127.0.0.1:3310//. This can be checked in the server's terminal.
++
++Using //netstat// the TCP socket of the //ClamAV//-daemon service can be examined.
++; {{code language="shell"}} sudo netstat -anp | grep -E "(clam)" {{/code}}
++
++{{lightbox image="en_tcp_test.png"/}}
++
++If no line starting with //tcp// is seen or a different //host:port// combination is seen as //127.0.0.1:3310//, the configuration has to be checked again.
++
++== Example configuration ==
++
++An example configuration with the above default values:
++
++{{lightbox image="en_plugin.png"/}}
++
++== Usage ==
++
++As soon as a virus signature has been detected, the following message is displayed:
++
++{{lightbox image="en_virus_found.png"/}}
++
++=== Test file ===
++
++A common method for checking virus scanners is the //eicar.com// file.
++At any point this test file can be uploaded and after successful configuration the message shown above should be seen.
++
++; [[**Wikipedia**>>https://de.wikipedia.org/wiki/EICAR-Testdatei]]
++; [[**Download**>>https://www.eicar.org/download-anti-malware-testfile/]]
++
++=== Logging ===
++
++//ClamAV// creates logs which can be found under // /var/log/clamav/clamav.log //.
++
++For example, after uploading the //eicar.com// test file, the following entry can be seen in //clamav.log //:
++; {{code language="shell"}} Wed May 25 10:10:21 2022 -> instream(127.0.0.1@32984): Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND {{/code}}
++
++{{formcycle/}} logs can be found for this at // /formcycle-data/formcycle7/logs //.
++
++After uploading the //eicar.com// test file, for example, the following entry can be seen in //formcycle-errors-log //:
++; {{code language="shell"}} [WARN] [25-05-22 10:10:21,192] [ajp-nio-127.0.0.1-8009-exec-43] (MalwareScanner.java:211) - Scanner <fc.plugin.malware.scanner.clamAV. ClamAntiVirusFileScanner@7b2a4953> detected malware signature for file </home/fc/tomcat9/tmp/xima-temp/formcycle7/xfc-malware-scan/stream-scan12705251110052849842/data2383296604287452271>: {stream=[Win.Test.EICAR_HDB-1]} {{code}}
++; {{code language="shell"}} [ERROR] [25-05-22 10:10:21,207] [ajp-nio-127.0.0.1-8009-exec-43] (VirusScannerService.java:71) - Detected a virus {{/code}}
++
++== Version history ==
++
++**Version 1.0.1**
++
++* Optimisations for installation on server clusters
++
++**Version 1.0.0
++
++* Initial release
++