Virus scanning of files while uploading (Linux)

We allow users to upload files to our Java web application. We are very security conscious, as we go through security audits from large banks.

We have looked at the market and have tried out Metascan Online. We require an API so as to give a response to the user rather than just quarantine the virus.

Has anyone had experience of Metascan, Scanii etc. or other online scanners, and would they satisfy a security audit?

Alternatively, we have come across Symantec Protection Engine for Cloud Services, which runs on the server. Are there alternatives to Norton, and are there performance issues with AV running on the servers?

We are also interested in comments on security audits regarding the necessity of having AV running on a Red Hat Linux server.

Thanks
julianc98 asked:

btan (Exec Consultant) commented:
Metascan (MS) is good, as it differs by supporting many anti-malware engines, and most of it is via command line (not GUI), which is not easily available and configurable elsewhere. Multiple AV engines are definitely better than relying on a single AV to lower false positives; I have attempted a 2-3 AV DIY setup, but it is not easy to scale, and eventually online services such as VirusTotal (VT) are another option, which also supports API keys and calls to submit hashes. It is really the analysis environment or catch hole you are dealing with for suspected files...

But as with all signature-based engines, MS is also AV driven, so without the latest signatures it is missing visibility, though some AVs still have the behaviour context to alert on anomalies. Another consideration is to seek fuzzy hashing like ssdeep to strike threshold closeness checks against similar malware or clusters of a malware family for suspected files and artefacts.

Of course, if URL scanning is not of interest, that is not an issue with MS, and I believe it can be built on-premise (appliance or even virtual machines). Otherwise VT has an edge for URL scanning and network packet capture analysis. Also, for MS the upload-and-scan limit of 80MB is already bigger than VT's too. MS allows adding engines as required for a sizeable SME, compared to others that may be fixed like VT. More is not necessarily more effective or accurate, as it also creates more noise; the key is to have accurate comparison.

There are multiple online sandbox scan analysis services free too, but for flexibility to supplement and augment your on-premise security appliance or server, MS will be more suited.


Coming back to compliance, you would likely be looking at Gears, which uses MS. Gears can be on an appliance and endpoint machines, using up to 40 anti-malware engines from MS, specifically for deployed client machines to scan a device's active programs (running processes) once per day.
By creating a Gears policy that matches your organization’s HIPAA, SOX or PCI-DSS requirements, you can meet regulatory compliance requirements without expensive industry-specific software solutions. The unique architecture of the Gears product easily allows remote monitoring and compliance auditing for situations like branch offices, or registered investment advisors. This can help automate the compliance and auditing requirements for the SEC’s rule 30 of regulation S-P (17 CFR 248.30).

It covers the HIPAA Security Standards compliance policy for PCs with Gears:
• User authentication §164.312(a)(2)(i)
• Automatic device lock-out §164.312(a)(2)(iii)
• Disk and data encryption §164.312(a)(2)(iv)
• Audit controls §164.312(b)
https://www.opswat.com/blog/regulated-industries-can-use-byod

julianc98 (Author) commented:
Thanks for your comments.

We have come across Clam AV. Has anybody had experience of using Clam AV on RHEL 6 to scan uploaded files and to give a response to the user that there is a virus in the file, etc.?
btan (Exec Consultant) commented:
In fact, clamav is pretty much the standard scanner for Linux, and it supports various OSes too (http://www.clamav.net/doc/install.html#requirements). It is also part of the VirusTotal list of AVs.

Typically, if using online services, I will instead scan with VirusTotal. To clarify, clamav is not a real-time virus scanner (it does not scan when a file is read or written), but it can be used with other applications (see "Alternate Versions of ClamAV" under http://www.clamav.net/download.html). It is quite flexible and adopted by other apps, and you can even build owncloud with the clamav app installed (https://doc.owncloud.org/server/7.0/admin_manual/configuration/antivirus_configuration.html).

However, coming back to reliability, clamav's inspection is a simple signature hash check, so do not expect great behavioural or heuristic checks like those anti-malware products can offer. But it can scan faster compared to others if going through a large list of files. If it is online support then I do see it as transparent, but if building your own server then the key is to make sure that the update of the signatures is done timely, e.g. even to the extent of every hour, whereby each clamav server polls the signature updates from a locally installed server or online update service. There can still be false positives like with any AV, especially if there is a corrupted hash string, misconfiguration or lack of an updated copy of the signature listing.

• The last CVD update crashed my ClamAV installation. Why?
Before publishing a CVD update, we verify that it can be correctly loaded by the last two stable release series of ClamAV.

• The last CVD update detects a lot of false positives on my system. Why?
Before publishing a CVD update, we test it for false positives using the latest stable release of ClamAV. If you want to avoid problems with false positives, you must run the latest stable version of ClamAV.

• I tried to submit a sample through the web interface, but it said the sample is already recognized by ClamAV. My clamscan tells me it's not. I have already updated my database and ClamAV engine, what's wrong with my setup?
Please run clamscan with the --detect-broken option. Also check that freshclam and clamscan are using the same path for storing/reading the database.
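Since the question is how a Java web application gets a per-upload verdict back to the user, here is an added example (not code from the thread or from the ClamAV project) of a minimal client for clamd's INSTREAM command. It assumes clamd is reachable over TCP (TCPSocket configured in clamd.conf); the host and port passed in are placeholders.

```java
import java.io.*;
import java.net.Socket;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

/** Streams upload bytes to a clamd daemon with INSTREAM and parses the verdict line. */
public final class ClamdScanner {
    private final String host;
    private final int port;

    public ClamdScanner(String host, int port) { this.host = host; this.port = port; }

    /** Returns null when clamd reports OK, otherwise the signature name it reported. */
    public String scan(InputStream upload) throws IOException {
        try (Socket s = new Socket(host, port)) {
            s.setSoTimeout(30_000);
            OutputStream out = s.getOutputStream();
            // 'z' prefix: command and reply are NUL-terminated (instead of newline-terminated)
            out.write("zINSTREAM\0".getBytes(StandardCharsets.US_ASCII));
            byte[] buf = new byte[8192];
            int n;
            while ((n = upload.read(buf)) > 0) {
                // each chunk is a 4-byte big-endian length followed by that many bytes
                out.write(ByteBuffer.allocate(4).putInt(n).array());
                out.write(buf, 0, n);
            }
            out.write(new byte[4]); // zero-length chunk ends the stream
            out.flush();
            // reply looks like "stream: OK" or "stream: Eicar-Test-Signature FOUND"
            String reply = readUntilNul(s.getInputStream()).trim();
            if (reply.endsWith("OK")) return null;
            if (reply.endsWith("FOUND")) {
                int colon = reply.indexOf(':');
                return reply.substring(colon + 1, reply.length() - "FOUND".length()).trim();
            }
            // anything else (e.g. "INSTREAM size limit exceeded. ERROR") must not pass as clean
            throw new IOException("clamd did not return a verdict: " + reply);
        }
    }

    private static String readUntilNul(InputStream in) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        int b;
        while ((b = in.read()) > 0) bos.write(b); // stop at NUL terminator or EOF
        return bos.toString(StandardCharsets.US_ASCII.name());
    }
}
```

Call scan() on the upload stream before the file is persisted and reject on a non-null result or an exception; streams larger than clamd's StreamMaxLength are refused with the size-limit error, so cap the upload size to match that setting.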
gheist commented:
btan (Exec Consultant) commented:
In fact, in a common installation, if uploading to the clamav engine (separate server), it can be via an ICAP call. Red Hat EL 6 has an ICAP module for this:
An implementation of an ICAP server
Description:
C-icap is an implementation of an ICAP server. It can be used with HTTP
proxies that support the ICAP protocol to implement content adaptation
and filtering services. This package provides additional service modules
for c-icap.  
http://rpm.pbone.net/index.php3/stat/4/idpl/25736062/dir/redhat_el_6/com/c-icap-modules-0.3.2-1.el6.pp.i686.rpm.html

Overall, ClamAV works with a couple of web-supporting services too, like a web proxy (squid), web content filter (dansguardian) and AV scan (ClamAV itself):
https://sathisharthars.wordpress.com/2013/07/31/configuring-proxy-server-with-antivirus-squidclamavsquidguarddansguardian/