
We have a web application for which I've been asked to add the ability to let users upload documents that will then be visible and downloadable by other users. Those documents will typically be images and audit documents that will initially be in PDF format but may extend to other office formats in the future. Each user that can upload or download files will have to authenticate first. The servers run Debian.

The way I see it, with this functionality, our server can potentially become a distribution vector for viruses through the following scenario:

  1. User 1 uploads a file that contains a virus,
  2. Server makes the file available for download,
  3. User 2 downloads the infected file and propagates the virus.

In order to mitigate this threat, I was thinking of implementing a quarantine mechanism where every file is uploaded to our server in a safe folder, checked and only made available for download once all checks have passed. The security checks I had in mind are:

  • Have a white list of file types we accept and reject any file not of that type,
  • Check that the type of the actual file is the same as the one advertised in the POST request and reject any file where there is a mismatch,
  • Run anti-virus on the file.

We may also include filters that are specific to given file types. For example, we could have images go through ImageMagick in order to store a "sanitised" version. Similarly, we should be able to partially parse document files to extract some information out of them and perform further checks.

My current ideas for implementing those checks are:

  • Check the file type by using file -i,
  • Use ClamAV as an anti-virus.

Are there other attack vectors I should think of or other checks I should implement?

Is ClamAV the correct tool to check files for viruses?

Bruno Girin
  • Your scheme is a good starting one. I don't feel `clamav` to be too bad an idea compared to some expensive commercial products. I would just suggest an easy check to protect your Windows users: after your `file -i`, suppress the files whose extension doesn't correspond, and suppress any file with multiple extensions (e.g. `image.htm.pdf`). – dan Dec 17 '14 at 00:35

1 Answer


By itself, ClamAV is not on par with the best commercial alternatives. For best results use multiple detection engines well rated in comparative reviews. Engines with the highest detection rate generally suffer from more false positives, so consider quarantining inconsistent results for later manual checks. Also available are automated sandbox analysis tools like Cuckoo Sandbox and online third-party services like VirusTotal's API (the latter only for public documents, although other services may come with an NDA).

File types and extensions should be filtered on a white-list basis. Server-side languages often include a file recognition library which you can use in addition or as an alternative to file -i. Users should not be allowed to upload encrypted documents or ZIP files whose contents cannot be scanned.

Responsibility and accountability would help users think twice before being silly or careless. Ask them to report infections immediately. Keep track of those uploading malware, as they are more likely to do it again. Website usage patterns may reveal leaked credentials and malicious behaviour.

The single most effective mitigation towards overall security may be an awareness web page for users prepared in coordination with the appointed company department. This would prevent infections of user machines in the first place. Mind that it is not a technical measure, it is outside your scope, and it may minimize the perceived value of your other efforts.

Enos D'Andrea
  • Your Windows/Linux/Mac line needs to be removed. It takes away from the awesome points you make in the rest of your answer. – schroeder Dec 16 '14 at 20:41
  • There is great debate on that fact, and the topic is more complex than you address, but that's besides the point. The OP is in a corporate environment. Users may not have control over which OS they run. Your line sticks out as an oddly unprofessional outlier to an otherwise wonderful answer. – schroeder Dec 16 '14 at 20:55
  • The users of the system are our customers' employees so not only do I not have control over their environment, how clued up about security their IT department is varies from customer to customer. I like the idea of tracking users who upload malware and making them accountable. As the system includes an alerting module, I could notify them if they upload a document that contains a virus and could escalate the notification to their admin if it happens repeatedly. – Bruno Girin Dec 17 '14 at 22:39
  • Those admins may want to be notified every time, as each infected document is the result of active malware undetected by the enterprise antivirus. – Enos D'Andrea Dec 18 '14 at 08:08
  • Possibly, it's a question of whether the admin has the ability and bandwidth to act on it. In practice, the way our system works, I can have a different alert policy depending on the customer and we could also do things like disable the upload functionality for a given customer if we have too many incidents with their users or do anything else based on that such as increase their support fees. – Bruno Girin Dec 18 '14 at 14:19
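The quarantine gate sketched in the question (type whitelist, advertised-vs-actual type check, anti-virus scan), with dan's extension rules from the comments, as one added example that is not code from the question or the answer. The `ALLOWED` policy table, the magic-byte sniffer standing in for `file -i` so the block runs offline, and the injectable `scan` callable are assumptions; the default scanner shells out to `clamscan` and treats a scan error as "keep quarantined".

```python
import subprocess
import tempfile
from pathlib import Path

# Assumed policy: detected MIME type -> extensions accepted for that type.
ALLOWED = {
    "application/pdf": {".pdf"},
    "image/png": {".png"},
    "image/jpeg": {".jpg", ".jpeg"},
}

# Leading-byte signatures used in place of `file -i` so the example runs offline.
SIGNATURES = [
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
]


def sniff_mime(data: bytes) -> str:
    """Return the MIME type implied by the file content, never by its name."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def clamscan(data: bytes) -> bool:
    """Default scanner: clamscan exit 1 = infected, 0 = clean, 2 = scan error."""
    with tempfile.NamedTemporaryFile(suffix=".quarantine") as tmp:
        tmp.write(data)
        tmp.flush()
        rc = subprocess.run(["clamscan", "--no-summary", tmp.name],
                            capture_output=True).returncode
    if rc == 2:  # unscannable files must never leave quarantine
        raise RuntimeError("clamscan failed; file stays quarantined")
    return rc == 1


def check_upload(filename: str, advertised: str, data: bytes, scan=clamscan):
    """Quarantine gate: every check must pass before the file is released."""
    suffixes = Path(filename).suffixes
    if len(suffixes) != 1:  # rejects image.htm.pdf and extension-less names
        return False, "multiple or missing extension"
    detected = sniff_mime(data)
    if detected not in ALLOWED:
        return False, f"type {detected} not whitelisted"
    if detected != advertised.split(";")[0].strip().lower():
        return False, "advertised type does not match content"
    if suffixes[0].lower() not in ALLOWED[detected]:
        return False, "extension does not match content"
    if scan(data):
        return False, "anti-virus detected malware"
    return True, "ok"
```

Call `check_upload` on the quarantined copy and move the file to the download area only on `(True, "ok")`; any other result, or an exception from the scanner, leaves it in quarantine.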