ClamAV Scan Plugin
Scans attachments for viruses during upload using ClamAV
This plugin intercepts each attachment during upload and passes the content of
the attachment to the
daemon for virus scanning. The attachment is
only saved if the virus scan does not detect any threats.
From the description of ClamAV at http://www.clamav.net
ClamAV is an open source (GPL) antivirus engine designed for detecting
Trojans, viruses, malware and other malicious threats. It is the de facto
standard for mail gateway scanning. It provides a high performance
mutli-threaded scanning daemon, command line utilities for on demand file
scanning, and an intelligent tool for automatic signature updates. The core
ClamAV library provides numerous file format detection mechanisms, file
unpacking support, archive support, and multiple signature languages for
No changes to existing topics are required by this plugin. Once the plugin is enabled, attachments will be scanned during upload. If a virus or other threat is detected, the upload will thow an exception, and the attachment will not be saved. The scan is performed before the attachment is saved to disk.
This plugin is also able to scan the topic text prior to save. This enables scanning for embedded MS Script encoded threats and for certain sensitive data formats such as credit card numbers and social security numbers. See the ClamAV documentation on HTML scanning and the Data Loss Prevention (DLP) module for further information.
This macro returns status information from the
daemon. Or reports any
failure messages if unable to connect to the clamd socket.
Scanning existing attachments.
The current attachments and attachment rcs files of an existing topic can be scanned using a rest handler. Each attachment and corresponding rcs file if it exists is passed to clamd for scanning. Results of the scan are reported back in the rest results.
All attachments and the corresponding rcs
files of a topic are scanned. There is no facility to request scan of an individual attachment.
This operation is restricted to users in the Admin group
cd [Foswiki/bin] directory
./rest /ClamAVScanPlugin/scan -topic System.PatternSkin
Reloading the Virus Signatures.
This plugin includes a rest handler to force reload of the virus signatures. This operation is restricted to users in the Admin group. The plugin sends a command to the clamd daemon to request the reload.
Note that reloading the signatures does not download newer signatures from ClamAV. It only reloads the existing signature files into the clamd daemon.
This plugin does not use any preferences. All configuration is done using configure
You do not need to install anything in the browser to use this extension. The following instructions are for the administrator who installs the extension on the server.
Open configure, and open the "Extensions" section. Use "Find More Extensions" to get a list of available extensions. Select "Install".
If you have any problems, or if the extension isn't available in
, then you can still install manually from the command-line. See http://foswiki.org/Support/ManuallyInstallingExtensions
for more help.
This plugin depends upon a properly configured and operational version of the
daemon. Actual scans are executed by the clamd daemon. ClamAV must be local to the Foswiki system.
This plugin uses the following settings:
- The unix socket used to communicate with the
clamd daemon. Defaults to
- Should attach be blocked if clamd is unavailable to scan attachments. If this option is enabled, any attempt to attach a file will result in an error when clamd is not available. Default is disabled - Attachments will be added without scanning if
clamd is unavailable.
- ClamAV can perform HTML scanning for certain embedded script threats. It can also perform "Data Loss Prevention". When DLP is enabled in clamd.conf, it will detect certain data such as social security numbers and credit card numbers in content. Default is disabled. Enable this option to perform scanning of topic data for structured data and embedded HTML threats. If a threat is detected, ClamAV will block the topic save.
Caution: In addition to these settings, the
StreamMaxLength needs to be large enough to accommodate the largest Foswiki setting for ATTACHFILESIZELIMIT. Currently 100000 in this web, this value can be set per web.
|File::Find||>=0||required for lib/Foswiki/Plugins/ClamAVScanPlugin/ClamAV.pm|
|IO::Socket||>=0||required for lib/Foswiki/Plugins/ClamAVScanPlugin/ClamAV.pm|
|Socket::PassAccessRights||>=0||optional passes file descriptors to clamd for access rights|
is "optional" however on most systems this module will be required for correct operation. The
daemon must have full access to each scanned file. This module allows a file descriptor to be passed to clamd ensuring full access. If this module is not installed, the file name
will be passed to the clamd daemon. If insufficient rights are available, the scan will fail.
(On Foswiki 1.1, scans during attachment upload will still work, as the stream is passed to clamd. On Foswiki 1.0, the temporary file name will be passed resulting in possible access rights issues.)