Security Basics mailing list archives

RE: [Web Security] File Upload Virus Scanning


From: Jabłoński, Paweł <PJablonski () ivmx pl>
Date: Sat, 10 Jul 2010 12:23:13 +0200

Hey,

There are many solutions for virus scanning content sent over the HTTP protocol that are easy to integrate with 
your JEE web application, like finjan.com or trendmicro.com, for example. I think you might also want to consider 
implementing some CGI-based logic inside the shell that is invoked per file to run a virus scan locally - in that case 
you can use virus software dependent on the platform you're using. That gives you more flexibility. Write your web 
application logic in such a way that it will know if a downloaded file was scanned with A/V locally (CGI) and access it 
with some trigger or db-based parameter.

As far as I can remember, there's some Symantec solution for scanning files, with API support for Java, called 
SymJavaAPI.jar or something like that. Try googling it also.

Paweł Jabłoński
IT Security Consultant
________________________________________
From: listbounce () securityfocus com [listbounce () securityfocus com] on behalf of 0x4150 [0x4150 () gmail com]
Sent: 9 July 2010 20:13
To: security-basics () securityfocus com; websecurity () webappsec org; webappsec () securityfocus com
Subject: [Web Security] File Upload Virus Scanning

All,

I am reviewing a Java EE web application which allows uploads of various
file types, stores them in a directory, and then offers the same files
to other users for download. The files could be images (jpg, gif,
png), documents (doc, docx, xls, pdf), or text files (txt, csv).

My question is regarding virus scanning of these uploaded files. With
vulnerabilities being reported in formats like PDF, I would like to
protect the users and infrastructure as much as possible.

Are there any best practices for this?

What products (commercial or free) should I evaluate for this process?

Thanks in advance for any insight!
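
The flow suggested in the reply above (a per-file local scan whose result the application consults before offering the file) sketched as a shell script. This is an added example, not part of the original thread; the directory layout, function names and `.status` file are assumptions, and ClamAV's `clamscan` stands in for whatever scanner is installed locally.

```shell
#!/bin/sh
# Added example: per-file scan gate for uploaded files.
# Assumed layout: $UPLOAD_ROOT/incoming (unscanned), clean/ (served), quarantine/.
# SCANNER defaults to ClamAV's clamscan: exit 0 = clean, 1 = infected, 2 = error.
SCANNER="${SCANNER:-clamscan --no-summary}"
UPLOAD_ROOT="${UPLOAD_ROOT:-/var/app/uploads}"   # hypothetical path

# scan_upload NAME: scan incoming/NAME and move it to clean/ or quarantine/.
# Returns 0 = clean and published, 1 = infected, 2 = scan failed, 3 = bad input.
scan_upload() {
    name=$1
    case "$name" in
        ""|*/*|.*) return 3 ;;   # no empty names, path separators or dotfiles
    esac
    src="$UPLOAD_ROOT/incoming/$name"
    [ -f "$src" ] && [ ! -L "$src" ] || return 3   # regular files only
    mkdir -p "$UPLOAD_ROOT/clean" "$UPLOAD_ROOT/quarantine" || return 2

    rc=0
    $SCANNER "$src" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        mv -- "$src" "$UPLOAD_ROOT/clean/$name" || return 2
        return 0
    fi
    # Fail closed: an infected file and a broken or missing scanner both
    # end in quarantine, with the scanner exit code kept for triage.
    mv -- "$src" "$UPLOAD_ROOT/quarantine/$name" || return 2
    echo "$rc" > "$UPLOAD_ROOT/quarantine/$name.status"
    if [ "$rc" -eq 1 ]; then
        return 1
    fi
    return 2
}

# is_downloadable NAME: the check the web application makes before serving.
# Only files that passed a scan exist under clean/, so unscanned uploads
# and scan errors are never offered to other users.
is_downloadable() {
    case "$1" in
        ""|*/*|.*) return 1 ;;
    esac
    [ -f "$UPLOAD_ROOT/clean/$1" ]
}
```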


