On-Access scanning

[eezee]

We are in the process of deploying an FTP server and I have
been asked to look into this issue.

We need to know that if someone deposits a file with a virus
on our system, using either FTP or a local copy, that our McAfee
virus scanner will pick it up _before_ it is possible for any other
process (e.g. FTP) to even see the file.

I know that 'on-access' means that the scan is triggered by the
disk driver operations, but the question is which ones, and can
we guarantee that we won't have a partially scanned file on our
system that could be seen by another process before the on-access
scan is complete.


Hope this makes sense, and thanks for your help.

 

[David W. Hodgins]

We are in the process of deploying an FTP server and I have
been asked to look into this issue.
I know that 'on-access' means that the scan is triggered by the
disk driver operations, but the question is which ones, and can
we guarantee that we won't have a partially scanned file on our
system that could be seen by another process before the on-access
scan is complete.

On access scanning usually only scans existing files that are being
opened for read, or read-write access. To prevent the creation of
an infected files, some scanners have "on close" scanning, to auto
delete an infected file, that has just been created.

The problem you're most likely to encounter with an on access
scanner, is the ftp server hanging, when it tries to access an
infected file, and is prevented by the av software.

What is appropriate depends a lot on who will have upload access,
and the download audience.

If untrusted users will have upload access, I recommend having all
uploaded files put into a directory that is not accessible for download,
with a script that runs the av scanner on demand, before moving the
file to a directory accessible for download. Don't forget about the
day 0 problem, where a new virus is not recognized by the scanner.
Periodic scanning of the download directory should be used to remove
newly detectable viruses.

Regards, Dave Hodgins

 

[eezee]

If untrusted users will have upload access, I recommend having all
uploaded files put into a directory that is not accessible for download,
with a script that runs the av scanner on demand, before moving the
file to a directory accessible for download. Don't forget about the
day 0 problem, where a new virus is not recognized by the scanner.
Periodic scanning of the download directory should be used to remove
newly detectable viruses.

This is pretty close to what I have been thinking about. We will have
separate 'get' and 'put' folders. I wasn't sure if I would need to run a
'manual' scan on the files, or if I could just rely on 'On-Access' to do
everything for me.

Maybe I'll design it in as an option.

 

[Richard S. Westmoreland]

If untrusted users will have upload access, I recommend having all
uploaded files put into a directory that is not accessible for download,
with a script that runs the av scanner on demand, before moving the
file to a directory accessible for download.

That is the exact same advice I was going to give. Separate the
upload/download directories, and let a scheduled script move files between
them. When the script accesses the file, the on-access scanning will look
at it before making the move.