Posted to dev@commons.apache.org by bu...@apache.org on 2004/03/22 15:34:42 UTC

DO NOT REPLY [Bug 27193] - Documentation: illustrate how to integrate virus control


http://issues.apache.org/bugzilla/show_bug.cgi?id=27193

Documentation: illustrate how to integrate virus control





------- Additional Comments From Brian.Ewins@btinternet.com  2004-03-22 14:34 -------
We use the common ability of virus scanners to quarantine infected files
immediately after they are written, as a minimal level of integration.
Introducing a slight delay in processing the files is enough to ensure that they
have been scanned. Our customers have various virus scanners and this has worked
for all of them.

Of course, this isn't ideal, as if the scanner is off, or slow, the file will
still be there next time you look. Using on-demand scanning is slightly better
as you'll never get data from the file until after the scanner has kicked in. To
test this mechanism, use the eicar test files.
http://www.eicar.org/anti_virus_test_file.htm

For a more complete solution, AV vendors seem to be aligning around ICAP
(http://www.i-cap.org/spec/rfc3507.txt) as a way of plugging in to HTTP servers.
ICAP modifies HTTP requests/responses, so you'd have a proxy that used ICAP to
talk to an enterprise AV product. Notification appears in headers of the
modified request, see:
http://www.i-cap.org/spec/draft-stecher-icap-subid-00.txt

So you MAY get an 'X-Infection-Found' header if there's a virus; i.e. what the
header /actually/ is may vary from vendor to vendor, but you should see
something. Hence, with ICAP available, best practice would be to test for the
presence of a configurable infection-flagging header prior to parsing the file
upload.
 
Of course you wouldn't have been able to figure that out from the ICAP forum's
wonderfully opaque and probably autogenerated 'about' page:
http://www.i-cap.org/about/ ... (is this a joke?)

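
The header check suggested in the comment above, as an added example that is not part of the original message and is not Commons code: a gate that looks for a configurable infection-flagging header before the upload is handed to a parser. The class name `InfectionHeaderGate`, the second header name `X-Example-AV-Flag` and the sample requests are assumptions constructed for illustration; it also assumes requests can reach the application only through the proxy that talks ICAP.

```java
import java.util.*;

/** Added example: decides, before the multipart body is parsed, whether to reject. */
public class InfectionHeaderGate {
    // HTTP header names are case-insensitive, so the configured set must be too.
    private final Set<String> flagHeaders = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);

    /** @param configured comma-separated header names, e.g. read from a properties file */
    public InfectionHeaderGate(String configured) {
        for (String name : configured.split(",")) {
            if (!name.trim().isEmpty()) flagHeaders.add(name.trim());
        }
        // Fail closed: an empty configuration would silently disable the check.
        if (flagHeaders.isEmpty()) {
            throw new IllegalArgumentException("no infection-flagging header configured");
        }
    }

    /** Returns the first flagging header present on the request, or null if none. */
    public String flaggedBy(Map<String, String> requestHeaders) {
        for (String name : requestHeaders.keySet()) {
            if (flagHeaders.contains(name)) return name; // presence alone is the signal
        }
        return null;
    }

    public static void main(String[] args) {
        // "X-Example-AV-Flag" is a hypothetical name standing in for a vendor variant.
        InfectionHeaderGate gate =
                new InfectionHeaderGate("X-Infection-Found, X-Example-AV-Flag");

        // Constructed requests, as they might arrive behind an ICAP-enabled proxy.
        Map<String, String> clean = new LinkedHashMap<>();
        clean.put("Content-Type", "multipart/form-data; boundary=abc");

        Map<String, String> flagged = new LinkedHashMap<>(clean);
        flagged.put("x-infection-found", "constructed sample value");

        for (Map<String, String> req : Arrays.asList(clean, flagged)) {
            String hit = gate.flaggedBy(req);
            if (hit != null) {
                System.out.println("reject upload, flagged by header: " + hit);
            } else {
                System.out.println("no flag header, hand request to the upload parser");
            }
        }
    }
}
```

In a servlet, the same test would be made against the request's headers before the request is passed to the upload parser.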