Moodle issue MDL-50888

Antivirus: Implement ClamAV virus scanning using unix sockets.


    • MOODLE_30_STABLE, MOODLE_32_STABLE
    • MOODLE_32_STABLE
    • MDL-50888-master

      1. Go to the ClamAV settings and change 'runningmethod' to 'Unix domain socket'. Enter 'pathtounixsocket' according to your system (/var/run/clamav/clamd.ctl on Debian Linux). Save the settings. If Unix domain sockets are not supported on your platform, or the socket path is wrong, you will get an error and will not be able to save the changes. The user running the ClamAV daemon also needs write access to PHP's temporary files directory; you can achieve this by adding the clamav user to the www-data group on your system. Make sure that email is configured in Moodle so that error notifications can be received.
      2. Open any file-picking interface and try to upload a file that does not contain a virus; the file should be uploaded successfully.
      3. Open any file-picking interface and try to upload a file that contains a virus; this could be the EICAR test signature in a text file (see https://en.wikipedia.org/wiki/EICAR_test_file for details). You should get an exception on upload with a message saying that your file contains a virus and can't be uploaded.
      4. Stop the clamav daemon on your system. Open any file-picking interface and try to upload any file; the file should get uploaded. The admin should get an email notification that antivirus is not configured correctly.


      Using a Unix socket is a significantly faster way of scanning files than using a command-line exec call, but it is only available on Unix-like systems. This will be implemented as an option for the ClamAV plugin, letting the user choose between sockets and the command-line utility. The command line will remain the default option.

      How scanning works

      For more details on the socket commands that ClamAV accepts, see the manual. In this particular case we use the SCAN command with the full file path as the parameter. The ClamAV user must be able to access the file; adding the clamav user to the www-data group should do the trick. Unfortunately there is no easier way to resolve access: granting everyone read permission on the uploaded file is not a good option, so it is not used here. Potentially, the FILDES command could be used to avoid the access problem, but using it would require bumping the minimum PHP version to 5.5 (the socket_sendmsg function is required, which implements https://wiki.php.net/rfc/sendrecvmsg and is needed to build a BSD 4.4 style message with the file descriptor encapsulated).

      It would also be possible to use TCP sockets, e.g. if ClamAV runs on a different system, but that is not good performance-wise (every file would need to be transferred over the network for scanning), so this option has not been implemented.
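      The exchange described above (connect to the clamd Unix domain socket, send SCAN with the full path, read the one-line reply) as an added example in Python; this is not Moodle's PHP plugin code. It assumes the Debian socket path from the testing instructions, the newline-terminated ("n"-prefixed) form of the clamd command protocol, and clamd's standard reply forms ("OK", "<signature> FOUND", "<reason> ERROR"). The upload_decision helper encodes the behaviour the testing instructions describe, including the fail-open-with-notification case when the daemon is stopped.

```python
import socket
import sys
from typing import Optional, Tuple

# Debian's default clamd socket path, as given in the issue's testing instructions.
DEFAULT_SOCKET = "/var/run/clamav/clamd.ctl"


def parse_scan_reply(reply: str, path: str) -> Tuple[str, Optional[str]]:
    """Classify clamd's answer to "SCAN <path>".

    clamd replies with one line: "<path>: OK", "<path>: <signature> FOUND"
    or "<path>: <reason> ERROR".  Returns (status, detail) with status one
    of "ok", "found" or "error"; detail carries the signature or the reason.
    """
    line = reply.strip()
    prefix = path + ": "
    rest = line[len(prefix):] if line.startswith(prefix) else line
    if rest == "OK" or rest.endswith(" OK"):
        return ("ok", None)
    if rest.endswith(" FOUND"):
        return ("found", rest[: -len(" FOUND")])
    if rest.endswith(" ERROR"):
        return ("error", rest[: -len(" ERROR")])
    return ("error", "unexpected reply: " + line)


def scan_file(path: str, socket_path: str = DEFAULT_SOCKET,
              timeout: float = 30.0) -> Tuple[str, Optional[str]]:
    """Ask the clamd daemon over its Unix domain socket to scan a file by path.

    The 'n' command prefix asks clamd for newline-terminated replies.  Because
    SCAN sends only the path, the clamd user must be able to read the file
    itself (the group membership discussed in the issue); clamd reports a
    permission problem as an ERROR reply, not as a clean result.
    """
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect(socket_path)
            sock.sendall(b"nSCAN " + path.encode() + b"\n")
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                if data.endswith(b"\n"):   # end of the single reply line
                    break
    except OSError as exc:
        # Daemon stopped, wrong socket path, or socket not accessible to the
        # web server user: a scanner failure, not a scan result.
        return ("error", f"clamd unreachable at {socket_path}: {exc}")
    return parse_scan_reply(b"".join(chunks).decode("utf-8", "replace"), path)


def upload_decision(status: str) -> Tuple[bool, bool]:
    """Map a scan status to (accept_upload, notify_admin), following the
    testing instructions: clean files pass, infected files are rejected,
    and a scanner failure lets the file through but notifies the
    administrator that antivirus is not configured correctly."""
    if status == "ok":
        return (True, False)
    if status == "found":
        return (False, False)
    return (True, True)


if __name__ == "__main__":
    # Usage: python clamd_scan.py /path/to/uploaded/file
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp/upload.bin"
    status, detail = scan_file(target)
    accept, notify = upload_decision(status)
    print(f"{target}: {status} {detail or ''} -> accept={accept} notify_admin={notify}")
```

      Running it against a file that holds the EICAR test string on a host with clamd listening on the socket reproduces step 3 of the testing instructions; pointing it at a stopped daemon reproduces step 4, where the reply parser is never reached and the connection error becomes the "notify admin" path.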

      Statistical analysis

      To verify whether the difference between running methods is statistically significant, a test script was designed. The test was run 100 times for each file size (1 MB, 10 MB, 50 MB, 100 MB, 500 MB) and each running method (command line and socket), and the time taken to scan the file was recorded in milliseconds. General descriptive statistics and a graph representing them are shown below.

      File size   Command line                Unix socket
      1 MB        M = 16.738, SD = 5.384      M = 9.360, SD = 2.15
      10 MB       M = 35.148, SD = 13.890     M = 29.533, SD = 5.270
      50 MB       M = 8.943, SD = 2.898       M = 0.928, SD = 0.229
      100 MB      M = 8.967, SD = 2.796       M = 0.619, SD = 0.334
      500 MB      M = 9.332, SD = 3.101       M = 1.312, SD = 0.388

      A two-sample t-test was applied to the groups of timings recorded for the same file scanned using the two running methods. The result showed a significant difference at the 95% confidence level in all compared groups. See the attached PDF for detailed results.
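      The t-test conclusion can be reproduced from the summary statistics in the table alone. The following added example (not part of the issue or its attached PSPP output) applies Welch's two-sample t-test, which needs only each group's mean, standard deviation and size; it assumes n = 100 per group as stated above and uses the 99-degree-of-freedom critical value 1.984, which is conservative because every Welch degrees-of-freedom value here lies between 99 and 198. Because the attached analysis may have used the pooled-variance form, the statistics will not match the PDF exactly, but the significance verdict for each file size is the same.

```python
import math
from typing import Dict, Tuple

N = 100  # scans per group, as stated in the issue

# Summary statistics copied from the issue's table: mean and SD of scan time
# in milliseconds for the command-line and Unix-socket running methods.
RESULTS = [
    ("1 MB",   16.738, 5.384,  9.360, 2.150),
    ("10 MB",  35.148, 13.890, 29.533, 5.270),
    ("50 MB",   8.943, 2.898,  0.928, 0.229),
    ("100 MB",  8.967, 2.796,  0.619, 0.334),
    ("500 MB",  9.332, 3.101,  1.312, 0.388),
]

# Two-sided 95% critical value of Student's t with 99 degrees of freedom.
# Every Welch df computed below lies between 99 and 198, so this is conservative.
T_CRIT_95 = 1.984


def welch_t(m1: float, s1: float, n1: int,
            m2: float, s2: float, n2: int) -> Tuple[float, float]:
    """Welch's two-sample t statistic and Welch-Satterthwaite degrees of freedom."""
    v1, v2 = s1 ** 2 / n1, s2 ** 2 / n2          # variances of the two sample means
    t = (m1 - m2) / math.sqrt(v1 + v2)
    df = (v1 + v2) ** 2 / (v1 ** 2 / (n1 - 1) + v2 ** 2 / (n2 - 1))
    return t, df


def compare_running_methods() -> Dict[str, Tuple[float, float, bool]]:
    """For each file size: (t statistic, degrees of freedom, significant at 95%)."""
    out = {}
    for size, m_cli, sd_cli, m_sock, sd_sock in RESULTS:
        t, df = welch_t(m_cli, sd_cli, N, m_sock, sd_sock, N)
        out[size] = (t, df, abs(t) > T_CRIT_95)
    return out


if __name__ == "__main__":
    for size, (t, df, sig) in compare_running_methods().items():
        print(f"{size:>7}: t = {t:6.2f}, df = {df:6.1f}, significant = {sig}")
```

      The smallest effect is the 10 MB case (t around 3.8); all others exceed 12, which is why every group comes out significant even with the conservative critical value.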

        Attachments:
        1. clamav_stat.jpg (42 kB)
        2. clamav-deamon.PNG (36 kB)
        3. image-2018-07-03-14-58-28-313.png (12 kB)
        4. image-2018-07-03-14-58-35-285.png (12 kB)
        5. image-2018-07-03-15-01-51-765.png (33 kB)
        6. pspp_stat.pdf (31 kB)

            People: Ruslan Kabalin (kabalin), cameron1729, Andrew Lyons, Rajesh Taneja
            Votes: 3
            Watchers: 11
