Moodle tracker: MDL-50888

Antivirus: Implement ClamAV virus scanning using unix sockets.


    Details

    • Testing Instructions:
      1. Go to the ClamAV settings and change 'runningmethod' to 'Unix domain socket'. Enter 'pathtounixsocket' according to your system (/var/run/clamav/clamd.ctl on Debian Linux). Save the settings. If unix domain sockets are not supported on your platform, or the socket path is wrong, you will get an error and will not be able to save the changes. The user running the clamav daemon also needs write access to PHP's temporary files directory; you can achieve this by adding the clamav user to the www-data group on your system. Make sure that email is configured in Moodle so that you can receive the error notifications.
      2. Open any file-picking interface and upload a file that does not contain a virus; the file should be uploaded successfully.
      3. Open any file-picking interface and upload a file containing a virus, e.g. a text file containing the EICAR test signature (see https://en.wikipedia.org/wiki/EICAR_test_file for details); the upload should fail with an exception stating that the file contains a virus and cannot be uploaded.
      4. Stop the clamav daemon on your system. Open any file-picking interface and upload any file; the file should be uploaded. The admin should receive an email notification that the antivirus is not configured correctly.
    • Affected Branches: MOODLE_30_STABLE, MOODLE_32_STABLE
    • Fixed Branches: MOODLE_32_STABLE
    • Pull Master Branch: MDL-50888-master

      Description

      Using a unix socket is a significantly faster way of scanning files than a command-line exec call (the daemon keeps the signature database loaded, whereas a separate command-line scanner process has to load it on every invocation), but it is only available on unix-like systems. This will be implemented as an option for the ClamAV plugin, letting the user choose between sockets and the command-line utility. Command line will remain the default option.

      How scanning works

      For details of the commands that clamd accepts over its socket, see the clamd(8) manual. In this particular case we use the SCAN command with the full file path as the parameter, so the clamav user must be able to read the file; adding the clamav user to the www-data group should do the trick. Unfortunately there is no easier way to resolve access: granting read permission on the uploaded file to everyone is not a good option, so it is not used here. The FILDES command could potentially avoid the access problem altogether (the open file descriptor is passed over the socket, so clamd does not have to open the path itself), but to use it the minimum PHP version would need to be bumped to 5.5, because it requires the socket_sendmsg() function (https://wiki.php.net/rfc/sendrecvmsg) to build the BSD 4.4-style message in which the file descriptor is encapsulated.

      TCP sockets could potentially be used as well, e.g. if ClamAV runs on a different system, but performance-wise that is not good (every file would have to be transferred over the network for scanning), so this option has not been implemented.
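      As an added illustration of the socket method described above and of the upload behaviour expected by the testing instructions (clean file accepted, detection rejected, daemon down: file accepted and admin notified), here is a stand-alone PHP example. It is not Moodle's antivirus_clamav code: every function and constant name, the 5 s timeout, the PHP 7.1+ syntax and the replies used in the self-test are assumptions made for this example. The protocol strings follow the clamd(8) manual: a command is prefixed with 'n' (newline-terminated) or 'z' (NUL-terminated), and the reply to SCAN is "<path>: OK", "<path>: <signature> FOUND" or "<path>: <message> ERROR".

```php
<?php
// Added example, not Moodle's antivirus_clamav code. Scans one file through a
// running clamd over a unix domain socket with the SCAN command and maps the
// reply onto the upload policy from the testing instructions.
// Assumptions (not from the page): all names below, the 5 s timeout, PHP 7.1+.

const CLAMD_SOCKET = '/var/run/clamav/clamd.ctl';   // Debian path quoted on the page

const SCAN_CLEAN   = 'clean';    // clamd scanned the file and matched nothing
const SCAN_FOUND   = 'found';    // clamd matched a signature
const SCAN_ERROR   = 'error';    // clamd could not scan this file (e.g. cannot read it)
const SCAN_NOCLAMD = 'noclamd';  // no daemon listening, or no usable reply

/**
 * Scan one file by path. clamd opens the file itself, as the clamav user,
 * so that user needs read access to it. Returns [status, detail].
 */
function clamd_scan_path(string $socketpath, string $path, int $timeout = 5): array {
    // With the 'n' protocol a newline ends the command and a NUL cannot be sent;
    // refuse such paths rather than letting them be truncated or split.
    if (strpbrk($path, "\n\0") !== false) {
        return [SCAN_ERROR, 'path contains a newline or NUL byte'];
    }
    $errno = 0;
    $errstr = '';
    $sock = @stream_socket_client('unix://' . $socketpath, $errno, $errstr, $timeout);
    if ($sock === false) {
        return [SCAN_NOCLAMD, "cannot connect to $socketpath: $errstr"];
    }
    stream_set_timeout($sock, $timeout);
    $cmd = "nSCAN $path\n";
    if (fwrite($sock, $cmd) !== strlen($cmd)) {
        fclose($sock);
        return [SCAN_NOCLAMD, 'short write to clamd socket'];
    }
    $reply = fgets($sock);            // one newline-terminated reply line
    fclose($sock);
    return clamd_parse_reply($path, $reply);
}

/**
 * Parse a SCAN reply for $path into [status, detail]. Kept separate from the
 * socket I/O so it can be exercised without a daemon (see clamd_selftest()).
 */
function clamd_parse_reply(string $path, $reply): array {
    if ($reply === false || $reply === '') {
        return [SCAN_NOCLAMD, 'no reply from clamd'];
    }
    $reply  = rtrim($reply, "\r\n\0");
    $prefix = $path . ': ';           // clamd echoes the path it was given
    if (strncmp($reply, $prefix, strlen($prefix)) !== 0) {
        return [SCAN_ERROR, 'unexpected reply: ' . $reply];
    }
    $rest = substr($reply, strlen($prefix));
    if ($rest === 'OK') {
        return [SCAN_CLEAN, ''];
    }
    if (substr($rest, -6) === ' FOUND') {
        return [SCAN_FOUND, substr($rest, 0, -6)];   // signature name
    }
    if (substr($rest, -6) === ' ERROR') {
        return [SCAN_ERROR, substr($rest, 0, -6)];   // clamd's error message
    }
    return [SCAN_ERROR, 'unexpected reply: ' . $reply];
}

/**
 * Upload policy from the testing instructions: clean is accepted, a detection
 * is rejected, a scanner failure lets the file through but notifies the admin.
 * Returns [accept?, admin notification text or null].
 */
function upload_decision(string $status, string $detail): array {
    switch ($status) {
        case SCAN_CLEAN:
            return [true, null];
        case SCAN_FOUND:
            return [false, null];      // caller raises the "file contains a virus" exception
        default:                       // SCAN_ERROR, SCAN_NOCLAMD
            return [true, "Antivirus is not configured correctly: $detail"];
    }
}

/** Checks the parser and policy against constructed replies; true when all pass. */
function clamd_selftest(): bool {
    $p = '/tmp/phpAb12Cd';            // constructed upload temp path
    return clamd_parse_reply($p, "$p: OK\n") === [SCAN_CLEAN, '']
        && clamd_parse_reply($p, "$p: Eicar-Test-Signature FOUND\n") === [SCAN_FOUND, 'Eicar-Test-Signature']
        && clamd_parse_reply($p, "$p: lstat() failed: Permission denied. ERROR\n")[0] === SCAN_ERROR
        && clamd_parse_reply($p, false) === [SCAN_NOCLAMD, 'no reply from clamd']
        && upload_decision(SCAN_NOCLAMD, 'x')[0] === true
        && upload_decision(SCAN_FOUND, 'x')[0] === false;
}

if (PHP_SAPI === 'cli') {
    echo 'selftest: ', clamd_selftest() ? 'ok' : 'FAIL', PHP_EOL;
    // Scan a real file (e.g. an EICAR test file) if a path is given, else this script.
    [$status, $detail] = clamd_scan_path(CLAMD_SOCKET, $argv[1] ?? __FILE__);
    echo "$status $detail", PHP_EOL;
}
```

      Two points to keep in view when running this against the testing procedure. An ERROR reply for a file that exists almost always means clamd could not read it, so check the permissions of the uploaded file itself and not only of the temporary directory. And step 4 of the testing instructions is a fail-open policy: while clamd is down, files pass unscanned; if that is unacceptable for a given deployment, return [false, ...] for SCAN_NOCLAMD in upload_decision() instead.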

      Statistical analysis

      To check whether the difference between the running methods is statistically significant, a test script was written. It was run 100 times for each file size (1 Mb, 10 Mb, 50 Mb, 100 Mb, 500 Mb) and for each running method (command line and socket), recording the time taken to scan the file in milliseconds. Descriptive statistics (M = mean, SD = standard deviation, n = 100 per cell) are shown below; the graph is among the attachments.

      File size   Command line               Unix socket
      1 Mb        M = 16.738, SD = 5.384     M = 9.360,  SD = 2.150
      10 Mb       M = 35.148, SD = 13.890    M = 29.533, SD = 5.270
      50 Mb       M = 8.943,  SD = 2.898     M = 0.928,  SD = 0.229
      100 Mb      M = 8.967,  SD = 2.796     M = 0.619,  SD = 0.334
      500 Mb      M = 9.332,  SD = 3.101     M = 1.312,  SD = 0.388

      Note that, as printed, the 50 Mb and larger rows are an order of magnitude below the 1 Mb row, so the rows are not on one consistent scale; consult the attached pspp_stat.pdf for the raw figures. Bear in mind as well that both clamd and clamscan skip files above their MaxFileSize / MaxScanSize limits, so a fast result on a large file does not by itself show that the file was fully scanned.

      A two-sample t-test was applied to the groups of samples recorded for the same file under the two running methods. The result shows a significant difference at the 95% confidence level in every pair of groups compared. See the attached pspp_stat.pdf for detailed results.

        Attachments

        1. pspp_stat.pdf (31 kB)
        2. image-2018-07-03-15-01-51-765.png (33 kB)
        3. image-2018-07-03-14-58-35-285.png (12 kB)
        4. image-2018-07-03-14-58-28-313.png (12 kB)
        5. clamav-deamon.PNG (36 kB)
        6. clamav_stat.jpg (42 kB)

        People

        • Votes: 3
        • Watchers: 10

        Dates

        • Fix Release Date: 5/Dec/16