  1. Moodle
  2. MDL-66222

Add admin options for how to handle detected viruses


    Details

    • Type: Improvement
    • Status: Waiting for peer review
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: Future Dev
    • Fix Version/s: None
    • Component/s: Administration
    • Testing Instructions:

      The patch introduces 2 features:

      1. An email address: receives a notification when an infected file is detected.
      2. Quarantine folder: stores the infected files.

      Enable Clamav

      1. Install clamav, update definition database
      2. Enable clamav on Moodle site: Site administration > Plugins > Antivirus plugins > Manage antivirus plugins 
      3. Specify path to clamscan: Site administration > Plugins > Antivirus plugins > ClamAV antivirus 

      Email address setting

      1. Set up email: https://docs.moodle.org/38/en/Mail_configuration
      2. Go To Site Admin > Plugin > Antivirus > Manage Antivirus plugins
      3. Specify "Antivirus alert email" to receive notifications
      4. Download the attached eiacarcom2.zip file (or https://www.eicar.org/?page_id=3950) for your testing purposes
      5. Upload the infected file (using Assignment Submission)

      Expected behavior:

      1. An email is sent to the specified address with the details of the incident.
      2. The incident details should include filename, file size, content type, content hash, author, IP, REFERER, Date, and scanning result

      Scan files

      1. Go To Site Admin > Plugin > Antivirus > Manage Antivirus plugins
      2. Enable quarantine.
      3. Specify the 'Maximum quarantine time': 5 minutes
      4. Upload the infected file
      5. Go To Site Admin > Report > Antivirus failures
      6. Download a zip file
      7. Download All zip files
      8. Delete a zip file
      9. Run the scheduled task "\core\task\antivirus_cleanup_task": https://docs.moodle.org/38/en/Scheduled_tasks#Running_individual_tasks

       

      Expected behavior:

      1. The downloaded zip file should include a *_details.html file and the infected file.
      2. The *_details.html should include filename, author, IP, REFERER, Date, and scanning result
      3. Downloaded "All zip files" should include all the zip files in the table.
      4. Zip files for incidents that happened more than 5 minutes earlier should be deleted
      5. Deleting quarantined files does not remove the infected file/data records, so the records are still displayed in the table
      6. There are no action icons (download/delete) for records without a physical file
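
A tester-side check for expected behaviours 1 and 2 above, as an added example that is not part of the MDL-66222 patch or Moodle's own code. The member names inside the zip, the label text in the report and all sample values are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Fields the testing instructions expect in *_details.html. The label text in
# the real report is an assumption; adjust it to match the rendered file.
REQUIRED_FIELDS = ("filename", "author", "IP", "REFERER", "Date", "scanning result")


def check_quarantine_zip(data):
    """Return a list of problems in one quarantine zip (empty list = pass).
    Members are read in memory only, never extracted to disk."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        details = [n for n in names if n.endswith("_details.html")]
        payloads = [n for n in names if n not in details]
        if len(details) != 1:
            problems.append(f"expected 1 *_details.html, found {len(details)}")
        if len(payloads) != 1:
            problems.append(f"expected 1 quarantined file, found {len(payloads)}")
        for name in details:
            html = zf.read(name).decode("utf-8", errors="replace")
            for field in REQUIRED_FIELDS:
                # Whole-word match so "IP" is not satisfied by "test.zip".
                if not re.search(rf"\b{re.escape(field)}\b", html, re.I):
                    problems.append(f"{name}: missing field '{field}'")
    return problems


def build_sample_zip(details_html, with_payload=True):
    """Constructed stand-in for a zip downloaded from the report page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("1234_details.html", details_html)  # hypothetical name
        if with_payload:
            zf.writestr("1234", b"placeholder bytes, not a real sample")
    return buf.getvalue()


# Constructed sample report; all values are made up.
ROWS = [("Filename", "test.zip"), ("Author", "Student One"), ("IP", "192.0.2.10"),
        ("REFERER", "https://moodle.example/"), ("Date", "2020-01-01 10:00"),
        ("Scanning result", "Infected")]
GOOD_HTML = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in ROWS)

if __name__ == "__main__":
    print(check_quarantine_zip(build_sample_zip(GOOD_HTML)))
```

To check a real download, pass the bytes of the zip file to `check_quarantine_zip` on an isolated test machine.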

       

      Email regression testing

      Error as virus emails:

      1. Visit the ClamAV virus settings at Site Administration > Antivirus > ClamAV
      2. Set the 'On ClamAV failure' control to 'Treat files like viruses'
      3. Now change the path to clam to something broken 'usr/bin/nothere'
      4. Now in another tab, upload a good file into the private files area.

      Expected behaviour

      1. An email will be received that looks very similar to the first email for an infected file.
      2. The upload will show an error saying that the file is infected.
      3. The header of the email will state 'Infected file detected'
      4. It will contain the error message returned from ClamAV: 'Clamav scanning has tried 1 time(s).
        ClamAV has failed to run. The return error message was " An error occured". Here is the output from ClamAV:' Followed by scan details.
      5. Only one email will be received; there are no duplicate messages for the error, and then for the infected file.

       

      Errors OK emails:

      1. Visit the ClamAV virus settings at Site Administration > Antivirus > ClamAV
      2. Set the 'On ClamAV failure' control to 'Treat files as OK'
      3. Now in another tab, upload a good file into the private files area.

      Expected behaviour:

      1. An email will be received that contains all of the same details as the above email.
      2. The upload will be allowed to go through.
      3. The header for the email will state 'Scanner error occurred'
      4. The subject for the email will state 'Scanner error occurred'
      5. The error message returned from ClamAV  will be displayed the same.

       

      Deny Upload emails:

      1. Visit the ClamAV virus settings at Site Administration > Antivirus > ClamAV
      2. Set the 'On ClamAV failure' control to 'Refuse upload, try again'
      3. Now in another tab, upload a good file into the private files area.

      Expected behaviour:

      1. An email will be received that contains all of the same details as the above email.
      2. The upload will be denied, with an error stating to try again.
      3. The header for the email will state 'A scanner error was detected'
      4. The contenthash, filesize and filetype will all state unknown, as the file was not uploaded.
      5. The error message returned from ClamAV  will be displayed the same.

       

       

    • Pull Master Branch:
      MDL-66222-antivirus-reporting

      Description

      At the moment if a virus is detected then the file upload is stopped and that is the end of the process. We would like to add:

      a) a new admin setting which will email someone when this happens with details of the dud file

      b) and/or add a new callback so that other behaviors can be added, i.e. an admin tool that allows retrieval of the file for analysis


              People

              Assignee:
              peterburnett Peter Burnett
              Reporter:
              brendanheywood Brendan Heywood
              Peer reviewer:
              Brendan Heywood
              Integrator:
              Andrew Nicols
              Participants:
              Component watchers:
              Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
              Votes:
              4
              Watchers:
              12

                Dates

                Created:
                Updated:

                  Time Tracking

                  Estimated:
                  Not Specified
                  Remaining:
                  0 minutes
                  Logged:
                  1 day, 15 minutes