  1. Moodle
  2. MDL-66222

Add admin options for how to handle detected viruses


    • MOODLE_310_STABLE
    • MOODLE_310_STABLE
    • MDL-66222-antivirus-reporting

      The patch introduces 2 features:

      1. An email address: receive notification when an infected file is detected
      2. Quarantine folder: store the infected files.

      Enable Clamav

      1. Install clamav, update definition database
      2. Enable clamav on Moodle site: Site administration > Plugins > Antivirus plugins > Manage antivirus plugins 
      3. Specify path to clamscan: Site administration > Plugins > Antivirus plugins > ClamAV antivirus 

      Email address setting

      1. Set up email: https://docs.moodle.org/38/en/Mail_configuration
      2. Go To Site Admin > Plugin > Antivirus > Manage Antivirus plugins
      3. Specify "Antivirus alert email" to receive notification
      4. Download the attached eicarcom2.zip file (or https://www.eicar.org/?page_id=3950) for your testing purposes
      5. Upload the infected file (using Assignment Submission)

      Expected behavior:

      1. An email is sent to the specified address with the details of the incident.
      2. The incident details should include filename, file size, content type, content hash, author, IP, REFERER, Date, and scanning result

      Scan files

      1. Go To Site Admin > Plugin > Antivirus > Manage Antivirus plugins
      2. Enable quarantine.
      3. Specify the 'Maximum quarantine time': 5 minutes
      4. Upload the infected file
      5. Go To Site Admin > Report > Antivirus failures
      6. Download a zip file
      7. Download All zip files
      8. Delete a zip file
      9. Run the scheduled task "\core\task\antivirus_cleanup_task": https://docs.moodle.org/38/en/Scheduled_tasks#Running_individual_tasks

       

      Expected behavior:

      1. The downloaded zip file should include a *_details.html file and the infected file.
      2. The *_details.html should include filename, author, IP, REFERER, Date, and scanning result
      3. Downloaded "All zip files" should include all the zip files in the table.
      4. Zip files for incidents that happened more than 5 minutes earlier should be deleted
      5. Deleting quarantined files does not remove the infected file/data records, so the records are still displayed in the table
      6. There are no action icons (download/delete) for records without a physical file

       

      Email regression testing

      Error as virus emails:

      1. Visit the ClamAV virus settings at Site Administration > Antivirus > ClamAV
      2. Set the 'On ClamAV failure' control to 'Treat files like viruses'
      3. Now change the path to clam to something broken 'usr/bin/nothere'
      4. Now in another tab, upload a good file into the private files area.

      Expected behaviour

      1. An email will be received that looks very similar to the first email for an infected file.
      2. The upload will show an error saying that the file is infected.
      3. The header of the email will state 'Infected file detected'
      4. It will contain the error message returned from ClamAV: 'Clamav scanning has tried 1 time(s).
        Path to ClamAV, /usr/bin/nothere, is invalid.'
      5. Only one email will be received; there are no duplicate messages, one for the error and then another for the infected file.

       

      Errors OK emails:

      1. Visit the ClamAV virus settings at Site Administration > Antivirus > ClamAV
      2. Set the 'On ClamAV failure' control to 'Treat files as OK'
      3. Now in another tab, upload a good file into the private files area.

      Expected behaviour:

      1. An email will be received that contains all of the same details as the above email.
      2. The upload will be allowed to go through.
      3. The header for the email will state 'Scanner error occurred'
      4. The subject for the email will state 'Scanner error occurred'
      5. The error message returned from ClamAV will be displayed the same.

       

      Deny Upload emails:

      1. Visit the ClamAV virus settings at Site Administration > Antivirus > ClamAV
      2. Set the 'On ClamAV failure' control to 'Refuse upload, try again'
      3. Now in another tab, upload a good file into the private files area.

      Expected behaviour:

      1. An email will be received that contains all of the same details as the above email.
      2. The upload will be denied, with an error stating to try again.
      3. The header for the email will state 'A scanner error was detected'
      4. The contenthash, filesize and filetype will all state unknown, as the file was not uploaded.
      5. The error message returned from ClamAV will be displayed the same.
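
The "Scan files" expectations above (each quarantine zip holds a *_details.html plus the infected file, and the details page lists the named fields) can be checked mechanically on a downloaded archive. This is an added example, not Moodle's code: the member names in the constructed sample are hypothetical, and it assumes the field names appear as label text in the HTML.

```python
import io
import re
import zipfile

# Fields the test plan expects in *_details.html. Matching them as
# case-insensitive label text is an assumption about the report format.
REQUIRED_FIELDS = ("filename", "author", "ip", "referer", "date", "scanning result")


def check_quarantine_zip(data):
    """Return a list of problems found in one quarantine zip (empty = pass).

    Members are read in memory only; nothing is extracted to disk, so the
    quarantined sample is never written out where it could be opened.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        details = [n for n in names if n.endswith("_details.html")]
        samples = [n for n in names if n not in details]
        if len(details) != 1:
            problems.append(f"expected one *_details.html, found {len(details)}")
        if not samples:
            problems.append("quarantined file is missing from the archive")
        for name in details:
            html = zf.read(name).decode("utf-8", errors="replace")
            # Strip tags so labels are matched as whole words in visible text.
            text = re.sub(r"<[^>]+>", " ", html).lower()
            for field in REQUIRED_FIELDS:
                if not re.search(rf"\b{re.escape(field)}\b", text):
                    problems.append(f"{name}: missing field '{field}'")
    return problems


def build_sample_zip(fields, include_sample=True):
    """Constructed test input: a zip shaped like the one the plan describes."""
    rows = "".join(f"<tr><th>{f}</th><td>constructed value</td></tr>" for f in fields)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("1_details.html", f"<table>{rows}</table>")  # hypothetical name
        if include_sample:
            zf.writestr("1_upload.bin", b"constructed placeholder, not a real sample")
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample_zip(["Filename", "Author", "IP", "REFERER", "Date", "Scanning result"])
    print(check_quarantine_zip(good) or "OK")
```

To check a real download, pass the bytes of the zip saved from Site Admin > Report > Antivirus failures to `check_quarantine_zip`.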

       

       


      At the moment if a virus is detected then the file upload is stopped and that is the end of the process. We would like to add:

      a) a new admin setting which will email someone when this happens with details of the dud file

      b) and / or add a new callback so that other behaviors can be added, i.e. an admin tool that allows retrieval of the file for analysis

        1. eicarcom2.zip (0.3 kB)
        2. image-2020-03-19-17-15-29-452.png (21 kB)
        3. Screenshot_1.png (74 kB)
        4. Screenshot_2.png (181 kB)
        5. Screenshot_3.png (114 kB)
        6. Screenshot_4.png (206 kB)

            peterburnett Peter Burnett
            brendanheywood Brendan Heywood
            Brendan Heywood Brendan Heywood
            Andrew Lyons Andrew Lyons
            Janelle Barcega Janelle Barcega