  1. Moodle
  2. MDL-71627

Add check api for anti virus and optionally remove admin notifications


    Details

    • Testing Instructions:

      This patch introduces 2 features and 1 other change:
      1 - An antivirus status check which will show as ERROR (with additional information) when there has been a 'recent' scan error
          1.1 - 'Recent' is determined by a `threshold` value set in "Site administration > Plugins > Antivirus plugins > Manage antivirus plugins", which has been defaulted to 20 days
      2 - A new setting 'Notify Level' which will determine what types of notifications are sent as alerts. Previously this would send all types, but now the user can determine between alerts for 'threats' or alerts for 'threats and errors'. This defaults to notifying for detected threats only.
      3 - Scan errors will now create a log entry (/report/loglive/index.php or /report/log/index.php with the 'Site errors' filter)
       
      Pre-requisites:

      • Have clamav installed on the system, and its database updated via running `freshclam`
      • Download the attached eiacarcom2.zip file (or https://www.eicar.org/?page_id=3950) for your testing purposes
      • Enable clamav on Moodle site: Site administration > Plugins > Antivirus plugins > Manage antivirus plugins
         

      Test INFO status for antivirus (feature #1)

      • From a clean install go to `/report/status`
      • Verify the `Status` of the `Antivirus` check is of type INFO and has the Summary of 'No antivirus scanners are currently enabled'
         

      Test OK status for antivirus (feature #1)

      • Click on `Manage antivirus plugins` link which should be an `Action` for the aforementioned item
      • Enable "ClamAV Antivirus"
      • Go back to the `/report/status` page
      • Verify the `Status` of the `Antivirus` check has changed to OK and has the Summary of '1 antivirus scanner(s) enabled, no issues have been detected in the last 20 days'
         

      Testing ERROR status for antivirus (feature #1, #2)

      Scan Errors

      • Go to ClamAV settings `/admin/settings.php?section=antivirussettingsclamav`
      • Update `Command Line` path to `/usr/bin/clamscannothere`
      • Upload the infected file (e.g. via Assignment submission)
         

      Check logs at `/report/loglive` (dependency for feature #1, feature #3)

      • You should see a new log entry with `Event Name` equal to `File scanner error`
         

      Check status page `/report/status` (feature #1)

      • You should see an error detected, and the count has gone up by one. You should also see an indication of the period of time the check is measured against.
         

      Check NO emails have been sent for this error (feature #2)

      • You should not receive any emails when this was triggered, due to the default setting of only notifying when threats are detected
         

      Testing scanner error notifications (feature #2)

      • Go to `/admin/settings.php?section=manageantiviruses`
      • Change the default notify level to `Notify on threats and scan issues`
      • Re-upload the file again
      • You should receive an email with at least the following contents "A scanner error occured", the name of the file you tried uploading and additional information about the request
         

      Threat detected

      • Go to ClamAV settings `/admin/settings.php?section=antivirussettingsclamav`
      • Update `Command Line` path to `/usr/bin/clamscan` (or where your clamscan binary is)
      • Upload the infected file again (e.g. via Assignment submission)
         

      Check logs at `/report/loglive` (current behaviour)

      • You should see a new log entry with `Event Name` equal to `File Infected`
         

      Check status page `/report/status` (feature #1)

      • You should see an error detected, but the count has stayed the same (since this only tracks scanner issues, not detected threats).
         

      Check that an email has been sent for this detected threat (current behaviour, checking feature #2)

      • You should receive an email which includes the contents `Infected file detected`
    • Pull from Repository:
    • Pull Master Branch:
      MDL-71627-add-antivirus-check-api-and-notification-levels

      Description

      When there is some sort of inf failure for an underlying anti virus service and the admin notifications are on then you just get a stream of emails which isn't helpful.

      So proposing:

      1) Add a new check api so that if any upload fails an anti virus check for a reason which isn't an actual virus, ie then store a timestamp somewhere

      2) If the timestamp is within some recency threshold then this will alert. A value like 20 mins is probably a sane value in production. In any high volume site this will alert constantly as uploads. The threshold can be an admin setting

      3) There also needs to be some convenient way to turn off all the notifications that were about the virus service while still allowing notifications about actual virus detection. So proposing to add a new admin setting notifylevel. 

      Ideally all of this is done at the anti virus system level and not at each antivirus plugin level.
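
The status and notification rules described in the testing instructions and the proposal above, modelled as an added example (not code from the Moodle patch). The event names and the INFO/OK summaries come from this page; the `Event` class, the notify-level constants, the ERROR summary wording and the sample log are constructed for illustration.

```python
from dataclasses import dataclass

DAY = 86400
# Event names as shown in the log report on this page.
SCANNER_ERROR = "File scanner error"
THREAT = "File Infected"
# Hypothetical constants standing in for the two 'Notify Level' choices.
NOTIFY_THREATS = "threats"
NOTIFY_THREATS_AND_ERRORS = "threats_and_errors"


@dataclass
class Event:
    name: str
    time: int  # Unix timestamp of the log entry


def antivirus_status(events, now, enabled_scanners, threshold_days=20):
    """Return (status, summary) following the status-report rules above."""
    if enabled_scanners == 0:
        return "INFO", "No antivirus scanners are currently enabled"
    window = threshold_days * DAY
    # Only scanner failures inside the window count; detected threats do not.
    recent = [e for e in events
              if e.name == SCANNER_ERROR and 0 <= now - e.time <= window]
    if recent:
        # Summary wording here is constructed, not Moodle's string.
        return "ERROR", (f"{len(recent)} scanner error(s) "
                         f"in the last {threshold_days} days")
    return "OK", (f"{enabled_scanners} antivirus scanner(s) enabled, "
                  f"no issues have been detected in the last {threshold_days} days")


def should_email(event, notify_level=NOTIFY_THREATS):
    """Threats always notify; scanner errors only at the wider level."""
    if event.name == THREAT:
        return True
    return (event.name == SCANNER_ERROR
            and notify_level == NOTIFY_THREATS_AND_ERRORS)


# Constructed sample log: one stale error, one fresh error, one detection.
NOW = 1_700_000_000
SAMPLE = [
    Event(SCANNER_ERROR, NOW - 30 * DAY),
    Event(SCANNER_ERROR, NOW - 3600),
    Event(THREAT, NOW - 60),
]

if __name__ == "__main__":
    print(antivirus_status(SAMPLE, NOW, enabled_scanners=1))
    print([should_email(e) for e in SAMPLE])
```
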


              People

              Assignee:
              peterburnett Peter Burnett
              Reporter:
              brendanheywood Brendan Heywood
              Peer reviewer:
              Peter Burnett Peter Burnett
              Participants:
              Component watchers:
              Ruslan Kabalin