Moodle / MDL-71627

Add check api for anti virus and optionally remove admin notifications

    • MOODLE_400_STABLE
    • MDL-71627-add-antivirus-check-api-and-notification-levels
      This patch introduces 2 features and 1 other change:
      1 - An antivirus status check which will show as ERROR (with additional information) when there has been a 'recent' scan error
      1.1 - 'Recent' is determined by a `threshold` value set in "Site administration > Plugins > Antivirus plugins > Manage antivirus plugins", which has been defaulted to 20 days
      2 - A new setting 'Notify Level' which will determine what types of notifications are sent as alerts. Previously this would send all types, but now the user can determine between alerts for 'threats' or alerts for 'threats and errors'. This defaults to notifying for all issues (detected threats and scanner errors).
      3 - Scan errors will now create a log entry (/report/loglive/index.php or /report/log/index.php with the 'Site errors' filter)

      Pre-requisites:

      • Have clamav installed on the system, and its database updated by running `freshclam`. Alternatively, use the docker image by running this command and waiting until all the updates have happened:

        docker run --name=clam --rm -p 3310:3310 mk0x/docker-clamav
        

      • Download the attached eiacarcom2.zip file (or https://www.eicar.org/?page_id=3950) for your testing purposes
      • Have real SMTP mail working or, alternatively, use MailCatcher to verify that all the expected mails are sent.

      Test INFO status for antivirus (feature #1)

      • From a clean install go to `/report/status`
      • Verify the `Status` of the `Antivirus` check is of type N/A (not available) and has the Summary of 'No antivirus scanners are currently enabled'

      Test OK status for antivirus (feature #1)

      • Click on `Manage antivirus plugins` link which should be an `Action` for the aforementioned item
      • Enable "ClamAV Antivirus" (Site administration > Plugins > Antivirus plugins > Manage antivirus plugins)
      • Go back to the `/report/status` page
      • Verify the `Status` of the `Antivirus` check has changed to OK and has the Summary of '1 antivirus scanner(s) enabled, no issues have been detected in the last 20 days'

      Testing ERROR status for antivirus (feature #1, #2)

      Scan Errors

      • Go to ClamAV settings `/admin/settings.php?section=antivirussettingsclamav`
      • Update `Command Line` path to `/usr/bin/clamscannothere`
      • Go to `/admin/settings.php?section=manageantiviruses`
      • Change the default notify level to `Notify when threats detected`
      • Upload the infected file (e.g. via Assignment submission)
      • You should see a dialog with text: "there is a problem with Antivirus scanning at the moment. Your xxxx file has not been uploaded". Close it.

      Check logs at `/report/loglive` (dependency for feature #1, feature #3)

      • You should see a new log entry with `Event Name` equal to `File scanner error`

      Check status page `/report/status` (feature #1)

      • You should see an error detected, and the count has gone up by one. You should also see an indication of the period of time the check is measured against.

      Check NO emails have been sent for this error (feature #2)

      • You should not receive any emails when this was triggered, due to the current setting of only notifying when threats are detected

      Testing scanner error notifications (feature #2)

      • Go to `/admin/settings.php?section=manageantiviruses`
      • Change the notify level to `Notify on threats and scan issues`
      • Re-upload the file again
      • You should receive an email with at least the following contents "A scanner error occured", the name of the file you tried uploading and additional information about the request

      Threat detected

      • Go to ClamAV settings `/admin/settings.php?section=antivirussettingsclamav`
      • Update `Command Line` path to `/usr/bin/clamscan` (or wherever your clamscan binary is) or, if using a docker instance, set up "TCP socket", hostname = localhost and port = 3310.
      • Upload the infected file again (e.g. via Assignment submission)

      Check logs at `/report/loglive` (current behaviour)

      • You should see a new log entry with `Event Name` equal to `File Infected`

      Check status page `/report/status` (feature #1)

      • You should see an error detected, but the count has stayed the same (since this only tracks scanner issues, not detected threats).

      Check that an email has been sent for this detected threat (current behaviour, checking feature #2)

      • You should receive an email which includes the contents `Infected file detected`

      When there is some sort of infrastructure failure for an underlying anti virus service and the admin notifications are on, then you just get a stream of emails, which isn't helpful.

      So proposing:

      1) Add a new check api so that if any upload fails an anti virus check for a reason which isn't an actual virus, i.e. a scanner problem, then store a timestamp somewhere

      2) If the timestamp is within some recency threshold then this will alert. A value like 20 mins is probably a sane value in production. In any high volume site this will alert constantly as uploads. The threshold can be an admin setting

      3) There also needs to be some convenient way to turn off all the notifications that were about the virus service while still allowing notifications about actual virus detection. So proposing to add a new admin setting notifylevel. 

      Ideally all of this is done at the anti virus system level and not at each antivirus plugin level.
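The check and notify-level logic proposed above, written out as an added stand-alone PHP model. This is not Moodle's code and does not use the core\check API; the config keys (`lastscanerror`, `scanerrorcount`, `threshold`, `notifylevel`), the status and level constants and the function names are assumptions chosen for illustration. It walks the same sequence as the testing instructions: N/A with no scanner enabled, OK with one, ERROR after a scanner error (with the count going up), mail suppressed or sent depending on the notify level, a detected threat that is mailed but leaves the scanner-error count unchanged, and recovery once the last error ages out of the threshold window. The recording and evaluation live at the antivirus-system level, not in a plugin, as the last paragraph asks for.

```php
<?php
// Added example, not Moodle code: a stand-alone model of the antivirus status
// check and notify-level gate proposed in MDL-71627. Config keys, constants and
// function names are assumptions for illustration, not Moodle's real settings.
// Run with: php antivirus_check_model.php
declare(strict_types=1);

const STATUS_NA = 'na';        // no scanner enabled
const STATUS_OK = 'ok';        // scanners enabled, no recent scanner error
const STATUS_ERROR = 'error';  // a scanner error inside the threshold window

const NOTIFY_THREATS = 'threats';  // mail admins on detected threats only
const NOTIFY_ALL = 'all';          // mail admins on threats and scanner errors

const EVENT_SCANNER_ERROR = 'scannererror';
const EVENT_THREAT_DETECTED = 'threatdetected';

/** Record a scan outcome at the antivirus-system level (plugin agnostic). */
function record_event(array $config, string $event, int $now): array {
    if ($event === EVENT_SCANNER_ERROR) {
        // What the proposal asks for: a timestamp (plus a count) of the last
        // upload that failed for a reason other than an actual virus.
        $config['lastscanerror'] = $now;
        $config['scanerrorcount'] = ($config['scanerrorcount'] ?? 0) + 1;
    }
    // A detected threat means the scanner worked; it is logged and notified
    // separately and does not count as a scanner issue.
    return $config;
}

/** Evaluate the check as the /report/status page would; threshold is in days. */
function evaluate_check(array $config, int $enabledscanners, int $now): array {
    if ($enabledscanners === 0) {
        return [STATUS_NA, 'No antivirus scanners are currently enabled'];
    }
    $thresholddays = (int)($config['threshold'] ?? 20);
    $lasterror = (int)($config['lastscanerror'] ?? 0);
    if ($lasterror > 0 && $now - $lasterror <= $thresholddays * 86400) {
        $summary = sprintf('%d scanner error(s) recorded, most recent at %s, within the last %d days',
            (int)($config['scanerrorcount'] ?? 0), gmdate('c', $lasterror), $thresholddays);
        return [STATUS_ERROR, $summary];
    }
    return [STATUS_OK, sprintf('%d antivirus scanner(s) enabled, no issues have been detected in the last %d days',
        $enabledscanners, $thresholddays)];
}

/** Notify-level gate: threats always mail; scanner errors only at NOTIFY_ALL. */
function should_notify(array $config, string $event): bool {
    if ($event === EVENT_THREAT_DETECTED) {
        return true;
    }
    return ($config['notifylevel'] ?? NOTIFY_ALL) === NOTIFY_ALL;  // default: notify on everything
}

function expect(bool $condition, string $step): void {
    if (!$condition) {
        throw new RuntimeException("Unexpected behaviour at step: $step");
    }
}

// Walk the testing-instruction sequence with a constructed clock.
$now = 1700000000;
$config = ['threshold' => 20, 'notifylevel' => NOTIFY_THREATS];

[$status] = evaluate_check($config, 0, $now);
expect($status === STATUS_NA, 'no scanner enabled');

[$status] = evaluate_check($config, 1, $now);
expect($status === STATUS_OK, 'scanner enabled, clean history');

// Broken clamscan path: scanner error; level is threats-only so no mail goes out.
$config = record_event($config, EVENT_SCANNER_ERROR, $now);
expect(!should_notify($config, EVENT_SCANNER_ERROR), 'scanner error is not mailed at threats-only level');
[$status, $summary] = evaluate_check($config, 1, $now);
expect($status === STATUS_ERROR && $config['scanerrorcount'] === 1, 'check reports ERROR, count is 1');

// Raise the level: the same kind of error now produces a mail.
$config['notifylevel'] = NOTIFY_ALL;
expect(should_notify($config, EVENT_SCANNER_ERROR), 'scanner error mailed at threats-and-errors level');

// Working scanner flags the EICAR file: mailed, but the scanner-error count does not move.
$config = record_event($config, EVENT_THREAT_DETECTED, $now + 60);
expect(should_notify($config, EVENT_THREAT_DETECTED), 'threat always mailed');
expect($config['scanerrorcount'] === 1, 'threats do not count as scanner issues');

// 21 days on, the last error is outside the threshold window and the check recovers.
[$status] = evaluate_check($config, 1, $now + 21 * 86400);
expect($status === STATUS_OK, 'error aged out of the threshold window');

echo "$summary\nall steps behaved as described\n";
```

One design point worth keeping when this is done for real: the threshold comparison uses the stored timestamp, not the count, so a burst of errors during one outage produces a single ERROR state that clears on its own once the window passes, while the count stays available as the "additional information" the status page shows.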

            Kevin Pham (kevinpham)
            Brendan Heywood (brendanheywood)
            Peter Burnett
            Eloy Lafuente (stronk7)
            Angelia Dela Cruz