Scan Attachments For Viruses

This extension came about after some discussion of my previous extension:

https://vborg.vbsupport.ru/showthread.php?t=100933

That extension automatically zips files. Some users were concerned that this may allow a malicous user to upload a virus/trojan since the extension allows any file to be added to the archive. If you currently allow zip files to be uploaded, then the risk is already present with or without my zip extension.

I decided to write up this product that will scan all files uploaded (including archives) for viruses.

REQUIREMENTS:

Linux/Unix Server. Although it may be possible to run this on a Windows server, I have not tested it, and am unsure if it will work on that enviroment.

This extension REQUIRES that you install F-Prot on your server. All you really need is the command line scanner for workstations. The install is simple and does not require any compilation (at least it did not for me). You download the archive to your server, and un-tar it to a directory that VB will have access to. This does NOT require root access as no system files are modified. F-Prot is free for personal use, but your requirements may require a purchase. Please read the F-Prot license agreement for more details.

Safe Mode must be off. PHP must have access to the system command.

INSTALLATION

Installation of the product is simple, just install the product file in the admincp and then go to VBulletin Options -> Virus Scanning. Enter the COMPLETE path to F-Prot. For example:

/home/yoursite.com/www/somefolder/f-prot/f-prot

Please note, the name f-prot must be at the end of the path. This is the FILE NAME not the directory name.

You can test to see if it working by creating an eicar file:

http://www.eicar.org/anti_virus_test_file.htm

And try attaching it to a thread. Note, if you create a txt file, it will recognize it unless it is in an archive. The scanner understands that as a text file it is not a threat. Rename it to a .exe file if you want to test the archive scanning abilities.

The product will scan files inside of .zip, .cab, .tar, .gz, .izh and .arj files.

IF you are going to use this in conjuction with my zip extension, uninstall the zip plugin first, install this product, then re-install the zip plugin, this way the virus scan will happen before the attachments are archived.

I will support this as I can. Before you post any requests for help, please check your phpinfo (see maintenence in admincp) and make sure safe mode is off before posting here. If safemode is on, there really is not much I can do for you.

Please Click INSTALL!

[cheesegrits]

A single workstation license for f-prot for commercial use is only $29. If you can't afford $0.08c a day to protect your users ... well ... you probably aren't a commercial site and might as well use the freebie "home use" version!

Having said that, clamav is hands down a better product, and its free. So I certainly wouldn't object if Jafo happened to mod his mod to use it.

-- hugh

[cheesegrits]

Jafo,

For some reason I couldn't get the f-prot version of your mod to work - it just returns 126 regardless of what I'm scanning. I've tested on the command line, and f-prot itself is working fine, it recognizes eicar no problems.

So I took the liberty of changing your module to use the clamav API (phpclamavlib). It works fine. One nice feature of the clamav API is that the call returns the name of the virus it found, which I'm printing out in the error message.

Would you be interested in folding my changes into your module, and making it configurable between f-prot and clamav? If not, would you have any objections to me submitting a separate mod (something like vbClamBake!) with suitable props to you for the original coding?

I don't mind either way. The only issue I see is providing the instructions and support for people to get clamav and the API installed, which can be a little tricky. You may not want to open that can of worms.

I suppose I could use the clam command line instead, but this wouldn't tell us which virus was found. But it would mean the API wouldn't have to be installed, which is the biggest issue. Maybe it could be a three way choice - f-prot, clamav API or clamav command line.

Let me know what you think. I'm not trying to hijack your code here, I just much prefer clamav, and this seemed like the easiest way to give myself clamav scanning of uploads!

-- hugh

[Jafo232]

I would be interested in seeing your code. After I see it, I could probably give you a better answer.

[cheesegrits]

It couldn't be simpler ... it's essentially a one line change:

PHP Code:

$r = system($vbulletin->options['spath'] . ' -silent ' . $vbulletin->GPC['attachment']['tmp_name']["$x"],$t); 


... becomes ...

PHP Code:

$t = cl_scanfile($vbulletin->GPC['attachment']['tmp_name']["$x"]); 


Then if $t is not null, there was a virus. So the only other changes are in the test for $t, and adding the value of $t to the error message, to tell the user which virus they have.

Of course, there's the issue of installing clamav and the phpclamavlib module, which requires compilation and installing by steam. And of course because the API installs as a PHP module, it (typically) requires root access. So I'd see this particular modification as being for folk who run their own servers and already use clamav.

However, it would be trivial to change the original system() call to point to the 'clamscan' command line app instead, which would remove the need to install the php clamav API. It would just need a single upload of the clamscan binary, and I believe there are precompiled packages available for most flavors of UN*X. This would make it viable for hosted systems. The only real difference would be that it couldn't print the name of the virus it found.

In case I forgot to say it earlier, thanks for the module! Having virus scanning was an absolute show stopper for my new BB, and as a vB newbie, I wasn't looking forward to coding a module from scratch! I wouldn't even have made this change if f-prot had worked for me.

-- hugh

[Jafo232]

So basically that function needs to be compiled into PHP or did you put in a require/include anywhere in the code?

[cheesegrits]

It's a standard dynamic extension module, so it just needs editing of php.ini (or a file in /etc/php.d), and the module file goes in /usr/lib/php4 (or wherever). Doesn't need to be compiled in to PHP itself. And as a dynamic module, it doesnt need a requireinclude, the functions just become available as if they were built in to PHP. But it does obviously need root privs to install.

Of course if you used the clamscan command line via system(), instead of the module, it would just need that one executable somewhere httpd can find it. Although you'd still want the complete clamav install, for things like freshclam to keep the pattern db updated. Buit that's same-same for f-prot.

-- hugh

[ginger22]

How about correct work with last vBulletin releases?

[Alfa1]

Any chance on an update for vb 3.7?