Virus scan of binary attachment

[TheTechArch]

Description

It is possible for orgs and users to attache binary files to instances of an app. We need to analyze if there is a need to perform virus scan of the binary files.

Likely to be wanted by NBIB as per comment:

PO statement:

Binary attachments shall be scanned for virus so that app owners and end users can have the confidence that binary attachments from Altinn have been scanned. This means that all binary attachments added to the app instance shall be checked for virus. After MVP there might be that we shall give the option for app owners to turn off virus scan, as we have already got an indication that app owners do not want us to do so. This however is not in scope for MVP and must be discussed with security team.

In scope

• Analyze if we need to perform virus scan or we can push that responsibility to the service owner.
• If needed, analyze what kind of products is available. (Open Source is the assumption)
• Is there any products in public cloud that can do this?

Acceptance criteria

• When an end user through UI or API is uploading one or more files, the attachment(s) is scanned for virus, if one or more files is identified as a file with virus, the end user should be notified that the file(s) was not uploaded as it was identified as file(s) with virus. It is accepted that all files are declined if only one of several files is infected.
• The implementation should not prevent us from expanding this functionality to only be for certain apps, meaning we might find out that the virus-check is something that the app-owner could decide themselves if they would like Altinn to perform or not.

Consideration

• Look at complete solutions that also

  • secure container building and deployments - for instance, https://anchore.com/ .
  • provide runtime detection
  • cost - how is the solution priced/scaled
  • easy to deploy and maintain
  • integrates with Sentinel/SIEM

• Possible products

  • https://www.attachmentscanner.com/
  • https://peterrombouts.nl/2019/04/15/scanning-blob-storage-for-viruses-with-azure-functions-and-docker/
  • https://www.clamav.net/
  • http://jasonhaley.com/post/Virus-Scan-File-Uploads-Using-Multi-Container-Web-App
  • Symantec Cloud Workload Protection for Storage

• Discarded

  • https://developers.virustotal.com/ - Not for commercial use.

• Other products

  • https://azure.microsoft.com/en-us/blog/advanced-threat-protection-for-azure-storage-now-in-public-preview/
  • https://www.trendmicro.com/azure/
  • https://www.sophos.com/en-us/solutions/public-cloud/azure.aspx

Analysis

Internal link to analysis document

Tasks

• [x] Analyze if we need to perform virus scan - Yes, it is needed
• [ ] Decide possible product
• [ ] Define archticture
• [ ] Create POC task
• [ ] Create build task

[lorang92]

Could be a duplicate of Altinn/altinn-studio#1365 ? Or is related to at least

[IneF]

@lorang92 it is related. It was created after discussing Altinn/altinn-studio#1365

[TheTechArch]

@lorang92 they are kind of related, but also independend of each. It is seperate decisions. Server side validation we need to implement. Virus scan we can decide not to do

[lvbachmann]

Check with Kulturrådet if they expect us to do a virus scan. @helenekri

[helenekri]

See the slack channel with Kulturrådet for information regarding virus scan :)

[lvbachmann]

Goal for Epic: Analysis of possible solutions to a point where we're ready to pick one.

[SandGrainOne]

There will be a discussion/meeting related to this issue in August. Putting it on ice until then.

[TheTechArch]

@alt-how do we have recommended files to verify virus scan at service owner?

[FinnurO]

Kan dette være en løsning; https://github.com/Altinn/app-lib-dotnet/issues/143 Eventuelt høre med UDI hvordan de skannet opplastede filer i forbindelse med Karantenehotell appen.

[ghost]

Vi gjør en ny runde med vurdering av aktuelle antimalware-løsninger. Det er et behov fra sluttbrukere, vår side og tjenesteeier sin side at dette er på plass. Ved forrige gjennomgang krevde løsningene mye tilpasning for å kunne analysere filvedlegg. Det må også ses i sammenheng med migrering fra Altinn 2.

[josteitv]

@alt-how Så fint at dere gjør en ny vurdering. Er det konkludert på hvilken løsning man lander på?

Et punkt dere bør ta med i vurderingen, som ikke tidligere er nevnt i denne saken, er hvordan valgt løsning påvirker databehandleravtalen. Dersom vedlegg skal sendes til en ekstern aktør for virus-scanning, vil jeg tro at dette påvirker avtalene som allerede er på plass.

[erik-nygren]

Skatteetaten ønsker også denne funksjonaliteten.

[FinnurO]

Patentstyret må ha denne

[tba76]

Virus scan er nå tilgjengelig i produksjon :)

https://github.com/Altinn/altinn-file-scan