lonesomewalker
commented
3 years ago We also should keep an eye to commercial solutions like this: https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-file-storage-security.html
So somewhat API-like to say, uploads will be stored temporarily, uploaded to scanner. Then we have 2 options: If something found, delete and give user feedback/notify admin and get a backup of the upload.\ Or we could let the AV solution simply do the extraction and delete process (as for zip files).
Many institutions require any software they include to scan for viruses on uploaded files. ClamAV is an Open Source anti-virus that could be used for this. This is a composer-enabled library that allows us to use a ClamAV daemon or service for that: https://packagist.org/packages/xenolope/quahog
This scan should be implemented for any upload process (logo, stylesheets, SCORM, documents, dropbox, attachments to messages, etc).