No virus detection with desktop-client upload

[Poldi1977]

Steps to reproduce

1. Downloaded eicar.com eicar.com.txt test viruses,
2. Copied to nextcloud home folder and synced immediately with server over nextcloud-client
3. Viruses doesn't get deleted, able to copy files
4. Tried same upload from chrome web browser, upload fails, system warns about virus detection and deletes file.

Expected behaviour

The uploaded file should be rejected.

Actual behaviour

The uploaded file is stored in Nextcloud.

Operating system: Ubuntu 20.04.3 LTS

Web server: Server version: Apache/2.4.41 (Ubuntu) Server built: 2022-01-05T14:49:56

Database: 10.3.32-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

PHP version: PHP 7.4.3

Nextcloud version: (see Nextcloud admin page) 23.0.0

[Hudratronium]

To be honest I am not sure if this really is a bug. As much as I like the idea of scanning files uploaded / synched via the desktop client, I guess this will not work / wasn't in scope of the virusdetection app. Problem from my point of view is, that the actual transfer process is handled by the syncronization tool "csync (?)". So you would need to implement a "scan" during the sync-phase(basically pass the synched file to anitvir for check and use is afterwards) or after every successfully synching you would need to call the scan. BUT you have keep in mind, that synching is a different usecase then "uploading". Normally users are working locally with the files. Every "auto-save" would be concidered as a new "upload" and the scan has to be performed. That could have quiet huge impact on the overall performance.

Takeing a look into propriatry solutions I am not aware that kind of this feature is availeable.

Mitigation could be using something like "on-access" scanning from clamAV. However: This will not block infected files to be transfered to the nextcloud hub and also will have huge impact on the needed performance.

[meonkeys]

Probably the same issue with mobile as well, yes?

[Hudratronium]

@meonkeys Guess so as it is "synching".

[joshtrichards]

I think these files are likely still caught via the background job that looks for unscanned files to scan that way. I believe it runs every 15 minutes. That is, if you have it enabled.

[Hudratronium]

It should be enabled by default if i understand the docs correctly.

How ever: In a kind of 'worst-case szenario' the infected file is availeable for 15 (time depending on settings) minutes on the system and can spread, be shared, part of running backups .... As written above this seems to be one of the "risks" to take when offering a synch. What would be even more interesting is the usecase of "webdav" - as this is a interface which can't be 'easily' deactivated....

[meonkeys]

I think these files are likely still caught via the background job that looks for unscanned files to scan that way. I believe it runs every 15 minutes. That is, if you have it enabled.

True, just seems more consistent/ideal to always scan everything upon upload, regardless of how it was uploaded. Probably more of an issue for business/enterprise since that would likely be a compliance requirement / etc.

Also, mine is configured to just log on detection, so the upload vs. background-detected behavior is different (infected uploads are immediately blocked and deleted).

[kesselb]

Still relevant?

I'm unable to upload an eicar test file with the desktop client, files_antivirus and clamav via tcp.

[meonkeys]

I don't get the antivirus warning when I use the desktop client or webdav (via GNOME Nautilus/Files app) to upload an eicar test file. I do get a warning when I try to upload it directly via the web UI.

I'm using: nc server 29.0.1 (in a container), antivirus for files 5.5.4, clamav 1.0.x, desktop client 3.13.0 on a 64-bit Ubuntu 22.04 LTS desktop.

[kesselb]

My screenshot is from the desktop client main dialog. I didn't get a warning either, but the file was not uploaded. Was the eicar test file uploaded?

[meonkeys]

Was the eicar test file uploaded?

Yes

[kesselb]

Desktop, Mobile and Web Client all use webdav to upload files and files_antivirus does add a wrapper around the filesystem to implement the check therefore it should behave the same.

Did you spot something in your logs when you upload such a file?

[meonkeys]

Did you spot something in your logs when you upload such a file?

Ha, I was just about to ask you the same thing... if the reason for the "Forbidden" (HTTP 403, I guess?) you shared in that screenshot is actually a virus detection event, you should see that in your logs, right? Do you? Will you also share your versions/setup so we can try to spot any meaningful differences there?

Anyway, in my case, when I drop an eicar test file in a sync'd folder and let the desktop client upload it, I see what I normally see server-side when a file is uploaded: one info-level message in audit.log: File updated: "/tmp/eicar-test.txt" and one more: File written to: "/tmp/eicar-test-12754.txt". It'll be detected later in a background virus scan and I'll get a warning notification then (per earlier comments from others).

[st3iny]

I did some testing and it seems to ignore files uploaded via the bulk endpoint. The storage wrapper is not triggered when a file is uploaded via this endpoint.