Hi, I'm looking to put the best security on my web site, I'm looking to scan for viruses some file that the user can upload on the server. I have asked the technical support, they says I can't call the virus scan that they have on the server. So is there somebody who know how to do this on the discountasp.net server Thanks
There isn't any way to do that. My suggestion would be if you don't trust your users to upload clean files, don't allow file uploads.
You're kidding me I hope. It's a website, hackers are there to put your site down. And you are from the staff ??? I know it can be done if a virus scan is installed on the server, I understand that we don't have access to that because it's a shared server. But you could at least say me something like that. If I was saying I have trouble with sql injection would you be saying to me don't do sql. I'm really disappointed from this answer. Well if somebody else can give me more information Thanks in advance.
Hi, I used to do a "fudged" method for this on DASP servers. 1) I'd let anyone upload files that matched the file types and max size allowed. 2) I'd use the free File Explorer to grab the files and scan them locally. 3) If they passed I'd simply move the original files on the server to a public location. Not very painful and it was safe for all. The File Manager I speak of is: http://www.dasptv.com/avc-view.aspx?videoid=20&categoryid=1 All the best, Mark P.S. I used to run multinode support BBSes for Microsoft with file protocols that could scan live uploads. It's this current "stateless" internet that's killing us. </rant>
Thanks a lot for the answer, So if I understand well, you let the file go to the server and then you upload the file and scan it from your machine ? Some virus spread fast. I'm not sure it's so good for the server. If it is a lot in demand and simpler it would be simpler if discount asp add the virus scan to our account. Thanks If somebody have other solution ...
I think this is the type of framework you're talking about: http://www.opswat.com/products/metascan/metascan
Yes! Sometimes I say dumb things though. If you look at it as part of my charm it doesn't seem quite as annoying. My apologies. I don't think the suggestion was so far out of line though. Allowing a random site visitor to upload any kind of file they would like is just asking for trouble. I guess it depends on what these files are and what you're going to do with them. I think for this kind of workaround that wisemx suggested is the only reliable solution. Well that's pretty cool. It looks like it has to be installed at the server level though, so it wouldn't be an option here.
Yip I agree OPSWAT Metascan is a server based security framework. The Metascan core SDK product looks good for VPS or dedicated hosting platforms where you might have your own AV product installed and need an API for application development.
Yeah seems nice but I cant use the OPSWAT Metascan because it's needed to be install on the server like you have said. My application will allow logged user ton upload picture, I know that I can let them only upload some file type. But virus spread sometimes in strange files. So if somebody have another good solution, maybe a dll or something that I can add to my solution to do a simple scan OR a webservice that I can call and send the file to be scanned their. If somebody got something thanks a lot ! Another question, If one of my user import a virus, would the scan that's installed on the discountasp server would remove it ?
Ok, here's an off-the-wall suggestion: Develop your own webservice and host it locally. This webservice will support a method to receive a file for virus checking as serialized binary data. Sign up for a free dynamic dns service if you have a local dynamic IP e.g. http://www.no-ip.com/ Allow your user to upload a file to your website hosted on DASP When a file is uploaded to your hosted web app, pass it onto the locally hosted webservice for virus checking. When the file is received at the webservice it can be scanned with any AV product because the webservice will be able to call the AV process any way it needs to e.g. command line startup if necessary. Yes it is convoluted but could work if executed correctly. Warning: if the scenario you describe really is an issue for your application, there is a risk if you get this suggested implementation wrong that you could contract a local infection!
No. But it wouldn't be able to execute on the server. It would, however, still be downloadable by your visitors. We do have restrictions and limitations and our Tipping Point intrusion detection system (which also blocks bad requests, files, etc.), but most of those things work on the incoming traffic, not outgoing. A malicious image file would be difficult to stop, but CrystalCMS has a pretty good idea there. However you go about it, you're going to have to pull down the files and scan them locally.
