[jboss-dev-forums] [Design of JBoss Collaboration Server] - JBCS & ClamAV Antivirus

sappenin do-not-reply at jboss.com
Thu Sep 14 11:33:11 EDT 2006


All,

I've written some code that integrates ClamAV with JBCS to provide server-side antivirus protection, and thought I'd share it with the community.  I'm putting together a page detailing how to install everything -- I'll post that shortly as well as the code I've written.

BACKGROUND
There are 3 components to JBCS Antivirus.  

First is ClamAV, a server-based, open-source antivirus project, which can be downloaded from their site, and will need to be installed.

Second and third are 2 JBCS MBeans (and a small tidbit of config XML to integrate this into JBCS).  The first is the ClamAV service MBean, which provides functionality that bridges JBCS/Java to the ClamAV daemon (running either locally or on a remote machine).

The second MBean is a JBCS MailListener that can be plugged into any of the JBCS mailListenerChains.

Unfortunately, ClamAV is not Java, and it provides only 2 facilities to scan for viruses:  1.) Scan a file; 2.) Scan a binary STREAM over a socket.

PRESENT CONSIDERATIONS
My implementation uses the latter via a network stream.  In my testing I have gotten everything working, although I am forced to scan a whole message at a time.  So, for example, if a given message has 3 message bodies, but only one is infected, the code will basically just report back that a virus was found (it doesn't specify in which message body).

There is another set of functionality that I have implemented which allows ClamAV to check a single message body at a time, such that in the example above, a message with 3 bodies, and only 1 infected, would report back which MessageBody ids are infected.  That way, the ClamAVMailListener code could lose the infected body but retain the un-infected bodies.  Unfortunately (again), in my testing of this, ClamAV does not detect a sample virus in this scenario.  I believe this is because ClamAV is designed to be able to scan an entire message, not individual message components.  Thus, if a Base64 encoded "attachment" is sent to ClamAV without the rest of the contextual information found in a MIME message, ClamAV does not know to "inspect" the Base64 data, and thus a virus signature is not detected.

Once JBCS has better MIME message support (Andy alluded to forking the MIME4j code) I should be able to get a MimeBody part, decode the base64 attachment (if it exists), and send that to ClamAV.  Thus, in version 2 of this plugin, we should be able to deal with infected message bodies individually.


MOVING FORWARD
For the moment, I would appreciate some information from the community as to how this should function:

1.) If a message has a single infection, but 1 or more uninfected message bodies, what should happen to the message?

2.) If a message has a single attachment that is infected, what should happen to the message?  Should it bounce?  Should it be "cleansed" (i.e., reset the subject, remove the infected body, and add a note in the message body saying that it was cleaned), or some other functionality?

Thanks!

David

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3971590#3971590

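To make the socket-stream facility described above concrete, here is an added example (written for this page, not David's MBean code) of a minimal clamd INSTREAM client in Java. `scanStream` sends a whole message to the daemon as the post describes, and `scanDecodedBody` sketches the "version 2" idea of decoding one Base64 body before scanning it. The class and method names are assumptions; what is real is the clamd protocol itself: the `zINSTREAM` command, length-prefixed chunks ended by a zero-length chunk, and a NUL-terminated reply of the form `stream: OK`, `stream: <signature> FOUND`, or `... ERROR` (clamd listens on TCP 3310 by default).

```java
import java.io.ByteArrayInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Hypothetical clamd INSTREAM client; not the JBCS ClamAV service MBean. */
public class ClamdStreamScanner {
    private final String host;
    private final int port;

    public ClamdStreamScanner(String host, int port) { this.host = host; this.port = port; }

    /** Streams the whole message (headers and all bodies) to clamd and returns the
     *  raw reply, e.g. "stream: OK" or "stream: Some-Signature FOUND". */
    public String scanStream(InputStream in) throws IOException {
        try (Socket sock = new Socket(host, port);
             DataOutputStream out = new DataOutputStream(sock.getOutputStream())) {
            sock.setSoTimeout(30_000);
            // 'z' prefix: command and reply are NUL-terminated rather than newline-terminated.
            out.write("zINSTREAM\0".getBytes(StandardCharsets.US_ASCII));
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) {
                out.writeInt(n);          // 4-byte big-endian chunk length
                out.write(buf, 0, n);
            }
            out.writeInt(0);              // zero-length chunk ends the stream
            out.flush();
            return readReply(sock.getInputStream());
        }
    }

    /** Version-2 idea from the post: decode one Base64 body, then scan the decoded bytes
     *  so clamd sees the attachment itself rather than opaque Base64 text. */
    public String scanDecodedBody(String base64Body) throws IOException {
        byte[] decoded = Base64.getMimeDecoder().decode(base64Body); // MIME decoder skips line breaks
        return scanStream(new ByteArrayInputStream(decoded));
    }

    /** True only for a positive detection; an "ERROR" reply (e.g. stream size limit
     *  exceeded) is neither clean nor infected and must be handled by the caller. */
    public static boolean isInfected(String reply) { return reply.endsWith("FOUND"); }

    private static String readReply(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        int c;
        while ((c = in.read()) > 0) sb.append((char) c); // stop at the NUL terminator or EOF
        return sb.toString().trim();
    }
}
```

A listener wired into a mailListenerChain would call `scanStream` on the serialized message and branch on `isInfected`; keep the chunk size below clamd's configured stream limit (StreamMaxLength) or the daemon answers with an ERROR instead of a verdict.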