How to configure Virus Scanning of uploaded attachments

Background


The Attachment Checker allows all attachments to be checked with an external anti-virus scanner when they are uploaded.

This addresses the feature request raised in https://jira.atlassian.com/browse/JRA-8626 (Virus Scan Attachment)

Only the Confluence administrator can access this page.

When an attachment is added, a request is sent to scan the uploaded file. The request is handled asynchronously so that users need not wait for the scan to complete, especially if the file is large.

When a file is suspected to be infected, what happens next depends on whether the Delete Virus File option is enabled or disabled (as of v.1.4.0):

Handling of the infected file

Enabled:
  • The infected version is deleted and replaced with a placeholder
  • The placeholder is commented so that users can identify the version easily

User may delete the placeholder version of the file.

Rationale on why we use a placeholder

While we can delete the infected attachment, we are unable to determine where the attachment is being used. It could be a macro or rendered image on another page in another space. Thus, we decided to place a placeholder so that people can identify it easily. When the newer uninfected version is being uploaded, it will be able to render the content without requiring the users to update the Confluence page content.

Disabled (Default setting):

The infected file would not be removed automatically.

Notification by Comment

By default, the comment is created by the Anonymous user, so you do not need to create an account for the comment to be created.

Enabled: A comment to inform the user that an infected file has been detected and replaced with a placeholder

Disabled (Default setting): A comment to inform the user to delete the infected file

Page Content

When the user tries to open the infected file, it would be replaced with a placeholder.

How to set up the virus scanner


Please refer to the list of scanner paths needed for configuration.

The configured path calls a script, which in turn calls the scanner's exe file.

You could create a command file (e.g. scanner.cmd) containing this script with options, e.g.:

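@echo off
rem %~1 is the file path passed to this script, with any surrounding quotes removed
echo executing scan for %~1
rem -ScanType 3 selects a custom scan of the path given with -File
c:\progra~1\window~1\MpCmdRun.exe -Scan -ScanType 3 -File "%~1"
rem Save the scanner's exit code before another command can change it
set SCAN_RESULT=%ERRORLEVEL%
echo returning errorLevel = %SCAN_RESULT%
EXIT /B %SCAN_RESULT%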

The script above uses short (8.3) directory names. You can look up the short name of a directory with: dir /x

If the error level returned is not 0, the attachment is handled according to the Delete Virus File option.
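Because any non-zero error level marks the attachment as infected, a wrapper with a wrong path or bad options flags every upload. The following self-test is an added example, not part of the Attachment Checker: it runs a scanner command against a constructed clean file and the harmless EICAR test file and reports both exit codes. The script name and the way the command is passed on the command line are assumptions.

```python
import subprocess
import sys
import tempfile
from pathlib import Path

# Harmless industry-standard EICAR test string, split in two so that this
# source file is not itself flagged by a scanner.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-" + r"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def run_scanner(command, path):
    """Call the wrapper with the file path as its only argument and return the
    exit code (the error level that decides how the attachment is handled)."""
    result = subprocess.run(list(command) + [str(path)],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode


def self_test(command):
    """Scan a constructed clean file and an EICAR file; return codes and verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean.txt"
        clean.write_text("constructed clean sample\n")
        clean_rc = run_scanner(command, clean)

        sample = Path(tmp) / "eicar.txt"
        try:
            sample.write_text(EICAR)
            eicar_rc = run_scanner(command, sample)
        except OSError:
            eicar_rc = None  # on-access protection blocked the test file

    if clean_rc != 0:
        verdict = "flags clean files"   # wrong path or options: every upload looks infected
    elif eicar_rc is None:
        verdict = "test file blocked before scan"
    elif eicar_rc == 0:
        verdict = "misses test file"    # scanner ran but detected nothing
    else:
        verdict = "ok"
    return {"clean": clean_rc, "eicar": eicar_rc, "verdict": verdict}


if __name__ == "__main__":
    # Assumed usage: python scanner_selftest.py cmd /c C:\path\to\scanner.cmd
    print(self_test(sys.argv[1:]))
```

Run it before enabling the Delete Virus File option; only an "ok" verdict means the wrapper separates clean files from detections.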

