Most anti-virus software causes a dramatic increase in disk IO and CPU Usage and Atlassian has recommended to limit virus scanning to certain directories
However, some organisations still dictate that virus scanner must be enabled.
The Hidden Risk
Apart from the performance overheads, some virus scanners delete the infected attachments silently in the backend after the file has been successfully uploaded.
The users will only realise after clicking on the link to download the attachments, which turns out to be a broken link.
The system admins will spend precious time to trace the issue and try to retrieve the deleted files from the backup archives.
This lack of feedback causes a risk that files with important information are lost forever.
When user tries to download the attachment, they will get the following errors.
The following error will be logged in the log file.
2019-06-04 15:46:10,914 WARN [conversion-thread-0-internal] [atlassian.confluence.pages.DefaultAttachmentManager] getAttachmentData Could not find data for attachment: Attachment: eicar.com.txt v.1 (5180376) angela - java.io.FileNotFoundException: /opt/confluence-home/attachments/ver003/191/58/5308441/117/180/5180367/5180376/1 (Operation not permitted)
How the Attachment Checker helps
On-access Scanner is enabled
- Admin can configure Attachment Checker to inform the app that there is an antivirus configured in the backend to scan for virus whenever files are being uploaded.
- Whenever a file is uploaded, Attachment Checker will check if the file has been uploaded successfully.
- If the file is missing, it will post a comment to the Confluence page to inform the user so that appropriate action can be taken.
On-access Scanner is disabled
- Admin can configure Attachment Checker to execute a command line scan for the file.
- Whenever a file is uploaded, Attachment Checker will execute a scan using the configured path and options only on the file.
- This reduces the amount of CPU load by scanning only once for each uploaded file.
- If the attachment is infected, it will post a comment to the Confluence page to inform the user so that appropriate action can be taken.