Infected files not flagged when additional options added in Attachment Checker Config

Background

We've used ClamAV on Linux as the virus scanner in this example (Reference: Additional steps for anti-virus scanning).


We created an infected file (EICAR.txt) and uploaded it to Jira/Confluence. However, this file is not flagged as infected.

Here is how we configured the virus scanner path and additional options (see Compatible Antivirus Command Line Scanners):

Jira

Confluence


Pre-requisite

  1. Turn on DEBUG logging for the following package:

    com.akelesconsulting.confluence.plugins.scheduler.job.VirusScanningJobRunner
  2. Upload the infected file into Jira/Confluence.
  3. Check whether any errors were written to atlassian-jira.log/atlassian-confluence.log, e.g.

    2018-12-28 12:18:00,908 DEBUG [Thread-56] [confluence.plugins.utilities.StreamGobbler] run ERROR>ERROR: Could not connect to clamd on LocalSocket /var/run/clamd.scan/clamd.sock: Permission denied
    2018-12-28 12:18:00,908 DEBUG [Thread-55] [confluence.plugins.utilities.StreamGobbler] run OUTPUT>
    2018-12-28 12:18:00,908 DEBUG [Thread-55] [confluence.plugins.utilities.StreamGobbler] run OUTPUT>----------- SCAN SUMMARY -----------
    2018-12-28 12:18:00,908 DEBUG [Thread-55] [confluence.plugins.utilities.StreamGobbler] run OUTPUT>Infected files: 0
    2018-12-28 12:18:00,908 DEBUG [Thread-55] [confluence.plugins.utilities.StreamGobbler] run OUTPUT>Total errors: 1
    2018-12-28 12:18:00,908 DEBUG [Thread-55] [confluence.plugins.utilities.StreamGobbler] run OUTPUT>Time: 0.000 sec (0 m 0 s)
    2018-12-28 12:18:00,909 DEBUG [AtlassianEvent::CustomizableThreadFactory-1] [confluence.plugins.listener.AsyncEventListenerImpl] scanAttachment download.jpg [9830401] - Failed virus scan
    2018-12-28 12:18:00,911 DEBUG [AtlassianEvent::CustomizableThreadFactory-1] [confluence.plugins.listener.AsyncEventListenerImpl] lambda$addComment$1 download.jpg [9830401] - Adding comment to page: Welcome to Confluence
    2018-12-28 12:18:03,221 ERROR [AtlassianEvent::CustomizableThreadFactory-1] [atlassian.confluence.event.ConfluenceEventDispatcher] lambda$getRunnable$1 There was an exception thrown trying to dispatch event [com.atlassian.confluence.plugins.mentions.api.ConfluenceMentionEvent[source=com.atlassian.confluence.plugins.mentions.NotificationServiceImpl@448e5597]] from the invoker [com.atlassian.confluence.event.ConfluenceListenerHandlersConfiguration$TimingListenerHandler$1$1@30de2795]
     -- url: /confluence/plugins/drag-and-drop/upload.action | traceId: 519bdf55d23be4a5 | userName: admin | referer: http://192.168.9.232:8090/confluence/pages/viewpageattachments.action?pageId=65541 | action: upload
    java.lang.RuntimeException: java.lang.NullPointerException
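
A scanner run that ends in an error still prints "Infected files: 0", as in the log above, so that count alone does not show the file is clean. The following is an added example, not part of the plugin or the original page: a shell function that reads the DEBUG log and prints one verdict per scanner run. It assumes runs are not interleaved in the log and that each run ends with a "Time:" line; the function names are hypothetical and the second run in the sample input is constructed.

```shell
#!/bin/sh
# Added example: classify each scanner run recorded in the Atlassian DEBUG log.
# Assumption: runs are not interleaved and every run ends with a "Time:" line.

scan_verdicts() {
    awk '
        # Scanner stderr is logged by StreamGobbler as "run ERROR>..."
        /StreamGobbler\] run ERROR>/  { errs++ }
        /run OUTPUT>Infected files: / { n = $0; sub(/.*Infected files: /, "", n); infected = n + 0 }
        # "Total errors" is present in the summary shown in the log above
        /run OUTPUT>Total errors: /   { n = $0; sub(/.*Total errors: /, "", n); errs += n + 0 }
        # "Time:" is the last summary line; emit the verdict and reset
        /run OUTPUT>Time: / {
            verdict = "CLEAN"
            if (errs > 0)     verdict = "SCANNER_ERROR"   # result says nothing about the file
            if (infected > 0) verdict = "INFECTED"
            print $1, $2, verdict
            errs = 0; infected = 0
        }'
}

# Sample input. Run 1 is shortened from the log on this page.
# Run 2 (Thread-61) is constructed for this example.
sample_log() {
    cat <<'EOF'
2018-12-28 12:18:00,908 DEBUG [Thread-56] [confluence.plugins.utilities.StreamGobbler] run ERROR>ERROR: Could not connect to clamd on LocalSocket /var/run/clamd.scan/clamd.sock: Permission denied
2018-12-28 12:18:00,908 DEBUG [Thread-55] [confluence.plugins.utilities.StreamGobbler] run OUTPUT>----------- SCAN SUMMARY -----------
2018-12-28 12:18:00,908 DEBUG [Thread-55] [confluence.plugins.utilities.StreamGobbler] run OUTPUT>Infected files: 0
2018-12-28 12:18:00,908 DEBUG [Thread-55] [confluence.plugins.utilities.StreamGobbler] run OUTPUT>Total errors: 1
2018-12-28 12:18:00,908 DEBUG [Thread-55] [confluence.plugins.utilities.StreamGobbler] run OUTPUT>Time: 0.000 sec (0 m 0 s)
2018-12-28 12:20:14,031 DEBUG [Thread-61] [confluence.plugins.utilities.StreamGobbler] run OUTPUT>/opt/EICAR.txt: Eicar-Signature FOUND
2018-12-28 12:20:14,031 DEBUG [Thread-61] [confluence.plugins.utilities.StreamGobbler] run OUTPUT>Infected files: 1
2018-12-28 12:20:14,031 DEBUG [Thread-61] [confluence.plugins.utilities.StreamGobbler] run OUTPUT>Time: 51.530 sec (0 m 51 s)
EOF
}

sample_log | scan_verdicts
```

To check a real log, feed it to the function on standard input, for example scan_verdicts < atlassian-confluence.log.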
    
    

Troubleshoot

Here are the attributes used in the examples below:

User who starts up the Confluence service: confluenceuser
Infected file location: /opt/EICAR.txt

Possible issues

If the troubleshooting guides listed here do not resolve your issue, send us a support ticket with your logs so that we can assist you further.



Does the user who starts the Jira/Confluence service have permission to execute the scan?

Run the following command in the terminal:

    [confluenceuser@011-007-c-206 root]$ clamscan -v /opt/EICAR.txt

This is the expected result:

    Scanning /opt/EICAR.txt
    /opt/EICAR.txt: Eicar-Signature FOUND

    ----------- SCAN SUMMARY -----------
    Known viruses: 6779665
    Engine version: 0.100.2
    Scanned directories: 0
    Scanned files: 1
    Infected files: 1
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 51.530 sec (0 m 51 s)

Solution: Add user permission to clamscan

Run the following command in the terminal:

    usermod -a -G <User> clamscan

e.g.

    usermod -a -G confluenceuser clamscan

Does the user who starts the Jira/Confluence service have permission to write into the scan log?

Is there a "Can't open ../X_attachment_scan.log" error thrown in your Atlassian log?

    ERROR: Can't open /var/log/confluence_attachment_scan.log in append mode (check permissions!).

Solution: Give write permission to the user

Run the following command in the terminal:

    chown -R <user>:<user> <file directory>

e.g.

    chown -R confluenceuser:confluenceuser /var/log/