Troubleshooting on Virus Scanners

Owned by Hua Soon SIM [Akeles]
Last updated: Mar 23, 2020 by Stella
3 min read

Introduction

There are a number of issues that our users have encountered while setting up virus scanning feature with Attachment Checker. 

This will be useful when you are configuring the additional steps for anti-virus scanning.

Common Issues

The command line virus scanner is not compatible with Attachment Checker

SymptomsAn infected attachment uploaded but not detected by the Attachment Checker
Root cause

Attachment Checker have following requirements on 3rd party command line virus scanners

  1. The scanner should allow scanning of a single file
  2. The file to be scanned should be the last parameter 
  3. The scanner should return the exit code value 0 if there is no threat found. Other values if there is a possible infection
Solution

You can verify that the virus scanner is compatible by trying to scan eicar.txt 

The EICAR test file is a computer file used to test the response of computer antivirus (AV) programs.
Instead of using real malware, which could cause real damage, this test file allows people to test anti-virus software without having to use a real computer virus.

For a normal file
[jirauser@server jirauser]$ clamscan -v /opt/normal.txt
Scanning /opt/normal.txt
 
----------- SCAN SUMMARY -----------
Known viruses: 6779665
Engine version: 0.100.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 51.530 sec (0 m 51 s)

## It will return 0 exit code if the file is safe
[jirauser@server jirauser]$ echo $?
0

The following example using Clamscan illustrate the different behaviour

Please update the codes and clean up this page

For an infected file
[jirauser@server jirauser]$ clamscan -v /opt/EICAR.txt
Scanning /opt/EICAR.txt
/opt/EICAR.txt: Eicar-Signature FOUND
 
----------- SCAN SUMMARY -----------
Known viruses: 6779665
Engine version: 0.100.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 51.530 sec (0 m 51 s)

## It will return a non 0 exit code when an infected file is being scanned
[jirauser@server jirauser]$ echo $?
1

We do maintain a list of Compatible Antivirus Command Line Scanners. If you have any virus scanners that is not in the list, we will be glad to provide assistance

The user account running Jira/Confluence does not have permission to execute the scan

Symptoms

Got the error message 

[jirauser@server jirauser]$ clamscan /opt/onefile.txt
/opt/onefile.txt: Access denied. ERROR
----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)
Root Cause

This is because jirauser does not have permission to execute clamscan.

Solution

To grant permission to jirauser

usermod -a -G jirauser clamscan


The user account running Jira/Confluence does not have permission to read/write to

Symptoms

  • The following error in logged in the log files (atlassian-jira.log)

    ERROR: Can't open /var/log/jira_attachment_scan.log in append mode (check permissions!).
Root cause

  • This is because user has configured the additional options to write the scan results to another directory

    --log=/var/log/jira_attachment_scan.log

  • The directory is not inside the Jira home directory and the user account does not have write permissions

Solution

  • To grant read/write permission to the user (e.g. jirauser) for that file (e.g. /var/log/jira_attachment_scan.log)

    ## create an empty file if it does not exist
touch /var/log/jira_attachment_scan.log

## change the owner to the user account executing the scan
chown jirauser:jirauser /var/log/jira_attachment_scan.log

## grant the owner Read + Write permission to the file
chmod u+rw /var/log/jira_attachment_scan.log


Other Useful Tips

  1. Try to enable debug mode with the following package before uploading an attachment. Then you can check if there is any error in the atlassian-jira.log

    com.akelesconsulting.jira.plugins

  2.  Try to switch to the same user running the Jira server and then execute the same command to see if there is any errors

    su - jirauser

## example to scan /opt/jira-home/data/attachments/PROJECT/10000 using clamscan
clamscan /opt/jira-home/data/attachments/PROJECT/10000

Related information