Antivirus Application

Last modified by Administrator on 2019/11/13 00:00

Protects attachments uploaded to XWiki pages by scanning them for viruses and malware infections.

Category: Application
Active Installs: 9
Rating: 1 vote
License: GNU Lesser General Public License 2.1

The Antivirus Application provides protection for the attachments that are uploaded to XWiki pages by scanning them for viruses and malware infections in 2 phases:

  • directly at upload time, canceling the upload operation in case an infected file is detected, thus not allowing the infected file to reach your wiki (and potentially infect any of your users that might download it)
  • periodically, once per week (configurable), by scanning all attachments on your wiki (including subwikis), in order to cover the case where a periodically updated virus database would now be able to detect a threat that was previously unknown

In order to scan each file, an antivirus engine is required that is able to perform the various checks and verifications, using different algorithms and an extensive virus database.

ClamAV is the leading open source antivirus solution. The Antivirus Application integrates it as its default antivirus engine, but other antivirus engines (e.g. from other well-known providers) can easily be implemented and configured for use by the Antivirus Application.

Configuration

Once the application is installed, the Antivirus administration section becomes available, with options for configuring the connection to the ClamAV antivirus server (the default option).

antivirus-administration.png

Upload Scanning

Once configured, the Antivirus Application starts preventing users from attaching infected files to your wiki's pages.

antivirus-upload.png

Periodical Scanning

Whenever an infected attachment is detected during the periodical scan, it is immediately deleted, in order to neutralize the threat. You might ask why it doesn't disinfect the file. ClamAV's FAQ explains the reason for not attempting this. The short answer is that most of the time, infected files are compromised beyond recovery and whatever is left after disinfection is either corrupted or dangerous.

At the end of each periodic scan, a report email is generated and sent to all main wiki admins. The report contains the following information:

  • Infected attachments that were detected and automatically deleted
  • Infected attachments that failed to be deleted (i.e. might still be a threat), if any
  • Errors that occurred during the scan of some attachments

antivirus-job-email-report-infections.png

To configure how often the periodic scan is performed (default is once per week), edit the "Antivirus Job"'s "cron expression" from the Scheduler Application's jobs index.

Incidents Log

Each incident, whether detected during upload or during a Scheduled Scan, is recorded in the Antivirus Log, which is displayed in the same Administration section.

antivirus-administration-incidentsLog.png

Each incident can be inspected by an admin.

antivirus-incidentsLog-incident.png

Each incident can be deleted individually or all incidents can be deleted at once, using the actions available in the incidents livetable.

Installation Steps

This paid extension requires XWiki 8.4 or above. To install it, follow the steps below inside your XWiki instance (on cloud or on premise).

Navigate to the Extension Manager

In the Applications Panel click on "More Applications..." and then "Install new applications...". Alternatively navigate directly to the Administration and select the "Extensions" section.

step1.png

Install the Extension

Search for the extension you wish to install and use the Install button to install it.

step2.png

Get a License

Navigate to the "Licenses" section of the Administration, fill in your details, look for the extension you just installed in the live table and click the buttons to get a trial license or to buy a license.

step3.png

Install the License

If you have selected a trial license then you're good and there's nothing else to do. Your trial license is automatically installed.

However if you've selected to buy a license you'll be redirected to a page to perform the payment. At the end you need to come back to the "Licenses" administration section and click on the "Check for Updates" button. This will download and apply the license you bought.

Use the Extension

Start using the Extension! Refer to the extension's documentation to know how to use it.

Installing the ClamAV Server

If you are using a different antivirus engine, you can skip this section, but you still have to make sure the server corresponding to the engine you use is properly configured before trying to use it.

Going further, you will need to install the ClamAV server to accept network connections from XWiki's integration. There are many guides that you can refer to for installation, depending on your operating system. Examples:

The main process is the following:

  • Install the clamav daemon (clamd)
    • Configure /etc/clamd.d/scan.conf by making the following changes (if not already done by the installation scripts)
      • Comment out the Example line, so that it reads #Example
      • Uncomment the following line: TCPSocket 3310 (use whatever port you like or leave the default)
      • Uncomment the following line: TCPAddr 127.0.0.1 (use 127.0.0.1 if clamd is installed on the same machine as the XWiki instance, or the server's network IP address if it accepts connections from that network)
    • Make sure the clamd service is enabled (to be loaded at boot)
    • Note: Running the clamd server will increase RAM usage by 300MB, due to the AV database that is loaded in memory and ready to be used when a request comes in.
  • Install the freshclam update service, update the virus database and enable the freshclam service to keep the database up to date (by default, checks for update every 2 hours).
    • Configure /etc/freshclam.conf
      • Comment out the Example line, so that it reads #Example
      • Optionally, use a different update schedule by uncommenting the #Checks 24 property and setting the preferred value (e.g. 4, which should be enough)
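
clamd's TCP socket accepts commands without authentication, so the TCPAddr it binds to decides who can reach the scanner. The check below is an added example, not part of the XWiki documentation: it audits a clamd config file for the settings listed above; the function names are hypothetical, the sample config is constructed, and the probe assumes nc is installed.

```shell
#!/bin/sh
# Added example: audit a clamd config for the settings described above.

# Print every active (uncommented) value of directive $2 in file $1.
conf_values() {
    awk -v key="$2" '$1 == key { print $2 }' "$1"
}

audit_clamd_conf() {
    conf=$1; rc=0
    # clamd refuses to start while the placeholder "Example" line is active.
    if grep -Eq '^[[:space:]]*Example[[:space:]]*$' "$conf"; then
        echo "FAIL: Example line is still active"; rc=1
    fi
    port=$(conf_values "$conf" TCPSocket | tail -n 1)
    addrs=$(conf_values "$conf" TCPAddr)
    if [ -z "$port" ]; then
        echo "FAIL: TCPSocket is not set, XWiki cannot connect over TCP"; rc=1
    elif [ -z "$addrs" ]; then
        # Without TCPAddr, clamd binds the port on every interface.
        echo "FAIL: TCPSocket $port without TCPAddr listens on all interfaces"; rc=1
    else
        for addr in $addrs; do
            case $addr in
                127.*|localhost|::1) echo "OK: loopback only ($addr port $port)" ;;
                0.0.0.0|::) echo "FAIL: TCPAddr $addr is a wildcard"; rc=1 ;;
                *) echo "WARN: listening on $addr, restrict port $port to the XWiki host" ;;
            esac
        done
    fi
    return $rc
}

# Liveness probe: clamd answers the PING command with PONG.
clamd_ping() {
    [ "$(printf 'PING\n' | nc -w 2 "$1" "$2")" = "PONG" ]
}

# Constructed sample: a config as shipped, before the edits described above.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
Example
#TCPSocket 3310
#TCPAddr 127.0.0.1
EOF
audit_clamd_conf "$demo_conf" || echo "shipped config still needs the edits above"
rm -f "$demo_conf"
```

Run audit_clamd_conf /etc/clamd.d/scan.conf after editing, then clamd_ping 127.0.0.1 3310 once the service is up.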

Making Sure You Receive Report Emails

In order to make sure the periodic scan infection report is properly sent, check the following steps:

  • that your wiki is capable of sending emails by having the main wiki's "Administration > Mail Sending" settings in working order
  • that both your user and others that wish to receive the report:
    • are part of the main wiki's XWiki.XWikiAdminGroup group
    • have filled in a valid email address in their user profile

Testing Your Installation

  • Download the EICAR "Standard Anti-Virus Test File" (whichever format you prefer) or use this direct link of the text format, for convenience. It is not a real virus, only a well-known sequence of codes that is an industry standard, used to safely obtain a basic "virus detected" response from an antivirus engine for testing or demo purposes. For more information, read about it on the European Institute for Computer Anti-Virus Research's website.
  • Try to upload the file to an XWiki page. It should fail with a generic error message like the following:

    antivirus-upload.png

    • The server logs should show more details along the following lines:
      WARN  ttachmentUploadedEventListener - Attachment [Attachment xwiki:Main.WebHome@eicar.com-testVirus.txt] found infected with [[Eicar-Test-Signature]] during event [org.xwiki.bridge.event.DocumentUpdatingEvent] by user [xwiki:XWiki.Admin]
      WARN  c.x.x.w.UploadAction           - Saving uploaded file failed
      com.xpn.xwiki.XWikiException: Error number 3201 in 3: An Event Listener has cancelled the document save for [xwiki:Main.WebHome]. Reason: [Virus or malware infections found for attachments [{Attachment xwiki:Main.WebHome@eicar.com-testVirus.txt=[Eicar-Test-Signature]}] uploaded by user [xwiki:XWiki.Admin]]
              at com.xpn.xwiki.XWiki.saveDocument(XWiki.java:1395) ~[xwiki-platform-legacy-oldcore-6.4.8.jar:na]
              ...
  • Now go to the main wiki's "Administration >> Antivirus" section and disable Antivirus scanning (i.e. set "Enabled" to "No")
  • Upload the test virus file to a wiki page again. This time it will work, because antivirus scanning is disabled and the (fake/test) virus goes undetected.
  • Go back to the main wiki's "Administration >> Antivirus" section and re-enable Antivirus scanning (i.e. set "Enabled" to "Yes")
  • Trigger a periodic scan by going to the main wiki's Scheduler index and triggering the "Antivirus job"
    • Observe the server logs where it should say that it deleted the previously uploaded fake virus file from both places:
      WARN  c.x.a.i.AntivirusJob           - Deleted infected attachments from document [xwiki:Main.WebHome]: [{eicar.com-testVirus.txt=[Eicar-Test-Signature]}] 
    • Check the Attachments tab of your wiki page to confirm the test virus file was deleted
    • Check your email for a report about the deleted infected attachment

      antivirus-job-email-report-infections.png
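
The log lines shown in the steps above can also be checked mechanically, for example to confirm the test run or to forward detections to log monitoring. This is an added example, not part of the XWiki documentation; the function names are hypothetical and the sample log is constructed from the lines above with made-up timestamps.

```shell
#!/bin/sh
# Added example: extract Antivirus Application detections from the server log.

# Emit one "kind|target|detail|user" record per detection line in file $1.
# detail is the signature list for blocked uploads and the
# file=[signature] map for attachments deleted by the periodic scan.
av_incidents() {
    sed -n \
      -e 's/.*Attachment \[Attachment \([^]]*\)\] found infected with \[\[\([^]]*\)\]\] during event \[[^]]*\] by user \[\([^]]*\)\].*/upload-blocked|\1|\2|\3/p' \
      -e 's/.*Deleted infected attachments from document \[\([^]]*\)\]: \[{\(.*\)}\].*/scan-deleted|\1|\2|-/p' \
      "$1"
}

# Succeed only if the log shows both outcomes the test procedure expects
# for signature $2: a blocked upload and a deletion by the periodic scan.
verify_av_test() {
    records=$(av_incidents "$1")
    printf '%s\n' "$records" | grep -F "$2" | grep -q '^upload-blocked|' || return 1
    printf '%s\n' "$records" | grep -F "$2" | grep -q '^scan-deleted|'
}

# Constructed sample log (timestamps are invented).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
2019-11-13 10:00:01 WARN  ttachmentUploadedEventListener - Attachment [Attachment xwiki:Main.WebHome@eicar.com-testVirus.txt] found infected with [[Eicar-Test-Signature]] during event [org.xwiki.bridge.event.DocumentUpdatingEvent] by user [xwiki:XWiki.Admin]
2019-11-13 10:00:01 WARN  c.x.x.w.UploadAction           - Saving uploaded file failed
2019-11-13 10:05:42 WARN  c.x.a.i.AntivirusJob           - Deleted infected attachments from document [xwiki:Main.WebHome]: [{eicar.com-testVirus.txt=[Eicar-Test-Signature]}]
EOF
av_incidents "$sample_log"
verify_av_test "$sample_log" Eicar-Test-Signature && echo "test procedure confirmed"
rm -f "$sample_log"
```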

Options

The price is per year and varies depending on the support level and the number of users.

Support / Users 10 25 50 100 250 500 1000 2500 5000 10000 20000
Silver

Benefits

What do you get when you purchase an XWiki extension?

1 year license

By purchasing an XWiki extension license, you'll benefit from it during one year.

Free updates

You benefit from all the extension updates during one year. You are always up to date.

Support included

If you are facing an issue, you can reach the XWiki support. Our team is always available to help.

How to Buy

To buy, install this extension from inside your XWiki instance and follow the instructions.

Release notes

v1.2.6

Update the Licensing dependency to version 1.14.4.

v1.2.5

Bugs fixed:
#17 The license is not found anymore after a server restart.

v1.2.3

Bugs fixed:
#15 Main wiki configuration changes are ignored in subwikis.

Improvements:
#16 Add start and end date in the scheduled scan report.

v1.2

Improvements:
#12 Option to always send scheduled scan reports, even when no infections are detected.
#13 Include attachments that failed to be scanned in the scheduled scan report.

v1.1

Bugs fixed:
#3 Multiple Scheduled Scan detections fail to send report email.

New features:
#9 Incidents log.

v1.0

Improvements:
#3 Make it a paid app that is installable with EM (without patches).

v0.2

Improvements:
#1 Translate the application.
#2 Use 'xform half' on the administration form.

Extension details

This information is only displayed to Administrators. Your users can't see this tab.

License

  • GNU Lesser General Public License 2.1

Type

  • xar

Compatibility

  • Requires XWiki 8.4 or above.
Installable with the Extension Manager

Dependencies

  • com.xwiki.antivirus:application-antivirus-clamav-api 1.2.6
  • com.xwiki.antivirus:application-antivirus-ui 1.2.6
  • org.xwiki.platform:xwiki-platform-uiextension-api 9.2
  • org.xwiki.platform:xwiki-platform-localization-script 9.2
  • org.xwiki.platform:xwiki-platform-csrf 9.2
  • com.xwiki.licensing:application-licensing-licensor-api 1.14.4
Created by Alex Cotiugă on 2018/10/16 17:23
XWiki SAS Copyright © 2019