[英]Process on ASP.Net server not running correctly over IIS
I am trying to run an antivirus scan on an uploaded file in an ASP.Net web app. 我试图在ASP.Net Web应用程序中的上传文件上运行防病毒扫描。 We are using Sophos so have access to their command line API sav32cli
. 我们正在使用Sophos,因此可以访问他们的命令行API sav32cli
。 In the code I use: 在我使用的代码中:
Process proc = new Process();
proc.StartInfo.FileName = @"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sav32cli.exe";
proc.StartInfo.Arguments = @"-remove -nc " + SavedFile;
proc.StartInfo.Verb = "runas";
proc.Start();
proc.WaitForExit();
int exitCode = proc.ExitCode;
When stepping through the code, when attached to the w3wp
process on dev server, the code just jumps from one line to the next seemingly doing nothing at all. 当单步执行代码时,当连接到开发服务器上的w3wp
进程时,代码只是从一行跳到另一行似乎什么都不做。 When running from code on dev server, it performs as expected scanning file and deleting if it is seen as a virus. 从dev服务器上的代码运行时,它会执行预期的扫描文件并删除它是否被视为病毒。
The server is running IIS 8.0, and the app built in .Net Framework 4. I have changed the machine config to allow the process to run as SYSTEM account, in accordance to these instructions. 服务器正在运行IIS 8.0,以及.Net Framework 4中内置的应用程序。我已根据这些说明更改了机器配置以允许进程作为SYSTEM帐户运行。 https://support.microsoft.com/en-us/kb/317012#%2Fen-us%2Fkb%2F317012 https://support.microsoft.com/en-us/kb/317012#%2Fen-us%2Fkb%2F317012
<processModel userName="SYSTEM" password="AutoGenerate" />
Is there something I'm missing? 有什么我想念的吗? What is the best practice for this kind of implementation? 这种实施的最佳实践是什么?
EDIT : When called, the Process
returns an ExitCode
of 2 (Error stopped execution), rather than the expected 0 (Scan worked, no viruses), or 3 (Scan worked, viruses found). 编辑 :当调用时, Process
返回一个ExitCode
为2(错误停止执行),而不是预期的0(扫描工作,没有病毒),或3(扫描工作,发现病毒)。
EDIT 2 : As per comment below I changed the code to: 编辑2 :根据下面的评论,我将代码更改为:
Process proc = new Process();
proc.StartInfo.FileName = @"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sav32cli.exe";
proc.StartInfo.Arguments = @"-remove -nc " + SavedFile;
proc.StartInfo.RedirectStandardOutput = true;
proc.StartInfo.UseShellExecute = false;
proc.Start();
StringBuilder output = new StringBuilder();
while (!proc.StandardOutput.EndOfStream)
{
string line = proc.StandardOutput.ReadLine();
output.AppendLine(line);
}
proc.WaitForExit();
int exitCode = proc.ExitCode;
ASPxMemo2.Text = exitCode.ToString() + Environment.NewLine + output.ToString();
output
is always empty when run over IIS, but is populated correctly when running from code. 通过IIS运行时output
始终为空,但从代码运行时正确填充。
EDIT 3 : Instead of looking at StandardOutput
we looked at StandardError
and it revealed this error: 编辑3:与其看着StandardOutput
我们看StandardError
,它揭示了这个错误:
Error initialising detection engine [0xa0040200] (Possible insufficient user Admin rights.) 初始化检测引擎时出错[0xa0040200](可能用户管理员权限不足。)
For the time being we are going to move to another method of virus checking, but would still like to know a possible solution if anyone has it. 暂时我们将采用另一种病毒检查方法,但如果有人拥有它,我们仍然想知道一种可能的解决方案。
You will need to make sure that the application pool that is running your .NET application inside IIS has execute permissions to your file 您需要确保在IIS中运行.NET应用程序的应用程序池对您的文件具有执行权限
"C:\\Program Files (x86)\\Sophos\\Sophos Anti-Virus\\sav32cli.exe" “C:\\ Program Files(x86)\\ Sophos \\ Sophos Anti-Virus \\ sav32cli.exe”
You may also need to add this permission to the folder location where the file to be scanned is uploaded (c:\\temp) for example 您可能还需要将此权限添加到要上载文件的文件夹位置(例如c:\\ temp)
You may also need to have administrator privileges to run the anti virus scan since IIS8 does not run as an administrator. 您可能还需要具有管理员权限才能运行防病毒扫描,因为IIS8不以管理员身份运行。 When you are debugging visual studio uses your current logged in windows user(unless you use runas) so this will explain why it would work when debugging. 在调试时,visual studio使用当前登录的windows用户(除非你使用runas),这样就解释了为什么它在调试时会起作用。
Have you tried running your web process in elevated trust? 您是否尝试过提升信任度来运行Web流程?
Configuring .NET Trust Levels in IIS 7 在IIS 7中配置.NET信任级别
<system.web>
<securityPolicy>
<trustLevel name="Full" policyFile="internal"/>
</securityPolicy>
</system.web>
Most likely the permissions are not configured correctly on the content being scanned (the uploads
folder) or the worker process user doesn't have the full permissions it needs to use Sophos. 很可能在正在扫描的内容( uploads
文件夹)上没有正确配置权限,或者工作进程用户没有使用Sophos所需的完整权限。 You know the executable itself is accessible by the worker process because you are getting exit codes and error messages that are specific to Sophos. 您知道可执行文件本身可由工作进程访问,因为您将获得特定于Sophos的退出代码和错误消息。
Because your process will delete files that are perceived as threats you need to grant the user running the process modify
or full control
permissions on the folders that store the uploaded files. 由于您的进程将删除被视为威胁的文件,因此您需要授予用户对存储上载文件的文件夹运行进程modify
或full control
权限。
By default you could use the IIS_IUSRS
group for ApplicationPoolIdentity
processes, but you can verify (and modify) the user in IIS Manager > App Pools > Advanced. 默认情况下,您可以将IIS_IUSRS
组用于ApplicationPoolIdentity
进程,但您可以在IIS管理器>应用程序池>高级中验证(和修改)用户。
Here are some ideas: 以下是一些想法:
These are my 4 cents :-) 这些是我的4美分:-)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.