
Front-End Antivirus Scan File Uploads

I want to scan files for viruses and malware before they are uploaded to the server. For example, once a user uploads a file, there should be a scanner to detect if there is a virus or malware and reject it immediately. Is there any way to scan a file before it's uploaded to the server, like using JavaScript or any software developer tools?

Thanks

Is there any way to scan a file before it's uploaded to the server? - Answer is NO, you have no control over the end user's operating system.

Adding to @Mjh, you can scan the file at the server, after it was uploaded.

Before uploading you can run some validations:

  1. Allow only file extensions that your application requires
  2. If the file extension is valid, then check the TYPE of the file, e.g. application/text, application/csv, etc.
  3. Upload should be done over a secure channel
  4. You can get an antivirus/malware detector in your hosting services
  5. Proper permissions on the folder where you move new files
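An added example (not code from any of the answers above) of what points 1, 2 and 5 look like on the server: the extension allowlist, the file-signature table, the size cap and the upload directory are assumed application policy, and the declared Content-Type from the browser is deliberately ignored because the client controls it.

```python
import os
import re
from dataclasses import dataclass

# Allowlist of extensions the application needs, each mapped to the magic
# bytes a genuine file of that type starts with (hypothetical policy).
ALLOWED = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
}
MAX_BYTES = 5 * 1024 * 1024          # assumed 5 MiB application limit
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # no dots: blocks shell.php.png


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""


def validate_upload(client_filename: str, data: bytes) -> Verdict:
    """Decide whether an upload may be stored, using server-side evidence only."""
    if len(data) > MAX_BYTES:
        return Verdict(False, "file too large")
    # Drop any client-supplied directory part (defeats ../ in the name).
    base = os.path.basename(client_filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        return Verdict(False, f"extension {ext or '(none)'} not allowed")
    if not SAFE_STEM.match(stem):
        return Verdict(False, "unsafe file name")
    # Point 2: the real type comes from the bytes, not from the declared MIME type.
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return Verdict(False, f"content does not match {ext}")
    return Verdict(True, "ok", f"{stem}{ext}")


def store(data: bytes, stored_name: str, upload_dir: str) -> str:
    """Point 5: owner-only permissions, never overwrite, no execute bit on the file."""
    os.makedirs(upload_dir, mode=0o700, exist_ok=True)
    path = os.path.join(upload_dir, stored_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path
```

Point 4 (an antivirus scan) is a separate step that runs on the stored file after these checks pass; nothing here replaces it.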

JavaScript runs in someone's browser. What does that mean?

It means:

  • the person has full control of what their browser is executing
  • the person can read the text and alter the JS virus scanner

It proves that it can be tampered with and can't be trusted.

When you upload a file, you do it via HTTP protocol. It means that JavaScript is done until this point and all the data it's sending to the server is visible to the user and the user can alter it.

Therefore, if a JS upload filter existed, it would be inherently insecure, and that's the reason why there are no JS "antivirus scanners".

You can scan the file at the server, after it was uploaded.

Well, this can be done. For example, you can just arbitrate the content using JavaScript in the browser and then choose to only submit the form to your server if the content is safe.

Here's a walkthrough with sample code and everything of doing just that: https://docs.scanii.com/articles/client-side-content-arbitration.html

This uses scanii.com for the content analysis, but you can follow the exact same process and just replace scanii.com with an EC2 instance proxying whatever antivirus you already use.

One very important piece of this 3-legged arbitration system is that you must verify the authenticity of the arbitration on your server in order to prevent someone just messing with the JavaScript on the client side and bypassing the whole thing. You can see that logic in the sample code here: https://github.com/uvasoftware/scanii-token-sample/blob/master/app.js#L56

In essence, when the form/file is finally posted, you need to call out to the service that processed it (in the example above it is scanii.com) to ensure that the file was indeed analyzed and deemed safe.

This sounds more complicated than it truly is; we have lots of customers doing this already and it's wonderful once set up, since you offload most of the work to the browser and your server remains free of bad content.
