Front-End Antivirus Scan File Uploads
I want to scan files for viruses and malware before they are uploaded to the server. For example, once a user uploads a file, there should be a scanner to detect if there is a virus or malware and reject it immediately. Is there any way to scan a file before it's uploaded to the server, like using JavaScript or any software developer tools?

Thanks

Twain answered 9/4, 2019 at 11:5 Comment(1)
Once a user uploads a file, check the file extensions and validate those (png, jpg, docx, xlx ...). – Fascicule
Well, this can be done. For example, you can just arbitrate the content using JavaScript in the browser and then choose to only submit the form to your server if the content is safe.

Here's a walkthrough with sample code and everything of doing just that: https://docs.scanii.com/articles/client-side-content-arbitration.html

This uses scanii.com for the content analysis, but you can follow the exact same process and just replace scanii.com with an EC2 instance proxying whatever antivirus you already use.

One very important piece of this 3-legged arbitration system is that you must verify the authenticity of the arbitration on your server in order to prevent someone from just messing with the JavaScript on the client side and bypassing the whole thing. You can see that logic in the sample code here: https://github.com/uvasoftware/scanii-token-sample/blob/master/app.js#L56

In essence, when the form/file is finally posted, you need to call out to the service that processed it (in the example above it is scanii.com) to ensure that the file was indeed analyzed and deemed safe.

This sounds more complicated than it truly is; we have lots of customers doing this already, and it's wonderful once set up, since you offload most of the work to the browser and your server remains free of bad content.

Bloomington answered 10/4, 2019 at 14:56 Comment(2)
That's an interesting option, but is there also some trusted signing on the file, so the server can assure not only that this file was scanned, but also that it wasn't tampered with after that? As mentioned by hemp it's easy to do so, but I didn't see it in your code sample.. – Collimate
Yup, a sha1 checksum is provided with the payload response so you can ensure the bits processed on the service match the original bits. Great question though, and something normally overlooked by folks - in-transit tampering. – Bloomington
Is there any way to scan a file before it's uploaded to the server? - The answer is NO. You have no control over the end user's operating system.

Adding to @Mjh, you can scan the file at the server, after it was uploaded.

Before uploading you can run some validations:

  1. Allow only the file extensions that your application requires
  2. If the file extension is valid, then check the TYPE of the file, e.g. application/text, application/csv etc.
  3. Upload should be done over a secure channel
  4. You can get an antivirus/malware detector in your hosting services
  5. Set proper permissions on the folder where you move new files
Vitelline answered 9/4, 2019 at 11:22 Comment(0)
JavaScript runs in someone's browser. What does that mean?

It means:

  • the person has full control of what their browser is executing
  • the person can read the text and alter the JS virus scanner

It proves that it can be tampered with and can't be trusted.

When you upload a file, you do it via HTTP protocol. It means that JavaScript is done until this point and all the data it's sending to the server is visible to the user and the user can alter it.

Therefore, if a JS upload filter existed, it would be inherently insecure, and that's the reason why there are no JS "antivirus scanners".

You can scan the file at the server, after it was uploaded.

Libau answered 9/4, 2019 at 11:9 Comment(3)
There are many ways to ensure that something has not been tampered with. The key is that the actual virus scanning has to be done by a trusted party. A simple option would be to host a virus scanning service separate from your application. @Rafael Ferreira's answer lays out some examples. Another option would be to require that the client's machine has a specific virus scanner installed which is integrated somehow with your application. That is only realistic in a controlled enterprise/intranet type of environment. – Elemental
@Elemental and what made you write such an elaborate answer where you "explain" how one can achieve the goal? What gave away that I'm unaware of it and that made you write the comment? I'm just genuinely intrigued. You read the answer and you thought "Hey, this guy who gives away insight related to HTTP and JavaScript obviously does not know that there exist services he could use, I will go and help him out because I feel he's too green"? If you read the question carefully and direct your efforts toward OP, then I'm sure he/she'd appreciate your insight and methods. Or you could write an answer. – Libau
The OP asked, "Is there any way to scan a file before it's uploaded to the server?" Your answer essentially said "no". I was simply clarifying that it is possible, even though what you said about JS in a browser not being tamper-proof is correct. I didn't add my own answer because it would have basically mirrored Rafael's. – Elemental