18

I have a web application where a user uploads a file, and the web server saves it to S3 and later processes it without copying it to the local server.
Now my question is: how can I perform a virus scan on files stored in S3 before processing them?
The requirement is to use well-established antivirus applications.

Update: 10/April/2018
To date there is no professional antivirus system that can scan an S3 bucket directly. We ended up installing antivirus on our Windows/Linux box and creating a flow where we first copy files to a temporary folder and then copy them back to S3 once the scan is done.

Anshul Nigam
  • 2
    I don't understand the downvote on this question. This is a legitimate case. – Tom Hert Mar 22 '18 at 18:15
  • Which AV did you choose to use on your additional box? We are doing the same thing, but we're looking for an AV solution that avoids an outbound connection to the internet. – Joe Apr 18 '18 at 13:07
  • 2
    @Joe there are many professional AVs available in the market, you can choose any one; disclosing one particular AV company name would not be fair here. – Anshul Nigam Apr 23 '18 at 04:59
  • 1
    @AnshulNigam Symantec is offering direct scan on S3 buckets. https://securitycloud.symantec.com/cc/#/landing?inid=us_symc_cloud-workload-protection_pdp_to_leadgen_trialware_PID-101_cloud-workload-protection – Sai Jun 26 '18 at 12:13

4 Answers

5

I would try to establish a workflow with Lambdas. Upon S3 upload, automatically trigger a Lambda which copies the file to a /tmp/ folder somewhere (assuming it fits), virus scan it, and then if it passes the virus scan, re-upload into a separate bucket/folder in S3.

Henry
  • If it passes the scan then there is no need to re-upload. If it fails to pass then we will delete it from S3. – tom May 18 '17 at 14:44
  • 1
    Yes, but you might accidentally download a file that has NOT passed a scan. If you're having to do a virus scan, you probably want to be *really* safe that there's no risk in the file. Which means the easiest thing to do is move it from one folder to a `clean/` folder or similar. – Henry May 18 '17 at 14:53
  • I like the idea, but is there any well-known antivirus which can directly scan an S3 bucket? – Anshul Nigam May 19 '17 at 05:35
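
The workflow from the answer and comments above, as an added example (not code from any poster): an S3-triggered Lambda handler in Python that scans each upload in /tmp and promotes it to a `clean/` prefix only on an explicit clean verdict, failing closed on scanner errors. The `clean/` layout, the use of ClamAV's `clamscan` CLI as the scanner, and all function names are assumptions.

```python
import os
import subprocess
import tempfile
from urllib.parse import unquote_plus

CLEAN_PREFIX = "clean/"          # assumed layout: scanned objects are promoted here
TMP_LIMIT = 512 * 1024 * 1024    # default Lambda /tmp size; larger objects are not scanned


def clamscan(path):
    """Map clamscan's exit code to a verdict: 0 clean, 1 infected, anything else error."""
    rc = subprocess.run(["clamscan", "--no-summary", path]).returncode
    return {0: "clean", 1: "infected"}.get(rc, "error")


def process_record(s3, record, scan=clamscan):
    """Scan one uploaded object; promote it to clean/ only on an explicit clean verdict."""
    bucket = record["s3"]["bucket"]["name"]
    key = unquote_plus(record["s3"]["object"]["key"])  # keys arrive URL-encoded in S3 events
    if key.startswith(CLEAN_PREFIX):
        return "skipped"      # our own promoted copy; prevents a trigger loop
    if record["s3"]["object"].get("size", 0) > TMP_LIMIT:
        return "too_large"    # left in place and never promoted
    fd, path = tempfile.mkstemp()  # lands in /tmp on Lambda
    os.close(fd)
    try:
        s3.download_file(bucket, key, path)
        verdict = scan(path)
    finally:
        os.remove(path)       # do not leave uploads behind in a reused container
    if verdict == "clean":
        s3.copy_object(Bucket=bucket, Key=CLEAN_PREFIX + key,
                       CopySource={"Bucket": bucket, "Key": key})
    if verdict in ("clean", "infected"):
        s3.delete_object(Bucket=bucket, Key=key)  # scanned objects leave the upload area
    return verdict            # 'error' leaves the object unpromoted for a retry


def lambda_handler(event, context):
    import boto3  # imported here so process_record can be exercised without AWS
    s3 = boto3.client("s3")
    return [process_record(s3, r) for r in event["Records"]]
```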
3

You could use the VirusTotal service. Or you could use an open-source solution.

Shimon Tolts
  • Worth noting that the detection rate of Windows viruses with ClamAV seems to be around 15%, so it's a horrible option. – FINDarkside Oct 07 '18 at 16:22
  • @FINDarkside Where does that 15% number come from? Is ClamAV really not a suitable solution? – Rob Oct 09 '18 at 00:41
  • @Rob https://www.av-test.org/en/news/linux-16-security-packages-against-windows-and-linux-malware-put-to-the-test/ – FINDarkside Oct 10 '18 at 18:12
1

There are quite a few ways to do this but they would all involve copying the content out of S3 temporarily so it can be analyzed - ideally this would happen in-region to save you some transfer costs.

Here's an example of doing exactly that using a couple of Lambda functions (packaged for 1-click deployment): https://github.com/uvasoftware/scanii-lambda

It uses our service (https://scanii.com) for analysis, but you can trivially replace that part with whatever service you would like, including commercial AV ones you already have a relationship with. This code is Apache v2 open source so you can modify it as needed.

Hope this helps

Rafael Ferreira
0

It depends on what model you need. After some research, there are a few models with some options:

  • SaaS product:
    • A SaaS setting inside or outside your AWS account
    • Example: CrowdStrike Falcon or AWS Marketplace products like https://bucketav.com/
  • AV product:
    • A commercial or OSS product you buy/subscribe to. It requires more build/maintenance than a SaaS one. It usually runs in ECS/EC2 instances (with an auto-scaling group if required), and you build your pipeline around it to be triggered when you add files to your S3 bucket
    • Example: http://www.binaryalert.io/
Mo Zaatar