Security should always be a top priority when designing and developing applications that interact with the internet. One important security measure is ensuring that files that are being uploaded to your application do not contain viruses or malware that could harm your system or other users. In this article, we’ll explore how to use ClamAV to validate the content of uploaded files, including how to set up and run a ClamAV instance in a Docker container and how to customize it for your needs.
When exposing an endpoint that is being used to upload files, you might want to include some sort of validation/security mechanism to ensure that the file content is safe. Instead of relying solely on file extension validation, there is a way to fully validate the payload using an anti-virus, without having to run it on a virtual machine.
The nClam NuGet Package allows you to access ClamAV’s file-scanning capabilities, with an instance of ClamAV running on an Azure Container Instance using the mkodockx/docker-clamav:alpine image.
This container image hosts an instance of the open-source anti-virus scanner and comes with an automated process to maintain an up-to-date database of known threats.
If you want to run an instance of the Docker container locally, you can use the provided docker-compose.yaml file.
Of course, depending on the size of the file you are passing along for scanning, it could be that the actual time it takes to transfer and scan the contents of it could be longer than you would like the client to be waiting. In such a case, consider handling these requests fully asynchronously by returning a 200 OK response when the file-stream has been received and trigger notifications, for example using MediatR.Publisher, to update the client with the actual results of the file-scanning.
Once you are ready to have everything running in Azure, you will want to include the setup of the Azure Container Instance as part of your automated deployments. To achieve this, you can utilize the provided Bicep file to create the container instance and have it linked to the container image mentioned earlier.
As a side-note, even though Azure Container Instances is being used in this example, as this is a light-weight solution and we don’t have too many simultaneous requests coming in, you could of course also make use of Azure Container Apps in case you are looking for a more scalable solution. Do keep in mind that ACA might require a bit more configuration and tweaking compared to ACI.
One thing to keep in mind though is that the ClamAV container has a default file size limit of 25MB. However, you can increase this limit by creating a custom clamd.conf file and increasing the StreamMaxLength-value. For example, if you want to set the file size limit to 1GB, you will have to set the value to 1000M.
To import the custom configuration file into the container, you can mount a custom file share (Storage Account) that requires a Shared Key for access. Once this volume has been mounted, set the CLAMD_CONF_FILE environment variable to point to the custom configuration file on the mounted file share.
During development, when running the container locally, you won’t have to point to an online file share of course. You can simply modify your docker-compose.yml file as shown below:
Of course, adding a custom configuration file and mounting a file share should also be part of your automated deployment process. To achieve this you can use the deployment Script-resource type to upload the file onto the Storage Account, before triggering the creation of the container instance.
With ClamAV, you can add an extra layer of security to your application by validating uploaded files’ content. This can help prevent malware and viruses from entering your system, protecting your data and your users. Setting up and running ClamAV in a Docker container is straightforward, and customizing it to your needs is easy. By following the steps outlined in this article, you can ensure your application is secure against file-based threats.