AntiVirus for Files No Longer Scanning Uploads

Nextcloud version: 27.0.2
Operating system: Debian 12
Install method: Manual install on my own Apache and MariaDB/MySQL setup

I’ve been hosting my own Nextcloud on this machine for years and I noticed recently that the “antivirus for files” app is no longer scanning files at upload time. The background scan “seems” to be functioning fine because while trying to figure this out, I got a random notification that my test virus was infected and it got deleted, but it did not happen at upload time. I can create a new EICAR test virus and it will sync without issue and not get spotted until the next background scan.

I’ve tried adjusting the app/security settings for the antivirus to use the clamd socket file, which I’ve shown exists and is listening (netstat -a | grep clam). I’ve tried using the “ClamAV executable” using clamav, clamdscan and clamdscan --fdpass as the executables. All of these options “save” without issue, which tells me that they should be working because if you enter incorrect options the save button will output a message “unexpected scan results for test content”, so I’m guessing that when you save options it has its own test virus it scans to make sure it’s functional.

I’m just really not sure why it’s not scanning files at the time they’re uploaded/synced any more, if the commands give me a green light when I save them in the settings.

Just out of curiosity I observed what permissions Nextcloud itself gave to new files and folders when they were uploaded and I chmod-ed my data directory to match to make sure my permissions were correct. I’m not crazy about the “others” label having read access, but that’s what Nextcloud itself does when you make a new folder or upload a new file, so that’s what I applied to the whole data directory to make sure it wasn’t an issue with permissions.

directories = 755
files = 644

So it appears to be specific to the Nextcloud desktop app. My laptop is also using Debian and I’m using version 3.7.3 of the Nextcloud desktop app that comes from the Debian repos.

If I try to manually upload a test virus using the web interface, the file is immediately scanned and denied, so it appears the on access or on upload scanning is functional. However, if I place a test virus in a folder that then gets synced by the desktop app, the file gets uploaded/synced without issue and does not seem to get noticed until the next background scan takes place. Either that, or files synced via the desktop app are getting placed into some sort of queue and then scanned several minutes after upload. I can verify via the web interface that the files do in fact get uploaded and do not get instantly denied like they used to. I’m not sure what the frequency of the background scan is, but if it’s a background scan of “all files” like the admin manual says, it seems more likely that the latter is the case. I’m just trying to understand what’s going on and why it only seems to affect the desktop app.

Attempting to upload a test virus with the mobile app also results in it getting scanned and blocked. The issue with a delay in scanning seems to only affect the Linux desktop app, at least as far as my use case goes. I don’t have any Windows machines to test that version.

hello there - i am encountering the same issue here (NC 28.0.5). The test file gets blocked when uploaded via webinterface. but any uploads from my mac os sync client won’t be stopped.

@gerowen, did you eventually solve your problem?

Update:
I just found out, that scanning uploaded files via sync client is not implemented. The scope of the antivirus app is only the web uploaded files:

Negative. Files synced with the Debian desktop client (haven’t tried the AppImage or Flatpak) don’t get scanned automatically. Files uploaded via the mobile apps or the web interface do get properly scanned at the time of upload. Since making this post I have updated my Nextcloud server to version 29. Files sync’ed via the desktop client do eventually get picked up during background virus scans.

Update: I just uninstalled the Debian package “nextcloud-desktop” and downloaded the official AppImage from their website. It also did not trigger an immediate virus scan of the EICAR test virus when syncing files.

I also tried copying the file directly into my Nextcloud folder via WebDAV, instead of letting the desktop client “sync” it. That resulted in the upload being blocked.

So WebDAV uploads, web UI uploads and files synced from the mobile apps are all being scanned on upload and being blocked from being uploaded in the first place if an infection is discovered. Files synced from the desktop client aren’t.

Somehow I missed the end of your post where you linked the other topic, but that makes no sense. Uploads from the desktop app USED to be blocked. I would literally get a notification on my desktop telling me a file upload was blocked because XYZ virus was detected. The feature must have been removed for some reason.