Recent Nextcloud Anti-virus app updates

Originally published at:

An often overlooked app is the Anti-virus app for Nextcloud. It allows admins to run all files that are uploaded through the ClamAV antivirus scanner. Some recent improvements decrease the overhead this caused on the server, providing an opportunity to cover the app and its roadmap!

Introducing the anti-virus app

The description of the app on GitHub is quite adequate:
  • When the user uploads a file, it's checked
  • Infected files will be deleted and a notification will be shown and/or sent via email
  • It runs a background job to scan all files

The app can be configured to work with the executable or the daemon mode of ClamAV. If it is used in daemon mode, it can connect through a network socket or a local file socket. It then sends files to a remote/local server using the INSTREAM command.

The virus scanning of course comes with some overhead. All uploaded files are scanned automatically and there is a background job that keeps scanning files so all files do get scanned.

We strongly recommend running in daemon mode, as this saves significant resources on the server. You can either connect to a local socket or run on a separate server.

Also note that ClamAV provides an extra layer of virus/malware protection but does not replace protection on client devices!


The developers have ideas on what to add and are asking for your input and thoughts, ideally submitted in the repo as pull requests or issues!
  • File size limit
  • Configuration Tuneups
  • Wider OS testing
  • Looking for ideas

Let us know what you think as always!
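
The INSTREAM exchange mentioned in the announcement, as an added example that is not part of the original post or the app's own code: a small Python client that frames a file for clamd and treats any reply other than OK or FOUND as an error. The socket path and the chunk size are assumptions.

```python
import io
import socket
import struct

CHUNK = 8192  # bytes per INSTREAM chunk (assumed value; any size works)

def instream_frames(fileobj, chunk_size=CHUNK):
    """Yield the byte frames of one clamd INSTREAM request."""
    yield b"zINSTREAM\0"                    # 'z' prefix: NUL-terminated command
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        # Each chunk: 4-byte big-endian length, then the data itself.
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)              # zero-length chunk ends the stream

def parse_reply(raw):
    """Map clamd's reply line to (verdict, detail)."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        # Reply format: "stream: <signature> FOUND"
        return "infected", text[len("stream: "):-len(" FOUND")]
    if text == "stream: OK":
        return "clean", ""
    # Anything else (size limit exceeded, empty reply) fails closed.
    return "error", text

def scan(sock, fileobj):
    """Stream fileobj over a connected clamd socket and return the verdict."""
    reply = b""
    try:
        for frame in instream_frames(fileobj):
            sock.sendall(frame)
        while not reply.endswith(b"\0"):    # 'z' commands get NUL-terminated replies
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    except OSError:
        pass  # clamd closes the connection when StreamMaxLength is exceeded
    return parse_reply(reply)

if __name__ == "__main__":
    # Assumed socket path; use the LocalSocket value from your clamd.conf.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect("/var/run/clamav/clamd.ctl")
        print(scan(s, io.BytesIO(b"constructed sample upload")))
```

An upload handler built on this should reject or quarantine the file on both "infected" and "error", so that a daemon outage or an oversized stream does not silently let files through.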


Since it isn’t in my list of apps I guess I have to install it?

Yes, install it from App Store.


Can somebody help me understand the risks of not having this antivirus app enabled in Nextcloud and which attack vectors it actually prohibits?

This probably sounds stupid, and I don’t mean it to be offensive in any way; I would only like to understand. So which options might an attacker have that could have a high enough chance of success to justify the effort of writing the code?
I think about executables at first, which easily cause a lot of damage when executed on a PC. However, Nextcloud doesn’t execute these executables anyway, right?
When I think about code embedded in picture files that makes use of vulnerabilities in picture viewer software, I come to think that it is probably easier to attack PC software instead of hoping that someone uploads the infected picture to an NC server where it can then finally do its work. An anti-virus tool on the PC should very well handle that additionally.

If an attacker gains access to the server via another vulnerability (buffer overflow in the web server for example) he wouldn’t be dependent on already uploaded files, right?

I want to make my server as safe as possible, but I want to keep the data of my users as private as possible at the same time. And trying to balance that, I’m a bit concerned that the anti-virus app might cause an imbalance when it logs the file scans and informs me about file names of other users without bringing a real advantage in security.
I hope you understand my concern and can point me to realistic threats for NC servers. Still being new to the web server project, I really don’t know yet.

Thanks a lot in advance.

I think it isn’t about the server itself. It can help if a client uploads an infected file, so that it isn’t distributed to all other synced devices or even spread over shares. Perhaps some companies require such a solution as part of their security policy. On a private server, the free clam-av only detects very old stuff, it won’t work for client-side encryption …

Nowadays you can even start to discuss the benefits of a virus scanner on your desktop computer since there have been a couple of serious security issues with popular products in the past. But that shouldn’t be discussed here (it risks becoming a very “religious” discussion).


One example would be the prevention of spreading Microsoft Office files with malicious macros inside them. They are still the most common way to get infected with ransomware and other nasty stuff. But then ClamAV would have to detect them, and (given its general detection rate) it can be questioned whether it is able to do that effectively anyway.

In the past, the Antivirus app (ClamAV actually) consumed a lot of RAM which resulted in killed processes showing up in the logs. I hope this is fixed at least.


Thanks to you, @tflidd and @alfred
That helped :)