Server

Adding an Antivirus

Updated: December 19, 2024

This is a recurrent demand from our customers. So here is a quick guide to add an antivirus scanner when uploading blobs in Nuxeo documents.

This page describes the main principles and steps to integrate an antivirus with Nuxeo Platform.
However, this integration has never been implemented or tested by Nuxeo team. And it may require more efforts to plug all the services which manipulate files and blobs.

Main Guidelines

One way to implement an antivirus scan for uploaded documents without any significant performance hit at creation time would be to:

  1. configure two BinaryManager stores, e.g. repo-cleared and repo-quarantine,
  2. define an aspect of each blob that specifies whether it is quarantined or not, for instance the MIME type could contain ";quarantined=true" if the blob is to be quarantined,
  3. configure a BlobDispatcher to dispatch blobs to the appropriate BinaryManager depending on the value of the MIME type.
  4. optionally define a new facet for documents to contain general information about the quarantine status of the document's blobs, to be reported to the user.

Whenever a new blob is uploaded and attached to a Nuxeo document the BlobDispatcher would first delegate the insertion to the repo-quarantine instance of BinaryManager.

A new Nuxeo synchronous core event listener would also react to the aboutToCreate or beforeDocumentModification event and introspect whether one of the blob fields is dirty. If so, the MIME type of the blob would be updated to add ";quarantined=true" to mark the new blob as being quarantined for antivirus analysis and a new asynchronous task would be scheduled using the WorkManager that would delegate a call to the antivirus service out of transaction and then collect the outcome of the antivirus as follows:

  • If the antivirus outcome is negative (no virus detected): the WorkManager task would update the blob's MIME type to remove the ";quarantined=true", which would instruct the BlobDipatcher to move the blob to the repo-cleared BinaryManager. The WorkManager task could also update the document's specific facet to inform the user (e.g. with a dedicated blob widget) that the document does not contain a suspect blob.

  • If the antivirus outcome is positive (a virus is detected in the attached file), the WorkManager task would just update the document facet to inform the user of the outcome of the analysis. The user could then decide to delete the contaminated blob attachment (or the system could be configured to do it automatically).

Permissions

Furthermore it would be very useful to make the event listener manage a new local ACL that would render documents with blobs in quarantine only visible to the user who uploaded the last blob until it is moved out of quarantine or deleted. This feature would have the following purposes:

  • Never propagate a contaminated blob to other users by denying access to the documents that contain contaminated files.
  • Do not disrupt too much any existing Nuxeo components (e.g. Nuxeo Drive 1) that usually expect any uploaded blob in a document to be immediately available.
  • Make it possible for the uploader to introspect the state of the virus analysis by making a custom blob widget.

Implementing such extensions to the Nuxeo platform is possible but might not be easy for non-core Nuxeo developer.

 

1: Such an ACL might still make updated document temporarily look as if deleted to other Nuxeo Drive users while the antivirus analysis is taking place.