Forum Discussion
strongarm_46960
Nimbostratus
NimbostratusVirus scan attachments
During sessions through F5 LTM ASM, clients sometimes upload files to our internal DMZ filesystems, we would like to Virus scan any unexpected and expected mime-types attachments before it reaches the trusted area.
Virus-scan all attachments, preferably at the dirty side where LTM ASM is located.
I am not sure it would be possible to iRule this requirement, since file-handle is disabled in iRule, any idea on how LTM ASM be tricked into sending any request with an embedded file attachment to an Anti-Virus server possibly ClaimXav located in the same VLAN, once scanned, then LTM ASM collects the scanned files and continues her defined journey.
Can you safely say that the ASM will do the job of detecting infected web attachments?
1 Reply
hoolioCirrostratus
Hi jquadri,
ASM does not support scanning HTTP file uploads. In fact, as file uploads can typically be binary content, you're pretty much limited to validating the size of the upload. You can restrict what file extension is used by configuring a parameter for filename on the request with a regex to describe the parameter value. Something like this would perform a case insensitive check for .txt, .doc, .rtf and .pdf files: (?i)^[-a-z0-9._+ /\&]+\.(?:txt|doc|rtf|pdf)$
You could try to collect the HTTP payload for POST requests to pages which accept file uploads and use HTTP::retry to send the request to a scanning server and then to the pool, but you're limited to 4Mb of payload collection per TCP connection (Click here). And it would probably add significant overhead.
You might be better off trying to perform the validation on the web or app server for now. F5 uses ClamAV for Firepass. Maybe you could open a case with F5 Support asking them to provide file upload validation locally.
Aaron
