
Antivirus Scanning (AV)

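Antivirus scanning inspects uploaded content in real time and blocks requests that carry malicious files, which helps prevent malware from being uploaded to your application. As the flowchart below shows, only POST requests with a multipart/form-data body are scanned; every other request is forwarded upstream without a scan.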

Architecture

flowchart TD
  A[Client Request] --> B{HTTP method == POST?}
  B -->|No| C[Skip AV scanning]
  B -->|Yes| D{Content-Type == multipart/form-data?}
  D -->|No| C
  D -->|Yes| E[Run antivirus scan]

  E --> F{AV scan result}
  F -->|Clean| G[Forward to upstream]
  F -->|Infected| H[Block request / Return 403]

  C --> G

Configuration Structure

av_scan:
  - name: test_av_scan
    rule: (http.request.uri.path starts_with "/")
    enabled: true

Configuration Options

Name

  • Type: String
  • Required: Yes
  • Description: Unique identifier for the antivirus scan rule
  • Example: name: "test_av_scan"

Rule

  • Type: String
  • Required: Yes
  • Description: Wirefilter expression to match requests
  • Example: rule: (http.request.uri.path starts_with "/")

Enabled

  • Type: Boolean
  • Default: true
  • Description: Whether the rule is active
  • Example: enabled: true

Best Practices

  1. Scan all file uploads
  2. Use specific path matching in rules
  3. Monitor scan results
  4. Keep antivirus definitions updated
  5. Log scan results for analysis

Example Configurations

Basic Scanning

av_scan:
  - name: "scan-all-uploads"
    rule: (http.request.uri.path contains "/upload")
    enabled: true

Targeted Scanning

av_scan:
  - name: "scan-documents"
    rule: (http.request.uri.path contains "/documents")
    enabled: true
  - name: "scan-images"
    rule: (http.request.uri.path contains "/images")
    enabled: true
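
To check which upload endpoints these rules actually cover, the following added example (not part of the product or its documentation) applies the flowchart's conditions and the "Targeted Scanning" rules to a constructed endpoint inventory. It assumes that a request is scanned only when the flowchart's conditions hold and an enabled rule matches the path, that the media type is compared without its parameters, and it understands only the two path operators shown on this page; the endpoint paths are hypothetical.

```python
import re

# Matches only the rule shape shown on this page:
#   (http.request.uri.path <starts_with|contains> "<value>")
RULE_RE = re.compile(
    r'^\(\s*http\.request\.uri\.path\s+(starts_with|contains)\s+"([^"]*)"\s*\)$')

def path_matches(rule, path):
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule expression: {rule}")
    op, value = m.groups()
    return path.startswith(value) if op == "starts_with" else value in path

def scan_decision(rules, method, content_type, path):
    """Return (scanned, reason) for one request, following the flowchart."""
    if method.upper() != "POST":
        return False, "skipped: method is not POST"
    # Assumption: media type is compared without parameters (boundary=...)
    # and case-insensitively.
    media_type = (content_type or "").split(";", 1)[0].strip().lower()
    if media_type != "multipart/form-data":
        return False, "skipped: not multipart/form-data"
    for rule in rules:
        # "enabled" defaults to true, as documented under Configuration Options.
        if rule.get("enabled", True) and path_matches(rule["rule"], path):
            return True, f"scanned by {rule['name']}"
    return False, "skipped: no enabled rule matches path"

# The "Targeted Scanning" rules from this page, as already-parsed YAML.
RULES = [
    {"name": "scan-documents", "rule": '(http.request.uri.path contains "/documents")', "enabled": True},
    {"name": "scan-images", "rule": '(http.request.uri.path contains "/images")', "enabled": True},
]

# Constructed endpoint inventory (hypothetical paths, not from a real application).
ENDPOINTS = [
    ("POST", "multipart/form-data; boundary=x", "/api/documents/new"),
    ("POST", "multipart/form-data; boundary=x", "/api/avatars"),
    ("PUT", "application/octet-stream", "/api/documents/42"),
    ("POST", "application/json", "/api/images/import"),
]

def coverage_report(rules, endpoints):
    """Return (method, path, scanned, reason) for every inventory entry."""
    return [(m, p) + scan_decision(rules, m, ct, p) for m, ct, p in endpoints]

if __name__ == "__main__":
    for method, path, scanned, reason in coverage_report(RULES, ENDPOINTS):
        print(f"{'SCAN' if scanned else 'GAP '} {method:4} {path:22} {reason}")
```

Every line reported as GAP is an upload path that reaches the upstream unscanned and needs either a rule change or a separate control.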

Common Use Cases

  1. Document Uploads: Scan uploaded documents for malware
  2. Image Uploads: Check images for malicious content
  3. File Sharing: Protect file sharing functionality
  4. User Uploads: Secure user-generated content