-
-
Notifications
You must be signed in to change notification settings - Fork 279
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Integration of Clamav for verifying uploaded files #711
Comments
Hey folks, sopratutto @evilaliv3, I am bumping this issue with two different possible approaches to solving the underlying issue which is:
In order to make it harder for the average attacker to take control of a recipient's machine, scanning submitted files for viruses with known signatures makes sense. There are two points in the submission process where this can be done if GPG encryption of files is performed and one more if it is not.
Case 1The only extra step for this is updating the documentation with the recommendation that receivers install an Anti-Virus from a vendor they trust. Case 2The big change would be the inclusion, usage and periodic update of ClamAV. The debian package would have to configured to not send any information to the vendor. It would also require trusting the Cisco Talos team to not have intentionally backdoored the product which is possible. Further the routines related to GLTemporaryFile would have to change, along with the Submission work flow to pass the raw file maybe via a pipe to a ClamAV subproccess to do the scanning. Its not clear to me if it is better to have one ClamAVScanner running or one created for every file submission, but I think either way would work. I think this is the best approach if GlobaLeaks is to be used as an all in one appliance. Case 3This situation is very similar to Case 2 with relaxed constraints. A background process could very easily be scheduled to scan the unscanned files on disc and mark the dangerous ones in the |
Hello @NSkelsey ! and than you for the important feedback on this topic. We generally discarded to move forward this ticket for two reasons, but lets see what we can now do for it:
|
The current implementation of the encryption schema now enables to implement this feature. It is now possible to run a sandboxed version of an antivirus to check offline for the presence of a malware inside an uploaded file. |
This same analysis has been as well proposed by Eduar Martin Borrgon of Poder/Mexicoleaks |
We see this option as really necessary to effectively implement the new encryption of the Globaleaks 4. For us, we feel responsible for our users security, to move from decrypt in computer to decrypt in server will mean put aside Tails and make all in the users computers. As México and Latin America journalist and activist face many spy threats, put some barriers to malware and spyware is a must. |
Thank you @emartinborregon for your valuable feedback! Could for the moment users just use Tails directly when downloading the files? Integration of an antivirus would probably take time more than resource constraits for research aspets:
Have you by any chance already analyzed the points above? |
Update: We are finally collaborating with the Italian National Authority for Anticorruption on the implementation of a first integration with an Antivirus and specifically with the Clamav Here are current evaluations and ideas. From an high level point of view we have identified that:
From an implementation point of view:
|
I've remodeled the ticket to precisely track the analysis of the implementation proposed in #4314 and evaluate the change needed to make it conform to our specs and proceed with a possible integration. Status of the current implementation:
Actions necessary to possibly integrate same functionality:
To guarantee appropriate code coverage probably it should be enough to edit existing browser tests to enable the antivirus and modify the existing whistleblowing module tests loading the EICAR test files are specifically developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization (CARO), to test the response of computer antivirus programs. |
Changes: - Add 'antivirus_enabled' variable to make it possible to enable/disable the functionality via UI - Edit the set of 'antivirus' variables to enable type checking on the configuration of the ClamD endpoint
I've proceeded with the full revision of the proposed changes to database included in this implementation. The revisions consider to be just changes in naming necessary for globaleaks for international naming conventions and code consistency that are:
We have avoided other structural changes understanding this could have major requirements in the refactoring of the code proposing the minimum changes necessary and proposing only the changes already previously indicated. |
@joeman65 @alessiofranceschini: We are trying to test this component but i think we need some clarification. We see used a local API http://localhost:3000/api/v1/scan ; which is the software that offer this is API? |
This ticket is to integrate globaleaks with antivirus scanning capabilities.
The antivirus scanning must work trough a generic filter server, by using the ICAP protocol, to interact with an ICAP server taking care of the antivirus scanning.
By using such a modular filtering, standard based approach, we can integrate with SquidClamav software, that can potentially:
In future we may integrate MAT cleanup, as an ICAP server, using the very same batch/content filtering logic applied for antivirus.
It must be notes that, by employing an ICAP based architecture for file filtering, also GnuPG operations could be moved outside globaleaks main process with a dedicated "encryption server" .
The text was updated successfully, but these errors were encountered: