This is a plugin that brings antivirus support to CRS.
The plugin is able to scan these parts of the request:
- uploaded file (enabled by default, see below)
- body (disabled by default, see below)
Communication with antivirus software is performed using a bundled Lua script and has following characteristics:
- no external programs or tools are executed (no forking etc.)
- no need for extended permissions
- antivirus software does not need to run with extended permissions to access scanned data
Please note, that the antivirus plugin will not raise anomaly score, but block a request carrying a virus immediately.
Currently, only ClamAV antivirus is supported but we are planning to add support for other antivirus software as well.
- ModSecurity compiled with Lua support
- LuaSocket library
- ModSecurity
SecTmpSaveUploadedFilesdirective isOnorSecUploadKeepFilesdirective is set to eitherRelevantOnlyorOn
Most modern distro packages come with Lua support compiled in. If you are unsure, or if you get odd error messages (e.g. EOL found) chances are you are unlucky. To be really sure look for ModSecurity announce Lua support when launching your web server:
... ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/) configured.
... ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
... ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
... ModSecurity: LUA compiled version="Lua 5.3"
...
If this line is missing, then you are probably stuck without Lua. Check out the documentation at coreruleset.org to learn how to get Lua support for your installation.
LuaSocket library should be part of your linux distribution. Here is an example
of installation on Debian linux:
apt install lua-socket
For full and up to date instructions for the different available plugin installation methods, refer to How to Install a Plugin in the official CRS documentation.
All settings can be done in file plugins/antivirus-config.conf.
This setting can be used to disable or enable antivirus scanning of uploaded files (FILES_TMPNAMES variable).
Values:
- 0 - disable antivirus scanning of uploaded files
- 1 - enable antivirus scanning of uploaded files
Default value: 1
This setting can be used to disable or enable antivirus scanning of request bodies (REQUEST_BODY variable). Be carefull while enabling this feature as it may use lots of system resources (depends on your usecase and environment).
Values:
- 0 - disable antivirus scanning of request bodies
- 1 - enable antivirus scanning of request bodies
Default value: 0
Maximum data size, in bytes, which are scanned. If data are bigger, the request is allowed and error is logged into web server error log.
Default value: 1048576
Timeout, in seconds, for connection to antivirus. If this timeout is reached, the request is allowed and error is logged into web server error log.
Default value: 2
Connection to ClamAV antivirus can be done either by unix socket file or TCP/IP.
Values:
- socket - connect using unix socket file
- tcp - connect using TCP/IP
Default value: socket
You need to set full path to the unix socket file if
tx.antivirus-plugin_clamav_connect_type is set to socket.
Default value: /var/run/clamav/clamd.ctl
You need to set IP address or hostname if
tx.antivirus-plugin_clamav_connect_type is set to tcp.
Default value: 127.0.0.1
You need to set port if tx.antivirus-plugin_clamav_connect_type is set to
tcp.
Default value: 3310
Data are not send all at once into ClamAV but are splitted into chunks. Using
this setting, you can set the chunk size, in bytes. Make sure that this setting
does not exceed StreamMaxLength as defined in ClamAV configuration file
clamd.conf.
Default value: 4096
After configuration, antivirus protection should be tested, for example, using:
curl http://localhost --form "data=@eicar.com"
Using default CRS configuration, this request should end with status 403 with
the following message in the log:
ModSecurity: Access denied with code 403 (phase 2). String match "{HEX}EICAR.TEST.3.UNOFFICIAL" at TX:antivirus-plugin_virus_name. [file "/path/plugins/antivirus-before.conf"] [line "11"] [id "9502110"] [msg "Virus {HEX}EICAR.TEST.3.UNOFFICIAL found in uploaded file eicar.com."] [data "Virus {HEX}EICAR.TEST.3.UNOFFICIAL found in uploaded file eicar.com."] [severity "CRITICAL"] [ver "antivirus-plugin/1.0.0"] [tag "capec/1000/262/441/442"] [hostname "localhost"] [uri "/"] [unique_id "Yefjb9gVcLh21zSVoqRv5wAAAFs"]
Get eicar test file from https://secure.eicar.org/eicar.com.
Any antivirus solution is useless without good virus signatures. Below is a list of virus signatures suitable for protection of web applications.
| Antivirus Software | URL | Type | Note |
|---|---|---|---|
| ClamAV | https://www.rfxn.com/projects/linux-malware-detect/ | PHP malware | free of charge |
| ClamAV | https://malware.expert/signatures/ | PHP malware | commercial |
Copyright (c) 2021-2022 OWASP CRS project. All rights reserved.
The OWASP CRS and its official plugins are distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.