ClamAV Anti-Virus
ClamAV is an open-source antivirus engine that provides robust malware detection and prevention capabilities. Its primary purpose within the system is to scan uploaded files for potential threats, ensuring that malicious files are identified and handled appropriately before they can compromise the system or its users.
File Handling and Antivirus Configuration
The integration of ClamAV antivirus is designed to enhance the security of file handling processes.
Note:
The system does not prevent the upload of malicious files. All new files are initially stored in the /temp-uploads directory.
File Size and Scanning Limits
The platform setting, antivirus.max.file.size, determines the maximum file size that ClamAV can scan. By default, this value is set to 25 MB. It is important to note that increasing the maximum file size will result in longer scanning times and may lead to performance issues. This platform setting applies to file access via both the WebAPI and the REST API.
For files that exceed the defined maximum size, users are presented with a popup offering them the option to either download the file or cancel the operation. The warning message displayed in this popup is as follows:
"The file is too large to be scanned by the anti-virus service. Maximum file size is {platform_setting_value}. Do you still want to download the file?"
If the user chooses "Yes," the file is downloaded. If the user selects "No," the file is not downloaded. This popup functionality must be available in both the Classic UI and the Agent UI.
Error “Antivirus service not available, file not scanned. Downloading the file”
If this error appears:
- A common reason is that the file is relatively small but contains a lot of data to scan, such as compressed files or PDFs.
- For example, a PDF file may be only 6 MB in size (below the default antivirus.max.file.size of 25 MB), but ClamAV actually has to scan over 100 MB and cannot finish within antivirus.timeout.period and the Tomcat / Apache connection timeout.
If antivirus.timeout.period is increased and the following symptoms appear:
- Users do not get the antivirus error in the UI.
- The ESM backend either gets the scanning results and stores them in the DB, or hits antivirus.timeout.period and prints the error to the log file.
In this case the Tomcat / Apache timeout (5 minutes) is shorter than antivirus.timeout.period multiplied by antivirus.retry.count.
Cloud Environment Support
ClamAV scanning is available in cloud installations. In instances where ClamAV is not enabled, file downloads continue to work as normal.
File States and Virus Scanning
The system has three file states: Scanned - safe, Scanned - harmful, and Not scanned / null.
The default state for all new files is Not scanned / null until they are scanned for the first time.
A fourth state, Pending rescan, is used during antivirus service timeouts or outages.
Scanning Workflow and Quarantine Management
The system checks the virus database update time to determine whether a file needs to be rescanned. If the database has been updated since the last file access, a ClamAV scan is triggered when the file is accessed. If the database has not been updated, no additional scan is initiated. These checks apply to both user and integration file access.
Scanning Logic
When a file scan is requested, the system ensures that only one ClamAV scan is executed, even if multiple concurrent requests are made for the same file.
If ClamAV determines that a file is harmful, the file is marked as harmful in the ESM database and moved to a quarantine folder. Information about the quarantined file is logged in the efecte_security.log file with a WARN-level entry. The file's state is updated to Scanned - harmful. Quarantined files are visible in the data card, edit mode, and view mode. However, interaction with quarantined files is restricted to deletion.
If ClamAV determines that a file is safe, the file state is updated to Scanned - safe, and the file remains accessible to users. For both harmful and safe outcomes, the system updates the last scan time of the file.
ClamAV Service Unavailability
In scenarios where the ClamAV service is unavailable, the system retries the scan if there is no timeout. The timeout threshold is configurable. If a scan request results in a timeout, the file state is updated to Pending rescan, but the file remains accessible to users and integrations.
Quarantine Management
The system allows limited interactions with quarantined files. Users can delete quarantined items via the UI. Quarantined items are inaccessible via the REST API or WebAPI.
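The scan-on-access workflow described in the sections above (rescan decision from the virus database update time, a single scan per file under concurrent requests, the too-large popup, quarantine on a harmful result, and Pending rescan on timeout), modelled in Python as an added illustration. This is not Efecte's or ClamAV's code. The setting names antivirus.max.file.size, antivirus.timeout.period and antivirus.retry.count, the state names and the 5-minute Tomcat / Apache timeout come from the page; the default values for timeout_period and retry_count, the seconds unit, the handling after all retries fail, and every class and function name are assumptions. The fits_in_http_timeout check mirrors the timeout rule from the error section: the worst case of every retry running to its timeout must stay inside the HTTP connection timeout.

```python
"""Scan-on-access workflow modelled after the page (added example, not Efecte's code).
Setting names, state names and the 5-minute HTTP timeout are from the page;
default values, units and identifiers are assumptions."""
import logging
import threading
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional

SAFE = "Scanned - safe"
HARMFUL = "Scanned - harmful"
NOT_SCANNED = "Not scanned / null"
PENDING_RESCAN = "Pending rescan"
security_log = logging.getLogger("efecte_security")  # stands in for efecte_security.log

class ScannerUnavailable(Exception): """ClamAV could not be reached (hypothetical)."""
class ScanTimeout(Exception): """antivirus.timeout.period elapsed (hypothetical)."""

@dataclass
class StoredFile:
    name: str
    size_bytes: int
    state: str = NOT_SCANNED
    last_scan: Optional[datetime] = None
    quarantined: bool = False

@dataclass
class AvSettings:
    max_file_size: int = 25 * 1024 * 1024  # antivirus.max.file.size, default 25 MB
    timeout_period: float = 60.0           # antivirus.timeout.period in seconds (assumed)
    retry_count: int = 3                   # antivirus.retry.count (assumed value)
    http_timeout: float = 300.0            # Tomcat / Apache connection timeout, 5 minutes

def fits_in_http_timeout(s: AvSettings) -> bool:
    """Every retry may run to its timeout; that total must stay below the HTTP
    timeout, otherwise the UI never receives the antivirus error."""
    return s.timeout_period * s.retry_count < s.http_timeout

class ScanWorkflow:
    def __init__(self, scanner: Callable[[StoredFile], bool],
                 settings: AvSettings, db_updated_at: datetime):
        self.scanner = scanner              # returns True if safe, False if harmful
        self.settings = settings
        self.db_updated_at = db_updated_at  # virus database update time
        self._locks: Dict[str, threading.Lock] = {}
        self._guard = threading.Lock()

    def _lock_for(self, name: str) -> threading.Lock:
        with self._guard:
            return self._locks.setdefault(name, threading.Lock())

    def needs_scan(self, f: StoredFile) -> bool:
        # Never scanned, database updated since the last scan, or awaiting rescan
        return (f.last_scan is None or self.db_updated_at > f.last_scan
                or f.state == PENDING_RESCAN)

    def on_access(self, f: StoredFile, now: datetime) -> str:
        """Returns 'quarantined', 'too-large' (UI shows the popup) or 'download'."""
        if f.quarantined:
            return "quarantined"
        if f.size_bytes > self.settings.max_file_size:
            return "too-large"
        if self.needs_scan(f):
            with self._lock_for(f.name):    # one scan per file under concurrent requests
                if self.needs_scan(f):      # re-check: another request may have scanned it
                    self._scan(f, now)
        return "quarantined" if f.quarantined else "download"

    def _scan(self, f: StoredFile, now: datetime) -> None:
        for _ in range(self.settings.retry_count):
            try:
                safe = self.scanner(f)
            except ScannerUnavailable:
                continue                    # service down, no timeout yet: retry
            except ScanTimeout:
                f.state = PENDING_RESCAN    # file stays accessible
                return
            f.last_scan = now               # last scan time updated for both outcomes
            if safe:
                f.state = SAFE
            else:
                f.state = HARMFUL
                f.quarantined = True        # moved to the quarantine folder
                security_log.warning("quarantined %s", f.name)
            return
        f.state = PENDING_RESCAN            # retries exhausted (assumed handling)

def demo():
    """Constructed scenario: safe file, harmful file, oversized file, a file whose
    scan times out, then a database update that forces a rescan of the safe file."""
    calls: List[str] = []
    def fake_clamav(f: StoredFile) -> bool:   # constructed stand-in for ClamAV
        calls.append(f.name)
        if f.name == "report.pdf":
            raise ScanTimeout()
        return not f.name.startswith("malware")
    wf = ScanWorkflow(fake_clamav, AvSettings(), db_updated_at=datetime(2024, 1, 1, 12))
    now = datetime(2024, 1, 2)
    notes = StoredFile("notes.txt", 1024)
    bad = StoredFile("malware.exe", 2048)
    big = StoredFile("video.mp4", 30 * 1024 * 1024)
    slow = StoredFile("report.pdf", 6 * 1024 * 1024)
    results = [wf.on_access(x, now) for x in (notes, notes, bad, big, slow)]
    wf.db_updated_at = datetime(2024, 1, 3)   # signatures updated: notes.txt rescanned
    results.append(wf.on_access(notes, datetime(2024, 1, 4)))
    return results, calls, [notes.state, bad.state, big.state, slow.state]
```

Running demo() shows the second access to notes.txt triggers no scan because the database has not changed, while the database update afterwards does; the 6 MB PDF that times out ends in Pending rescan but still downloads, matching the error behaviour described above.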