13 Replies Latest reply on Sep 21, 2018 5:30 PM by Barry Lindstrom

    Anti virus Attachment Plugin?

    Barry Lindstrom

      Per the BMC documentation on validating attachments to be free of viruses:

      Attachment validation plugin name

      Name of the custom validation plug-in that you developed for verifying attachments.

      The custom validation can perform any function per your requirements. You can develop the plug-in for performing functions like verifying the attachment containing malicious content, verifying whether the attachment is a virus, verifying whether the user has changed the extension for uploading the attachment, and so on.

      Example: EXAMPLE.ARF.SIMPLE (name of the custom plug-in that you developed)

      Has anyone built or purchased such a beast?


        • 1. Re: Anti virus Attachment Plugin?
          Laurent Matheo

          Hi Barry Lindstrom
          vinita posted a code a long time ago that seemed to work:

          ARFilterApiCall custom validation plug-in
          There was a KB but I don't know if it's still available:

          Virus Scanning of Attachments in ITSM 7.6.04

          2 of 2 people found this helpful
          • 2. Re: Anti virus Attachment Plugin?
            Stefan Hall

            Well found, unfortunately the most important links are dead or the pages are no longer available. Very sad for an important security issue.

            I would rather expect a better solution from the manufacturer, but nobody shares/votes for my idea. Security doesn't seem so important to others yet.

            1 of 1 people found this helpful
            • 3. Re: Anti virus Attachment Plugin?
              Laurent Matheo

              Actually it is an important topic... Did you contact support to see if they had an updated KB?

              LJ LongWing.

              • 4. Re: Anti virus Attachment Plugin?
                Barry Lindstrom

                Yes, I have opened a ticket with support.  I will keep you informed of the results.

                Use of command line Symantec is a possibility, but that would be client side and require standard Symantec configuration on some 250,000 workstations accompanied by some Remedy workflow with dynamic run process commands...possible but not a very desirable solution.

                • 5. Re: Anti virus Attachment Plugin?
                  Laurent Matheo

                  Oh my apologies, the first link is not publicly available...

                  Here is a part of the code I cleaned up. It is not correct; that was the point of the question, as it was not throwing an exception when the file was not correct. So here is the code that needs modification, and then my answer:


                      public static String ARFilterApiCall(String username, String files,
                                                         String timestamp,
                                                         String documentStatus) throws SQLException {
                          //int status = 0;
                          String status = null;
                          try
                          {
                              //filepath per unix
                              //String filePath = rootSaveAttachment + '/'+  fileName;
                  
                              //filepath per win
                              String filePath = rootSaveAttachment + '\\' + files;
                              logger.info("Path file :   " + filePath);
                             
                              File f = new File(filePath);
                              logger.info("getAbsolutePath :   " + f.getAbsolutePath());
                             
                              long fileLength = files.toString().length();
                              String fileExtension = SecureFileUpload.getFileExtension(f);
                              String fileName = filePath.substring(f.getAbsolutePath().lastIndexOf(File.separator) + 1);
                              logger.info("fileName :   " + fileName);
                              String start = fileName.substring(0, 3);
                  
                              if (fileLength > 255)
                              {
                                  documentStatus = "Error fileLength > 255";
                                  logger.error("Status error :   " + documentStatus);
                                  status = "Error";
                                  f.delete();
                              }
                              else
                              {
                                  documentStatus = "The file was sent for scanning.";
                                  logger.info("Status :   " + documentStatus);
                  
                  
                                  try
                                  {
                                      // Call your AVN scanner here, I have put junk in the call code and exceptions.
                                      if (scanFileHasAlerts(filePath))
                                      {
                                          f.delete();
                                         
                                          logger.warn("Document " + f.getAbsolutePath() + " has alerts");
                                      }
                                  }
                                  catch (scanException e)
                                  {
                                      documentStatus = e.getLocalizedMessage();
                                      status = "Error";
                                      logger.error("Error in scanFileHasAlerts() - scanning of the document " + f.getAbsolutePath() + " has failed", e);
                                      throw e;
                                  }
                                  catch (Exception e)
                                  {
                                      documentStatus = e.getLocalizedMessage();
                                      status = "Error";
                                      logger.error("Error in scanFileHasAlerts() - scanning of the document has failed", e);
                                  }
                              }
                          }
                          catch (Exception e)
                          {
                              documentStatus = e.getLocalizedMessage();
                              status = "Error";
                              logger.error("Error in scanFileHasAlerts() - scanning of the document has failed", e);
                          }
                  
                  
                          openConnection();
                          insertOnDB(username, files, getTIMESTAMP(), documentStatus);
                          closeConnection();
                         
                          return status;
                      }
                  
                  
                      public List<Value> filterAPICall(ARPluginContext context,
                                                       List<Value> list)
                      {
                          //int scanResultStatus = 0;
                          String scanResultStatus = null;
                         
                          for (Value v : list)
                          {
                              String username = context.getUser();
                              AttachmentValue attachment = (AttachmentValue)v.getValue();
                              String files = attachment.getValueFileName().toString();
                  
                  
                              context.logMessage(0, "** filterAPICall: " + username);
                              context.logMessage(0, "** filterAPICall:  attachment: " + attachment.getValueFileName());
                              logger.info("** attachment: " + attachment.getValueFileName());
                              logger.info("** username:   " + username);
                  
                  
                              try
                              {
                                  //for unix
                                  //File file = new File(rootSaveAttachment + '/'+  file);
                                  File file = new File(rootSaveAttachment + '\\' + files);
                                  FileOutputStream fos = new FileOutputStream(file);
                                  BufferedOutputStream bos = new BufferedOutputStream(fos);
                                  bos.write(attachment.getValue());
                                  bos.flush();
                                  bos.close();
                                  String documentStatus = null;
                                  String timestamp = getTIMESTAMP();
                                 
                                  scanResultStatus = ARFilterApiCall(username, files, timestamp, documentStatus);
                                 
                                  logger.info("** scanResultStatus:   " +  scanResultStatus);
                              }
                              catch (Exception e)
                              {
                                  logger.error("Error in scanFile() - scanning of the document has failed", e);
                              }
                          }
                          ArrayList<Value> outValues = new ArrayList<Value>();
                          outValues.add(0, new Value(scanResultStatus));
                         
                          return outValues;
                      }
                  


                  The problem was that the code was not throwing an ARException when it was failing:

                  Hummmm ok...

                  I wonder if you don't need to throw an exception (an ARS one) if the file isn't ok actually...

                  Here, taken from a plugin I coded for something else (I don't have Eclipse or a test environment right now so I cannot test), but my idea would be, in case of error, to throw an ARException object with an error code.

                  IMHO, ARS is waiting for an ARException, and since it does not "see" it, it thinks your file is validated... It's just a thought though, I can't test right now...


                  package lmapalert;

                  //include
                  import com.bmc.arsys.api.*;
                  import com.bmc.arsys.pluginsvr.plugins.ARFilterAPIPlugin;
                  import com.bmc.arsys.pluginsvr.plugins.ARPluginContext;
                  import com.bmc.arsys.api.ARException;

                  //Java
                  import java.util.*;

                  //Constants
                  import static com.bmc.arsys.api.Constants.*; //For constants...

                  //Used for logging what we are doing.
                  import org.apache.log4j.Logger;

                  public class lmapalert extends ARFilterAPIPlugin {

                    private static final Logger logger = Logger.getLogger(lmapalert.class);

                    //This is mandatory. ARS calls this entry.
                    //Input:
                    //context:: Current context in ARS
                    //paramList:: Parameters
                    //Output:
                    //paramList:: JSON text
                    //Throws:
                    //Throw an exception (ARS Type).
                    public List<Value> filterAPICall(ARPluginContext context, List<Value> paramList) throws ARException {
                      //We prepare the result array (sent by the plugin to ARS).
                      List<Value> results = new ArrayList<Value>();
                      //(...)

                      //Let's say file is wrong, we throw an ARException.
                      //The "throw" keyword matters: only constructing the exception does nothing,
                      //and ARS would then treat the attachment as validated.
                      boolean isError = true;
                      if (isError) {
                        logger.error("Attachment rejected by validation plugin");
                        throw new ARException(Arrays.asList(new StatusInfo(Constants.AR_RETURN_ERROR, 1001, "File is not authorized")));
                      }

                      //Sending back the result to ARS
                      return results;
                    }
                  }
                  
                  3 of 3 people found this helpful
                  • 6. Re: Anti virus Attachment Plugin?
                    LJ LongWing

                    This is actually a topic I'm taking a personal interest in at the moment....:)

                    2 of 2 people found this helpful
                    • 7. Re: Anti virus Attachment Plugin?
                      Barry Lindstrom

                      I thank you for the code, but that whooshing sound you hear is this answer flying WAY OVER MY HEAD!

                      Here is the reply from BMC Support:

                      My colleague only got so far as to register the plugin and to get it to respond. He hasn't had the capacity to get a functional prototype of his plan, which is to set it up so all that needs doing is to provide some parameters in order to call any security product.

                      Did you have any other questions or are we good to close out this case?

                      I read this as "It can be done, so there is no problem."

                      We are attempting to identify a Wells Fargo "security product" that we can call from a plugin on our servers. But first we have to find the right Wells Fargo group to ask. (3 groups have denied knowing what we are talking about and we are still waiting for group 4 to disavow.)

                      PERHAPS, when we find this security product, the above code will help, but right now we are still looking for somebody who has implemented virus scanning as a part of the Attachment Security configuration who can 'splain the process so even this simple Remedy developer can understand it.

                      • 8. Re: Anti virus Attachment Plugin?
                        Mark Walters

                        The attachment scanning feature provides a hook that allows you to configure a plugin to which files being added to attachment fields will be passed.  This plugin, which you need to write, is expected to accept the attachment file being passed to it and perform some sort of activity on it before sending back a status value.  The status can be one of OK, WARNING or ERROR.  If I understand the docs correctly:

                        OK      - the attachment is saved in the database
                        ERROR   - the attachment is rejected
                        WARNING - the attachment data returned from the plugin is used by the server and saved (in the case that an AV solution has cleaned the file?)

                        Exactly what the plugin does is up to you but I think you will need an AV solution that has some form of API which allows you to send a file for scanning.  You may be able to construct a plugin which spawns a command line tool but I suspect that would be less reliable.  There are cloud based scanners but your business requirements may not allow you to use these.  The gory details of what the plugin does and how it does it will depend on the specifics of your AV solution.

                        Does that help?  Apologies if you had already worked this out!
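Putting Laurent's ARException point and Mark's OK/ERROR mapping together, here is an added example (not code from the thread, from BMC or from LJ's utility) of a plugin that writes the attachment to a server-chosen temp file, runs a command-line scanner and fails closed. The scanner command, the 1001/1002 message numbers and returning "OK" as the status value are assumptions; the exit-code mapping follows ClamAV's clamdscan (0 clean, 1 infected, 2 error).

```java
package lmapalert;

import com.bmc.arsys.api.*;
import com.bmc.arsys.pluginsvr.plugins.ARFilterAPIPlugin;
import com.bmc.arsys.pluginsvr.plugins.ARPluginContext;
import java.io.IOException;
import java.nio.file.*;
import java.util.*;
import java.util.concurrent.TimeUnit;

public class ScanAttachmentPlugin extends ARFilterAPIPlugin {
    // Assumed scanner command (clamdscan convention: exit 0 clean, 1 infected, 2 error).
    // Swap in whatever server-side command-line scanner the site standardises on.
    private static final String[] SCANNER_CMD = {"clamdscan", "--no-summary"};
    // Message numbers are placeholders chosen for this example.
    private static final int MSG_INFECTED = 1001, MSG_SCAN_FAILED = 1002;

    public List<Value> filterAPICall(ARPluginContext context, List<Value> paramList) throws ARException {
        List<Value> results = new ArrayList<Value>();
        for (Value v : paramList) {
            AttachmentValue attachment = (AttachmentValue) v.getValue();
            String name = String.valueOf(attachment.getValueFileName());
            Path tmp = null;
            try {
                // Never build the on-disk path from the user-supplied file name: a name such as
                // "..\\..\\x.exe" would escape the drop directory. Let the server pick a temp name.
                tmp = Files.createTempFile("arscan-", ".bin");
                Files.write(tmp, attachment.getValue());
                int rc = runScanner(tmp);
                if (rc == 1) {
                    throw fail(MSG_INFECTED, "Attachment rejected by virus scan: " + name);
                }
                if (rc != 0) {
                    // Fail closed: a dead or timed-out scanner must not let the file through.
                    throw fail(MSG_SCAN_FAILED, "Attachment scan failed (scanner exit code " + rc + ")");
                }
                results.add(new Value("OK"));   // assumed status convention from the thread
            } catch (IOException | InterruptedException e) {
                throw fail(MSG_SCAN_FAILED, "Attachment scan failed: " + e.getMessage());
            } finally {
                if (tmp != null) { try { Files.deleteIfExists(tmp); } catch (IOException ignored) {} }
            }
        }
        return results;
    }

    private static ARException fail(int msgNum, String text) {
        return new ARException(Arrays.asList(new StatusInfo(Constants.AR_RETURN_ERROR, msgNum, text)));
    }

    // Runs the scanner on one file; its output goes to the plugin server's stdout/stderr.
    static int runScanner(Path file) throws IOException, InterruptedException {
        List<String> cmd = new ArrayList<String>(Arrays.asList(SCANNER_CMD));
        cmd.add(file.toString());
        Process p = new ProcessBuilder(cmd).inheritIO().start();
        if (!p.waitFor(60, TimeUnit.SECONDS)) { p.destroyForcibly(); return 2; }
        return p.exitValue();
    }
}
```

Writing the file under a server-generated name instead of `rootSaveAttachment + '\\' + files` also closes the path problem in the earlier snippet, where the attachment's own file name decides where on disk it lands.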

                        • 9. Re: Anti virus Attachment Plugin?
                          LJ LongWing

                          Barry,

                          I believe I have something that may make this work....I would like to get with you offline to test and troubleshoot my solution and see how it'll work for you.

                          1 of 1 people found this helpful
                          • 10. Re: Anti virus Attachment Plugin?
                            Barry Lindstrom

                            Thanks LJ, I will be contacting you shortly.

                            As I indicated, Wells Fargo needs to identify the security product we need to interface with, then we can proceed with connecting it to Remedy.

                            • 11. Re: Anti virus Attachment Plugin?
                              Barry Lindstrom

                              LJ has supplied us with the alpha version of his Java Plugin. (THANKS LJ!)  We have it installed and we believe we can get this to work IF our security people ever identify the server side virus scanning software that will do the work. 
                              (Please note this is a utility that is NOT supported by BMC.) 

                              • 12. Re: Anti virus Attachment Plugin?
                                Barry Lindstrom

                                I am now working with Symantec Engineers to determine what product they recommend for server side, command line, individual file scanning.