Skip to content

Scan with Antivirus

Scan files by sending them to a Clamd server.

Clamd is a de-facto open source standard for antivirus scanning. This Flow assumes a Clamd server is running and can be accessed either locally (unix socket) or remotely (tcp socket).

Once scanned, infected files can be put in a dedicated Quarantine folder. If scan fails for other reasons, files are tagged to alert that they could not be scanned properly.

Parameters

Name Type Default Mandatory Description
ServerProtocol select, possible values: unix (unix), tcp (tcp) tcp true Select protocol used to access server.
ServerAddress text IP:PORT true Select server address. Use IP:PORT for tcp or file path for unix protocol.
QuarantineFolder text pydiods1/QUARANTINE true Folder where to move files when a virus is detected.
TagInfected text infected true Tag file with this value when a virus is detected.
TagFailed text scan-failed false Tag file when virus detection failed (result is unknown).

Trigger Type

Event-based

JSON Representation

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
{
  "Label": "Scan with Antivirus",
  "Owner": "pydio.system.user",
  "Metadata": {
    "Description": "Scan files by sending them to a Clamd server",
    "Icon": "mdi mdi-bug",
    "TplCategory": "content-processing",
    "Usage": "Clamd is a de-facto open source standard for antivirus scanning. This Flow assumes a Clamd server is running and can be accessed\neither locally (unix socket) or remotely (tcp socket). \n\nOnce scanned, infected files can be put in a dedicated Quarantine folder. If scan fails for other reasons, files are tagged to alert that\nthey could not be scanned properly.\n"
  },
  "Custom": true,
  "EventNames": [
    "NODE_CHANGE:0",
    "NODE_CHANGE:3"
  ],
  "Actions": [
    {
      "ID": "actions.clamd.scan",
      "Label": "Send to Clamd",
      "Parameters": {
        "address": "{{.JobParameters.ServerProtocol}}://{{.JobParameters.ServerAddress}}"
      },
      "ChainedActions": [
        {
          "ID": "actions.scheduler.log-input",
          "Label": "Scan Passed",
          "ActionOutputFilter": {
            "Query": {
              "SubQueries": [
                {
                  "type_url": "type.googleapis.com/jobs.ActionOutputSingleQuery",
                  "value": "CAE="
                }
              ]
            },
            "Label": "Scan passed",
            "Description": "Check if last output string body contains a given text"
          },
          "Parameters": {
            "fieldname": "{\"@value\":\"StringBodyRegexp\"}",
            "message": "Successfully scanned \"{{base .Node.Path}}\"",
            "protocol": "{\"@value\":\"tcp\"}",
            "taskLogger": "true"
          },
          "ChainedActions": [
            {
              "ID": "actions.put-meta",
              "Label": "Tag as infected",
              "ActionOutputFilter": {
                "Query": {
                  "SubQueries": [
                    {
                      "type_url": "type.googleapis.com/jobs.ActionOutputSingleQuery",
                      "value": "EgVGT1VORA=="
                    }
                  ]
                },
                "Label": "Output contains \"FOUND\"",
                "Description": "Check if last output string body contains a given text"
              },
              "Parameters": {
                "json": "{\"usermeta-tags\":\"{{.JobParameters.TagInfected}}\"}"
              },
              "ChainedActions": [
                {
                  "ID": "actions.tree.copymove",
                  "Label": "Move to Quarantine",
                  "Parameters": {
                    "create": "true",
                    "fieldname": "{\"@value\":\"StringBodyRegexp\"}",
                    "protocol": "{\"@value\":\"tcp\"}",
                    "recursive": "false",
                    "target": "{{.JobParameters.QuarantineFolder}}",
                    "targetParent": "true",
                    "type": "move"
                  }
                },
                {
                  "ID": "actions.cmd.sendmail",
                  "Label": "Alert Owner",
                  "Bypass": true,
                  "Parameters": {
                    "fieldname": "{\"@value\":\"StringBodyRegexp\"}",
                    "message": "Virus was found on **{{.Node.Path}}**, uploaded by **{{.ContextUser.Login}}**",
                    "sender": "{\"@value\":\"smtp\"}",
                    "subject": "Virus Found",
                    "to-user": "{{.ContextUser.Login}},admin"
                  }
                }
              ]
            }
          ],
          "FailedFilterActions": [
            {
              "ID": "actions.put-meta",
              "Label": "Tag File",
              "Parameters": {
                "json": "{\"usermeta-tags\":\"{{.JobParameters.TagFailed}}\"}"
              }
            }
          ]
        }
      ]
    }
  ],
  "MaxConcurrency": 10,
  "NodeEventFilter": {
    "Query": {
      "SubQueries": [
        {
          "type_url": "type.googleapis.com/service.Query",
          "value": "CiwKHnR5cGUuZ29vZ2xlYXBpcy5jb20vdHJlZS5RdWVyeRIKOgYucHlkaW9wARAB"
        },
        {
          "type_url": "type.googleapis.com/service.Query",
          "value": "CiQKHnR5cGUuZ29vZ2xlYXBpcy5jb20vdHJlZS5RdWVyeRICMAEKJwoedHlwZS5nb29nbGVhcGlzLmNvbS90cmVlLlF1ZXJ5EgUYwKjlBBAB"
        }
      ],
      "Operation": 1
    },
    "Label": "Files \u003c 10MB"
  },
  "Parameters": [
    {
      "Name": "ServerProtocol",
      "Description": "Select protocol used to access server.",
      "Value": "tcp",
      "Mandatory": true,
      "Type": "select",
      "JsonChoices": "{\"tcp\":\"tcp\",\"unix\":\"unix\"}"
    },
    {
      "Name": "ServerAddress",
      "Description": "Select server address. Use IP:PORT for tcp or file path for unix protocol.",
      "Value": "IP:PORT",
      "Mandatory": true,
      "Type": "text"
    },
    {
      "Name": "QuarantineFolder",
      "Description": "Folder where to move files when a virus is detected.",
      "Value": "pydiods1/QUARANTINE",
      "Mandatory": true,
      "Type": "text"
    },
    {
      "Name": "TagInfected",
      "Description": "Tag file with this value when a virus is detected.",
      "Value": "infected",
      "Mandatory": true,
      "Type": "text"
    },
    {
      "Name": "TagFailed",
      "Description": "Tag file when virus detection failed (result is unknown).",
      "Value": "scan-failed",
      "Type": "text"
    }
  ]
}