Virus scan attachments

Question

During sessions through F5 LTM ASM, clients sometimes upload files to our internal DMZ filesystems, we would like to Virus scan any unexpected and expected mime-types attachments before it reaches the trusted area.   
&nbsp;    
&nbsp;  Virus-scan all attachments, preferably at the dirty side where LTM ASM is located.  
&nbsp;    
&nbsp;  I am not sure it would be possible to iRule this requirement, since file-handle is disabled in iRule, any idea on how LTM ASM be tricked into sending any request with an embedded file attachment to an Anti-Virus server possibly ClaimXav located in the same VLAN, once scanned, then LTM ASM collects the scanned files and continues her defined journey.  
&nbsp;    
&nbsp;    
&nbsp;  Can you safely say that the ASM will do the job of detecting infected web attachments?  
&nbsp;

hooleylist · Answer

Hi jquadri,  
&nbsp;    
&nbsp;  ASM does not support scanning HTTP file uploads.  In fact, as file uploads can typically be binary content, you're pretty much limited to validating the size of the upload.  You can restrict what file extension is used by configuring a parameter for filename on the request with a regex to describe the parameter value.  Something like this would perform a case insensitive check for .txt, .doc, .rtf and .pdf files: (?i)^[-a-z0-9._+ /\&amp;]+\.(?:txt|doc|rtf|pdf)$  
&nbsp;    
&nbsp;  You could try to collect the HTTP payload for POST requests to pages which accept file uploads and use HTTP::retry to send the request to a scanning server and then to the pool, but you're limited to 4Mb of payload collection per TCP connection (Click here).  And it would probably add significant overhead.  
&nbsp;    
&nbsp;  You might be better off trying to perform the validation on the web or app server for now.  F5 uses ClamAV for Firepass.  Maybe you could open a case with F5 Support asking them to provide file upload validation locally.  
&nbsp;    
&nbsp;  Aaron

Forum Discussion

Virus scan attachments

1 Reply

Recent Discussions

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Can iRule be used to perform exception of IPI category based on Geolocation

Related Content

Deploying F5 Distributed Cloud (XC) Services in Cisco ACI - Layer Three Attached Deployment

Deploying F5 Distributed Cloud (XC) Services in Cisco ACI - Layer Two Attached Deployment

OWASP Automated Threats - OAT-014 Vulnerability Scanning

Advanced iRules: Scan

Advanced iRules: Binary Scan