MGS integration with antivirus

02. June 2022

One of the MGS features is managing model-related files and documents. Common files that are not related to any model can also be uploaded to the public folder, users' private folders, or shared folders. Companies usually have strict security policies, so sooner or later the question of antivirus integration comes up. And it did: our customer's initial security audit raised the topic of antivirus scanning. So how do we solve it?

Implementation on the infrastructure level

There is more than one solution, and the choice depends on how files are stored. MGS supports AWS S3 cloud storage, so in that case it makes sense to implement the solution directly in the AWS ecosystem. If files are to be stored locally on the customer's server, a MinIO container is responsible for managing them. Since the files are simply stored in a folder outside the Docker/Podman container, server admins can set up a process that scans all new files with the antivirus scanner the company already uses on its other servers.

Both of these cases shift the responsibility to the infrastructure/server admins, but we wanted to be prepared for anything. More precisely, we wanted to be prepared for the case where it is up to us to integrate the antivirus into MGS. Since MGS is very flexible and programmable through Business rules, we prepared a fully functional proof of concept that brings several interesting integration ideas.

Direct integration with MGS

The core of the solution is the open-source antivirus ClamAV running in a Docker container. This container mounts the volume with the MinIO data and starts the clamd daemon together with freshclam, the virus database update service. A custom Business rule is hooked to the OnFileUpload event, so it is executed every time a new file is uploaded. The rule communicates with ClamAV and starts the file scanning process.

MGS has a file validation feature that shows the validation status as an icon in the file view. If any arbitrary validation fails, the icon is red. If it passes, it is green. In this case, we can visually indicate whether the file is clean or contains malicious code. Even better, we can immediately remove the file and send an internal notification to the user to inform them about the removal (and perhaps notify the MGS administrator). In fact, we can react exactly as our customer wants, and the antivirus can be replaced with a different solution too (the file can even be uploaded to a cloud scanning service like VirusTotal).
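The exchange between such a rule and clamd, and the verdict it would feed into the validation status, can be sketched as follows. This Python code is an added example, not the Business rule from the proof of concept; the hostname `clamav`, the sample paths and the verdict names `clean`, `infected` and `error` are assumptions.

```python
import socket
from typing import Optional, Tuple

# Assumptions: "clamav" is the ClamAV container's hostname; 3310 is clamd's default TCP port.
CLAMD_ADDR = ("clamav", 3310)

def build_scan_command(path: str) -> bytes:
    """Build clamd's NUL-terminated SCAN command for a path as the ClamAV container sees it."""
    if "\0" in path or "\n" in path:
        raise ValueError("path contains a clamd command delimiter")
    return b"zSCAN " + path.encode("utf-8") + b"\0"

def parse_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Turn '<path>: OK', '<path>: <signature> FOUND' or '... ERROR' into (verdict, detail)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        return "infected", text[: -len(" FOUND")].rsplit(": ", 1)[-1]
    if text.endswith(": OK"):
        return "clean", None
    # ERROR replies, empty replies and anything unexpected are never reported as clean.
    return "error", text

def scan_path(path: str, addr=CLAMD_ADDR, timeout: float = 30.0) -> Tuple[str, Optional[str]]:
    """Ask clamd to scan one file on the shared volume and return the parsed verdict."""
    command = build_scan_command(path)
    try:
        with socket.create_connection(addr, timeout=timeout) as sock:
            sock.sendall(command)
            reply = b""
            while not reply.endswith(b"\0"):
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
    except OSError as exc:  # daemon down, timeout, connection reset
        return "error", str(exc)
    return parse_reply(reply)

if __name__ == "__main__":
    # Constructed replies (not captured from a real scan), one per outcome.
    for sample in (b"/data/docs/report.pdf: OK\0",
                   b"/data/docs/test.com: Win.Test.EICAR_HDB-1 FOUND\0",
                   b"/data/docs/gone.txt: lstat() failed: No such file or directory. ERROR\0"):
        print(parse_reply(sample))
```

Mapping the `error` verdict to the red validation icon, rather than green, keeps a stopped or unreachable daemon from marking uploads as clean.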

We don't offer a premade antivirus component simply because there are too many options: which service to use and how MGS should react to the threat. This way, a highly customized antivirus integration can be provided to the customer. As our proof of concept showed, MGS can work seamlessly with ClamAV, and it should be possible to integrate any other AV service thanks to the Business rules and the powerful event system of MGS.

Author: Luděk Novotný