Virus scan uploaded files


I have a web application that will allow users to upload files to a web server that will then save them to a database. One of the security guys stated that all I will need to do is attempt to save the file to the web server which will kick off a virus scan. I can then delete the file and save it to the database. But, I have concerns about this:

  1. If I save a file temporarily to the web server, will the file fail to save if a virus is found?
    • If it fails, what type of exception should I expect?
  2. Is it a better idea to run the virus scanner from the command line?
  3. Is this safe? Reading this post, "File upload security Concern", I am concerned about this line: "Ensure that the directory you will save to is not readable by the web server, this way they don't upload a malware script and then execute it from their browser via an HTTP"
1

There are 1 answers

0
Mark Shapiro On

Some antivirus vendors have server-based tools which will allow you to programmatically submit a file to be scanned. For example, we have used the Symantec Scan Engine via the ICAP interface (see http://www.symantec.com/business/support/index?page=content&id=TECH83878).

Other antivirus vendors have other tools which provide the same or similar functionality.
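
The ICAP submission mentioned in the answer, sketched as an added example (not code from the answer or from any vendor): it wraps the uploaded bytes in an RFC 3507 RESPMOD request and maps the scanner's reply to a verdict, failing closed on anything unexpected. The service name `avscan`, the placeholder HTTP headers and the reliance on the `X-Infection-Found` / `X-Violations-Found` response headers are assumptions; check your scan engine's documentation for the values it uses.

```python
import socket

def build_respmod(data: bytes, host: str, service: str = "avscan") -> bytes:
    """Wrap file bytes in an ICAP RESPMOD request (RFC 3507)."""
    # Placeholder HTTP headers; the scanner only needs something to encapsulate.
    req_hdr = b"GET /upload HTTP/1.1\r\nHost: upload.invalid\r\n\r\n"
    res_hdr = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               b"Content-Length: %d\r\n\r\n" % len(data))
    # Encapsulated offsets are byte positions after the ICAP header block.
    icap_hdr = (f"RESPMOD icap://{host}/{service} ICAP/1.0\r\n"
                f"Host: {host}\r\nAllow: 204\r\n"
                f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
                f"res-body={len(req_hdr) + len(res_hdr)}\r\n\r\n").encode("ascii")
    # Chunked body; an empty file is just the zero-length terminator chunk.
    chunk = b"%x\r\n%s\r\n" % (len(data), data) if data else b""
    return icap_hdr + req_hdr + res_hdr + chunk + b"0\r\n\r\n"

def parse_verdict(raw: bytes) -> str:
    """Map an ICAP response to 'clean', 'infected' or 'error' (fail closed)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        return "error"
    names = {l.partition(":")[0].strip().lower() for l in lines[1:]}
    # Assumption: the server flags detections with these extension headers.
    if names & {"x-infection-found", "x-violations-found"}:
        return "infected"
    # 204 = nothing to modify. A 200 without those headers may carry replaced
    # content, so it is not treated as clean.
    return "clean" if parts[1] == "204" else "error"

def scan(data: bytes, host: str, port: int = 1344, timeout: float = 10.0) -> str:
    """Send the file to the scanner; any network failure counts as 'error'."""
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_respmod(data, host))
            while b"\r\n\r\n" not in buf:
                part = s.recv(4096)
                if not part:
                    break
                buf += part
    except OSError:
        return "error"
    return parse_verdict(buf)
```

Because the bytes go to the scanner straight from memory, the upload never has to be written to a directory the web server can serve, and only a `clean` verdict should lead to the database save.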