File Upload / Virus Risk

[Andrew Robinson]

I am working on an application and the customer would like the ability for
users to attach / upload a Word document. This document will be stored on
the web server directly into SQL and later be viewed by the customer after
being replicated across a SQL Server.

I am not too worried about virus risks on the web server since the upload
will be saved directly to SQL but what are my risks on the desktop machines
that are used to later view the document? They do have up to date AV
software but am wounding if there are any best practies that can allow this
kind of thing to be done in a safe(r) way? Uploads will be limited to Word
(.doc) files.

 

[Steven Cheng[MSFT]]

Hello Andrew,

Thank you for posting in the ASP.NET newsgroup.

From your description, I understand you're developing an ASP.NET web
application which will let the user upload and download(and view) some word
documents. Currently you're wondering how to properly perform anti-virus
protection on those word documents downloaded by the client users, correct?

Based on my experience, as for ASP.NET web application, it is web page
based, so after the server-side application flush the word document( or
other binary content) out, the control is completely passed to the client
machine(web browser) and our server-side code can not do any thing further
upon the outputed document. Therefore, to provide anti-virus protection,
the most reasonable and doable means is use anti-virus component to perform
virus scan upon the word document(checking macro virus attack) before flush
it to client response stream. You can find that most web mail system such
as Hotmail, Yahoo... is using virus scan component to verify email
attachments' security before let the client user download them. As far as
I know, those famous anti-virus software vendor like Macfee, Trend ...
provide such components

Please feel free to post here if you have any other concerns or questions
on this.

Thanks & Regards,

Steven Cheng
Microsoft MSDN Online Support Lead


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Steven Cheng[MSFT]]

Hello Andrew,

Have you got any further ideas on this issue or does the suggestion in my
last reply helps you some? If there is any further things we can help,
please feel free to post here.

Regards,

Steven Cheng
Microsoft MSDN Online Support Lead


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[punahou1980]

antivirus api

Hi Andrew,
you may want to check out Metascan -- an API that supports integration of many antivirus applications from many vendors. Product supports file, folder and stream scanning by one or multiple AVs in parallel.

Product page http://www.opswat.com/metascan.shtml

Metascan includes sample code projects in ASP.NET, C++, Java, etc. Support for ICAP slated in Q2 2008.

There is a live demo of Metascan powering 6 AVs in a web-based (PHP?) file-upload use case--www.filterbit.com