Wire-up Basic ClamAV for Mage (1752) #385

Open
S-S-T wants to merge 8 commits into develop from attach-scan-pix-1752

S-S-T commented Feb 11, 2026

PR Summary – Pre-Disk Attachment Scan

Overview

This PR implements pre-disk virus scanning for attachments using ClamAV. Attachments are validated by type (image, video, audio) and scanned before saving to the database. EICAR test files were used to verify that malicious files are correctly blocked, and valid attachments are successfully saved.

Of note: this GitLab ticket (1752) is one of 6 sequential tickets for this track of work. For this ticket, the implementation and wiring up of the Pix/ClamAV server was done, and some real-world attachment processing and testing. There are no 'bells, balloons or whistles' included in this branch; this is merely a p.o.c. that the PIX ClamAV server exists, that we at Mage can access it and 'forward' our attachment data to it for scanning and pass/fail, and that the back-end logs reflect that success or failure (there is no front-end update: no status messages, no error messages, no success messages, no timeouts, no warnings and no multi-file attachment saves, just one-per-time). As the next stories (1753, 4, 5, etc.) are completed, other requirements will be addressed.

Allowed MAGE System File Types

  • Images – e.g., .png, .jpg, .jpeg, .gif
  • Video – e.g., .mp4, .mov, .avi (depending on config)
  • Audio – e.g., .mp3, .wav, .ogg

Changes

  • Integrated ClamAV streaming scan for attachments before any disk write.
  • Updated observation attachment handling to reject files flagged by ClamAV.
  • Added attachment type validation (images, video, audio) for form att_clam_test.
  • Detailed debug logs to trace attachment processing lifecycle.

Testing Instructions

  1. Ensure you are logged into AWS
    aws sso login --profile magegov

  2. Start ClamAV port forwarding
    kubectl port-forward svc/clamav 3310:3310 -n clamav

  3. Launch the app server locally

  4. Test good file
    • Use a valid attachment
    • Upload through the observation form and verify it saves successfully

  5. Test malicious file
    • Create an EICAR test file (eicar.png) with the standard EICAR string
    • Attempt to upload through the same form
    • Verify that ClamAV detects the file and blocks the save

  6. Check logs
    • Confirm both paths: allocation of observation ID, attachment scan, and final result

Expected Results

  • Good files save successfully with proper attachment metadata.
  • EICAR or infected files are blocked, and error messages indicate virus detection.
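
The pre-disk streaming scan described in this PR, sketched as an added example that is not code from the PR or the MAGE code base: it frames an in-memory upload for clamd's INSTREAM command and parses the verdict, failing closed on anything other than an explicit OK. The function names, chunk size, timeout and default host are assumptions; port 3310 matches the port-forward in the testing instructions.

```javascript
// Added example (not the PR's code). Names, chunk size and timeout are assumptions.
const CHUNK = 64 * 1024;

// Build the bytes clamd expects: "zINSTREAM\0", then each chunk as
// <4-byte big-endian length><data>, then a zero-length chunk to end the stream.
function buildInstreamFrames(data, chunkSize = CHUNK) {
  const frames = [Buffer.from('zINSTREAM\0', 'ascii')];
  for (let off = 0; off < data.length; off += chunkSize) {
    const chunk = data.subarray(off, off + chunkSize);
    const len = Buffer.alloc(4);
    len.writeUInt32BE(chunk.length, 0);
    frames.push(len, chunk);
  }
  frames.push(Buffer.alloc(4)); // terminator: length 0
  return Buffer.concat(frames);
}

// Parse clamd's NUL-terminated reply. Anything that is not an explicit
// "stream: OK" counts as a failure, so a size-limit error, a truncated
// reply or an empty reply never lets an attachment through.
function parseClamdReply(raw) {
  const text = raw.toString('utf8').replace(/\0+$/, '').trim();
  if (text === 'stream: OK') return { clean: true, signature: null, error: null };
  const found = /^stream: (.+) FOUND$/.exec(text);
  if (found) return { clean: false, signature: found[1], error: null };
  return { clean: false, signature: null, error: text || 'empty reply' };
}

// Scan an upload held in memory, before any disk write. Always resolves to a
// verdict object; connection errors and timeouts resolve as not clean.
async function scanBuffer(data, { host = '127.0.0.1', port = 3310, timeoutMs = 10000 } = {}) {
  const net = await import('node:net');
  return new Promise((resolve) => {
    const chunks = [];
    const fail = (msg) => resolve({ clean: false, signature: null, error: msg });
    const sock = net.createConnection({ host, port }, () => sock.write(buildInstreamFrames(data)));
    sock.setTimeout(timeoutMs, () => { sock.destroy(); fail('timeout'); });
    sock.on('data', (c) => chunks.push(c));
    sock.on('error', (e) => fail(e.message));
    sock.on('end', () => resolve(parseClamdReply(Buffer.concat(chunks))));
  });
}
```

A caller would save the attachment only when `(await scanBuffer(buf)).clean` is true, and log `signature` or `error` otherwise.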

jmckomni left a comment

Can't merge until file types are not restricted

S-S-T force-pushed the attach-scan-pix-1752 branch from 7b41084 to 86a27dc, February 19, 2026 11:55