3

I have created an online web app for my company. It's being tested for security files. The tester loaded the EICAR text file. The virus scanner on the server caught and removed the file.

I have only allowed text, gif, jpg and pdf files for upload. How likely is it that a text file or image file has a virus? I know things have changed a lot lately. We are on Windows 7. My question is, is there even a need to run a virus scanner for such file types? Thanks.

user3586195
  • It's absolutely necessary. Even if you're not connected to the internet, if an internal malicious actor decided to try and steal company data, this could be a vector for attack. – RoraΖ Jan 09 '15 at 18:17
  • Is there a way you can hide a virus in an image (gif, jpg, bmp, tiff) or text file? A pdf is a different animal since it's more vulnerable to attacks due to complexity. – user3586195 Jan 09 '15 at 18:19

4 Answers

4

A long, long time ago there was a rumor that there was a virus able to infect gifs. All the wise people laughed at the idea of data executing code. But then buffer overrun attacks were discovered, and a bug in Internet Explorer that allowed a buffer overrun in gifs, essentially executing malicious code.

The moral of this story is a double-ended one. First: there is always a possibility that data could be used as a "virus-like" attack vector. Second: there was absolutely no possibility any virus scanner could have detected it before the attack was discovered.

I can only recommend scanning data files if there is a known attack which could compromise users during regular usage (and your AV detects it). Scanning every .txt for being a renamed .exe seems a bit overkill. More importantly, you should be ready to re-scan old, EXISTING files, in case a new attack is discovered. Scanning existing files is easy; the problem is what to do next - withholding access to the file, notifying its owner, etc. - it's a lot of work to design and implement such error-handling.

As raz said, pdfs are different beasts: they are already known to contain code and have to be scanned both on upload, and in storage in regular intervals.

Agent_L
0

Not to be the naysayer, but as Agent_L pointed out, if it is an attack vector it has some serious ifs attached to it.

E.g., there was once a bug in ClamAV that allowed malicious code execution by simply scanning an infected file... So the scanning process itself could be the attack vector.

Likewise, a multitude of automated processes may access the file depending on the environment; can you be certain it is simply static data and it will never be accessed by anything?

This is not to say you have to get paranoid about it, but you absolutely cannot rule out any file type as being potentially malicious if it is accessed by anything that could potentially be vulnerable and will be loading its data into memory.

ClamAV was not the only victim, just an example; there are many more (most likely more to be discovered, or worse yet, released), and those are just the AV products... See this paper on attacking antivirus for some reference.

http://www.blackhat.com/presentations/bh-europe-08/Feng-Xue/Whitepaper/bh-eu-08-xue-WP.pdf

Sabre
0

Can a pdf file contain a virus? Certainly. It's relatively common to find pdf files with malicious intent (although those still rely on a reader vulnerability).

Gif and jpeg files? There's sometimes a vulnerability in a parser of those formats (I remember a problem years ago with a jpeg subformat), but they are generally safe.

(Sidenote: I would also add png to the list of allowed formats.)

If you are performing an AV scan and it doesn't cause issues, I would keep it.

Now, what I strongly recommend is to check that they are indeed what they claim to be, and that it is not possible to confuse the browser into, e.g., serving as html what your application thought to be a txt or gif, which would have drastic consequences. There are even hybrid formats such as Gifar (a Jar disguised as a Gif) that could be used as an attack vector. So it is very important to be careful with the content-type, otherwise some browsers may go into guessing mode.

Ángel
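Checking that an upload really is the format its extension claims, rejecting a Gifar-style image-with-archive-trailer, and pinning the served Content-Type with nosniff, as an added Python example that is not part of Ángel's answer or the asker's application. The magic-byte table, the ZIP trailer check and the header set are my assumptions about one reasonable implementation (PNG is included because the answer suggests allowing it).

```python
import os

# Magic bytes for the allowed binary formats (constructed table, not from the page).
SIGNATURES = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"%PDF-": "application/pdf",
}
# Extension -> the MIME type the application will serve the file back as.
ALLOWED = {".gif": "image/gif", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
           ".png": "image/png", ".pdf": "application/pdf", ".txt": "text/plain"}
ZIP_EOCD = b"PK\x05\x06"  # end-of-central-directory record every ZIP/JAR ends with

def sniff(data):
    """Return the MIME type implied by the leading magic bytes, or None."""
    for magic, mime in SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None

def validate_upload(filename, data):
    """Return (accepted, mime_or_reason) for an uploaded file (assumed helper)."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not allowed"
    expected = ALLOWED[ext]
    if expected == "text/plain":
        if sniff(data) is not None or b"\x00" in data:
            return False, "binary content in .txt"
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "not utf-8 text"
        # A .txt that begins like markup is exactly what a sniffing browser renders as HTML.
        if text.lstrip().startswith("<"):
            return False, "markup in .txt"
        return True, expected
    if sniff(data) != expected:
        return False, "content does not match extension"
    # Gifar-style polyglot: valid image header in front, ZIP/JAR archive at the tail.
    if ZIP_EOCD in data[-65557:]:  # EOCD record plus the maximum ZIP comment length
        return False, "archive trailer found (polyglot)"
    return True, expected

def download_headers(mime, filename):
    """Headers that pin the type and stop the browser guessing it."""
    safe = os.path.basename(filename).replace('"', "")
    return {"Content-Type": mime,
            "X-Content-Type-Options": "nosniff",
            "Content-Disposition": f'attachment; filename="{safe}"'}
```

Scanning with AV still belongs after this step; the checks above only stop a file from being stored or served as something it is not.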
0
  1. First of all, never trust user input; always sanitize the code present in the image (jpg, gif (metadata), txt, pdf, docs, xml etc.) because they can contain php or asp shellcodes, XSS payloads (code which may help an attacker gain access).

  2. I don't know how effective the antivirus is in detecting these types of attacks because there are many ways to bypass it.

  3. Server misconfiguration and web vulnerabilities can lead gif/jpg or even text files, or any type of file, to execute on the server, or at least may provide an attacker with an attack surface.

So scanning files with antivirus may definitely help and is recommended, but you should remember that it is not a foolproof solution!