Steamed clams? Yes, you read that right. With some curly fries on the side, please?

There are hundreds of thousands of articles on security and safety. And a lot of them stress how important it is to never ever trust users. Not even your CMS users. 

To help keep your server secure (and protect your users at the same time), it’s a good idea to scan for viruses on uploaded files. This is when Steamed Clams comes in handy – this module scans for viruses in files you upload, or files already uploaded.

Installation

The tricky part of the module doesn't come from the module itself, but from having to make sure ClamAV is installed and available to your website user. Luckily, the ClamAV documentation and the documentation of the module are fairly easy to follow.

Once set up, you need to configure Steamed Clams to use the correct socket. It doesn’t really matter where the socket is, as you can configure it in your YML file.

In my case, on CentOS, this turned out to be:

SilbinaryWolf\SteamedClams\ClamAV:
 clamd:
    LocalSocket: '/var/run/clamd.scan/clamd.sock'

Which is slightly different from what's in the module's readme.

Usage

Once set up, the module is a breeze. Your files are scanned on upload and will be blocked when a virus is detected.

Also, files that are uploaded via a has_one or has_many relation are neatly scanned and blocked if they contain a virus.

So much for a nice bit of ham on your sandwich

Furthermore, you can scan files that have already been uploaded via the ClamAV ModelAdmin. If files are in need of scanning, you can see that in the grid view.

Files that were infected are indeed not on the server, so they’re also not downloadable by anyone. Neat!

When you happen to install this module on an existing website, it is, of course, a problem to scan all the files at once. This might take down your server due to load, or at the very best, slow it down.

To counter that problem, the module comes with a scheduled task (requiring the QueuedJobs module) that allows you to scan at a less stressing time for your site, e.g. at 3AM.

You can, of course, also run this task manually:

https://domain.com/dev/tasks/SilbinaryWolf-SteamedClams-ClamAVInstallTask

Test the results

To see what happens when you upload a virus, or when the service is temporarily available, the module comes with a mock scanner class to let you force a certain situation.

Versioned files and files uploaded to a CDN all work out of the box. All in all, I am pretty impressed by both the speed of this module in scanning and the added security it gives to your assets. I gave it a run for its money by having it scan over 1000 files varying from 50KB to 20MB, some of which contained the EICAR test so they were marked as malicious. It took a total of about 3 minutes to scan those.

I’m sorry, but none of the files above the fold were “infected”.

It is already namespaced and seems to work with SilverStripe 4 after a bit of adjusting, so that’s awesome.

If you need a little more security on the files uploaded to your website, especially if they are user content, give this module a spin. It’ll help you keeping your servers safe.