Merge pull request #495 from target/ScanClamAV

ScanClamAV

Author: skalupa

build/python/backend/Dockerfile

@@ -139,6 +139,20 @@ RUN mkdir jtr && cd jtr && git init && git remote add origin https://github.com/
     chmod -R 777 /jtr && \
     chown -R $USER_UID:$USER_UID /jtr
 
+# Install ClamAV
+RUN apt-get update -qq && \
+    apt-get install -qq -y --no-install-recommends \
+    clamav \
+    clamav-base \
+    clamav-daemon \
+    clamav-freshclam 
+
+# Update permissions for relevant fresclam log files
+RUN touch /var/log/clamav/freshclam.log
+RUN chmod 777 /var/log/clamav/freshclam.log
+RUN chown clamav /var/log/clamav/freshclam.log
+RUN chown 1001:1001 /var/lib/clamav
+
 # Install Poetry globally and copy project files
 RUN python3 -m pip install -U pip setuptools && \
     python3 -m pip install poetry && \

configs/python/backend/backend.yaml

@@ -69,6 +69,11 @@ scanners:
           - 'application/x-bzip2'
           - 'bzip2_file'
       priority: 5
+  'ScanClamav':
+    - positive:
+        flavors:
+          - '*'
+      priority: 5
 #  'ScanCcn':
 #    - positive:
 #        flavors:

src/python/strelka/scanners/scan_clamav.py

@@ -0,0 +1,96 @@
+import shutil
+import subprocess
+import tempfile
+
+from strelka import strelka
+
+
+class ScanClamav(strelka.Scanner):
+    """
+    This scanner runs against a given file and returns a ClamAV scan that has a determination if the file is infected
+    or not based on the ClamAV signature database.
+
+    Scanner Type: Collection
+
+    Attributes:
+        None
+
+    ## Detection Use Cases
+    !!! info "Detection Use Cases"
+        - **Scan Determination**
+            - This scanner provides a inital determination on a file if it is infected or not based on the
+              the ClamAV signature database.
+
+    ## Known Limitations
+    !!! warning "Known Limitations"
+        - **ClamAV Signature Database**
+            - This scanner relies on the ClamAV signature database which is not necesarily all-encompassing. Though
+              the scanner may return a determination, users should be advise that this is not exaustive.
+
+    ## To Do
+    !!! question "To Do"
+        - The ClamAV signature database is currently pulled every scan as a POC. This could be converted to a
+          signature pull on a cadence, such as every 24 hours.
+
+    ## References
+    !!! quote "References"
+    - [ClamAV Documentation Source](https://docs.clamav.net/Introduction.html)
+    - [BlogPost on ClamAV Scanner](https://simovits.com/strelka-let-us-build-a-scanner/)
+
+    ## Contributors
+    !!! example "Contributors"
+        - [Sara Kalupa](https://github.com/skalupa)
+
+    """
+
+    def scan(self, data, file, options, expire_at):
+        try:
+            # Check if ClamAV package is installed
+            if not shutil.which("clamscan"):
+                self.flags.append("clamav_not_installed_error")
+                return
+        except Exception as e:
+            self.flags.append(str(e))
+            return
+
+        try:
+            with tempfile.NamedTemporaryFile(dir="/tmp/", mode="wb") as tmp_data:
+                tmp_data.write(data)
+                tmp_data.flush()
+                tmp_data.seek(0)
+
+                # Run freshclam to gret the newest database signatures
+                stdout, stderr = subprocess.Popen(
+                    ["freshclam"],
+                    stdout=subprocess.PIPE,
+                    stderr=subprocess.PIPE,
+                ).communicate(timeout=self.scanner_timeout)
+
+                temp_log = tempfile.NamedTemporaryFile(dir="/tmp/", mode="wb")
+                loglocation = "--log=" + temp_log.name
+
+                # Run the actual ClamAV scan and report to local temp log file
+                process = subprocess.Popen(
+                    ["clamscan", "--disable-cache", loglocation, tmp_data.name],
+                    stdout=subprocess.PIPE,
+                    stderr=subprocess.PIPE,
+                )
+                stdout, stderr = process.communicate()
+
+                with open(temp_log.name, "r") as file:
+                    for line in file:
+                        if ":" in line:
+                            # Attempt to split out scan information
+                            splitline = line.split(":")
+                            self.event[splitline[0]] = splitline[1].strip()
+                        else:
+                            continue
+
+        except strelka.ScannerTimeout:
+            raise
+        except Exception:
+            self.flags.append("clamAV_Scan_process_error")
+            raise
+        finally:
+            # Ensure that tempfile gets closed out if there are any issues
+            tmp_data.close()

src/python/strelka/tests/test_scan_clamav.py

@@ -0,0 +1,35 @@
+from pathlib import Path
+from unittest import TestCase, mock
+
+from strelka.scanners.scan_clamav import ScanClamav as ScanUnderTest
+from strelka.tests import run_test_scan
+
+
+def test_scan_clamav(mocker):
+    """
+    Pass: Sample event matches output of scanner.
+    Failure: Unable to load file or sample event fails to match.
+    """
+    test_scan_event = {
+        "Data read": "0.51 MB (ratio 1.06",
+        "Data scanned": "0.54 MB",
+        "End Date": mock.ANY,
+        "Engine version": "0.103.12",
+        "Infected files": "0",
+        "Known viruses": "8706344",
+        "Scanned directories": "0",
+        "Scanned files": "1",
+        "Start Date": mock.ANY,
+        "Time": mock.ANY,
+        "elapsed": mock.ANY,
+        "flags": [],
+    }
+
+    scanner_event = run_test_scan(
+        mocker=mocker,
+        scan_class=ScanUnderTest,
+        fixture_path=Path(__file__).parent / "fixtures/test.png",
+    )
+
+    TestCase.maxDiff = None
+    TestCase().assertDictEqual(test_scan_event, scanner_event)