We are implementing an enterprise application with a heavy focus on security, which includes the uploading of files. These files need to be virus scanned, but also need to be encrypted.
The current process is that the files are uploaded and then streamed - through an encrypter - to a temporary storage area on disk. The virus scanner is then called and the files are decrypted on the fly, streamed through to ClamAV via a socket - and the virus status is then returned from the socket.
The problem is that ClamAV seems to write to a temporary area on disk before scanning, which means unencrypted, potentially-sensitive data on the file-system.
Does anyone know how to fix this? Possibly by configuring ClamAV to scan in-memory only (my Google search yielded no results), or maybe some alternative suggestions?
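The decrypt-and-stream step described in the question, as an added example that is not code from the original post: it frames an iterator of already-decrypted chunks into clamd's INSTREAM wire format (the command is documented in clamd(8)) and parses the one-line reply. The socket path is a placeholder, the reply strings used below are constructed samples, and the caller is assumed to supply the decrypting iterator. Plaintext only ever lives in the in-memory buffers on this side of the socket.

```python
"""Stream decrypted chunks to clamd over a UNIX socket with INSTREAM.

Added example (not from the original question). Assumptions: clamd is
listening on the UNIX socket below (placeholder path), and the caller
hands in an iterator that yields decrypted plaintext chunks.
"""
import socket
import struct
from typing import Iterable, Iterator, Tuple

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # placeholder, adjust to your install
CHUNK_SIZE = 64 * 1024                      # size the decrypting iterator should use


def frame_instream(chunks: Iterable[bytes]) -> Iterator[bytes]:
    """Yield the wire bytes of one zINSTREAM session.

    Protocol: the command "zINSTREAM\\0", then each chunk as a 4-byte
    big-endian length followed by the data, then a zero length that marks
    end of stream. An empty chunk would be read by clamd as end of stream,
    so empty chunks are skipped rather than sent.
    """
    yield b"zINSTREAM\0"
    for chunk in chunks:
        if not chunk:
            continue
        yield struct.pack(">I", len(chunk)) + chunk
    yield struct.pack(">I", 0)


def parse_reply(reply: bytes) -> Tuple[str, str]:
    """Map clamd's NUL-terminated reply to (status, signature).

    "stream: OK"            -> ("OK", "")
    "stream: <sig> FOUND"   -> ("FOUND", "<sig>")
    anything else (e.g. the StreamMaxLength error) -> ("ERROR", full text)
    """
    text = reply.rstrip(b"\0").decode("utf-8", "replace").strip()
    if text.endswith(" OK"):
        return "OK", ""
    if text.endswith(" FOUND"):
        body = text.split(":", 1)[1].strip()          # "<sig> FOUND"
        return "FOUND", body[: -len(" FOUND")].strip()
    return "ERROR", text


def scan_chunks(chunks: Iterable[bytes], sock_path: str = CLAMD_SOCKET) -> Tuple[str, str]:
    """Send decrypted chunks to clamd and return the parsed verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        for wire in frame_instream(chunks):
            s.sendall(wire)
        reply = b""
        while not reply.endswith(b"\0"):      # zINSTREAM replies end with NUL
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    # Usage sketch: `decrypting_iter` would be the application's own
    # on-the-fly decryptor yielding CHUNK_SIZE plaintext chunks.
    decrypting_iter = iter([b"constructed plaintext sample"])
    print(scan_chunks(decrypting_iter))
```

Two things to check on the clamd side when using this: clamd's StreamMaxLength directive caps how much INSTREAM accepts (the reply is then an ERROR line, which parse_reply passes through), and the in-memory stream does not by itself stop clamd from unpacking archives or documents into its TemporaryDirectory, which is the disk write the question is about.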
I'm assuming here that you are using clamd, since you are talking to it via a socket, not clamscan, the CLI tool.
In that case you can configure it via the TemporaryDirectory directive in your clamd.conf to point to an encrypted filesystem for temp storage, using something like dm-crypt (https://help.ubuntu.com/community/EncryptedFilesystemHowto). I hope this helps.
Reference from man 5 clamd.conf:
TemporaryDirectory STRING
Optional path to the global temporary directory.
Default: system specific (usually /tmp or /var/tmp).
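A check for the configuration the answer recommends, as an added example rather than anything from the answer or from ClamAV: it reads TemporaryDirectory from clamd.conf (falling back to /tmp, per the man page default quoted above), finds the mount that holds that directory, and reports whether the mount's source is a dm-crypt device. The clamd.conf fragment and the mount table below are constructed samples in /proc/self/mountinfo format; the dm-crypt test relies on the device-mapper UUID of cryptsetup devices beginning with "CRYPT-", and the live lookup of that UUID is best-effort and fails closed.

```python
"""Verify that clamd's TemporaryDirectory lives on a dm-crypt mapped device.

Added example, not from the original answer. Assumptions: clamd.conf lines
are "Directive value" with '#' comment lines, the mount table is in
/proc/self/mountinfo format, and a dm-crypt device shows up as
/dev/mapper/<name> whose DM uuid starts with "CRYPT-".
"""
import os
from typing import Callable, Dict, List, Optional, Tuple

DEFAULT_TMP = "/tmp"   # man 5 clamd.conf: "system specific (usually /tmp or /var/tmp)"

# Constructed sample: clamd.conf fragment and mount table used for the demo.
SAMPLE_CONF = """\
# constructed clamd.conf fragment
LocalSocket /var/run/clamav/clamd.ctl
TemporaryDirectory /var/lib/clamav/tmp
"""
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
40 22 253:0 / /var/lib/clamav/tmp rw,nosuid,nodev,noexec - ext4 /dev/mapper/clamtmp rw
41 22 0:30 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
"""

Mount = Tuple[str, str, str]   # (mountpoint, fstype, source)


def parse_clamd_conf(text: str) -> Dict[str, str]:
    """Return the last value for each directive; comments and blanks ignored."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_mountinfo(text: str) -> List[Mount]:
    """Extract (mountpoint, fstype, source) from mountinfo lines.

    Fields before " - " are fixed then optional; mountpoint is field 5,
    and the two fields after the separator are fstype and source.
    """
    mounts: List[Mount] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, post = line.split(" - ", 1)
        mountpoint = pre.split()[4].replace("\\040", " ")
        fstype, source = post.split()[:2]
        mounts.append((mountpoint, fstype, source))
    return mounts


def mount_for(path: str, mounts: List[Mount]) -> Optional[Mount]:
    """Longest-prefix match: the mount that actually holds `path`."""
    path = os.path.normpath(path)
    best: Optional[Mount] = None
    for m in mounts:
        mp = m[0]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = m
    return best


def read_dm_uuid(source: str) -> Optional[str]:
    """Live lookup of the DM uuid via sysfs; None if unavailable (fail closed)."""
    try:
        dm_node = os.path.basename(os.path.realpath(source))   # e.g. dm-0
        with open(f"/sys/class/block/{dm_node}/dm/uuid") as f:
            return f.read().strip()
    except OSError:
        return None


def is_dm_crypt(source: str, dm_uuid: Optional[str]) -> bool:
    """dm-crypt devices are /dev/mapper/* with a DM uuid of the form CRYPT-..."""
    return source.startswith("/dev/mapper/") and bool(dm_uuid) and dm_uuid.startswith("CRYPT-")


def check_tmpdir(conf_text: str, mountinfo_text: str,
                 uuid_of: Callable[[str], Optional[str]] = read_dm_uuid) -> Tuple[str, bool, str]:
    """Return (tmpdir, encrypted?, description of the backing mount)."""
    conf = parse_clamd_conf(conf_text)
    tmpdir = conf.get("TemporaryDirectory", DEFAULT_TMP)
    m = mount_for(tmpdir, parse_mountinfo(mountinfo_text))
    if m is None:
        return tmpdir, False, "no mount found"
    return tmpdir, is_dm_crypt(m[2], uuid_of(m[2])), f"{m[0]} ({m[1]} on {m[2]})"


if __name__ == "__main__":
    # Live run against a real host; paths are the usual ones, adjust if yours differ.
    with open("/etc/clamav/clamd.conf") as conf_f, open("/proc/self/mountinfo") as mi_f:
        print(check_tmpdir(conf_f.read(), mi_f.read()))
```

Note what the fallback case shows: with no TemporaryDirectory set, clamd uses /tmp, and in the sample table that is a tmpfs. tmpfs is memory-backed but its pages can be swapped out, so it only counts as "not on disk" when swap is encrypted or absent; the check therefore treats it as unencrypted.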