Security Extension - File Scanning via Threat Intelligence Security Engines.

KARAM_SIDHU

I was imagining through the flow of security aspects in my mind and this is when i thought the need of an Extension that supports File Scanning via security engines with realtime threat intelligence and its implementation should be primarily [maybe completely] at the Front-End/Client-Side.

Files Uploaded by Users at the Front-End/Client-Side via File Uploading Extensions are directly stored in the Server over the designated folder. Which means, If there is a file that is infected in any form, It would directly hit the server and supposedly [Important] to have a proper server-site/layer security, but then somehow, the file has been uploaded and then it was found as malicious, Yes there is certain security solutions which scan the upload(s) before it is even allowed to be stored but then still the reliance would be purely on the server-site/layer security [Refer Diagram below].
Upload >> Server Security
*Relying on Single Security Facility/Source, Directly hits the Server Security where it is solely being dependent to scan and then either isolate or totally remove.

Now, With the presence of a Dedicated Extension for Security Engines, It would add a layer in between where whenever a User attempts to upload any type of file via the File Uploading extensions, The file would then be scanned and if found malicious or suspected as malicious it would then be blocked from being uploaded [Refer Diagram below].
Upload>>Security Engine Scan>>Server Security
*Dual Security Facility/Source = Better, Requires pass-through of the security engine and the again checked by the Server Security.

This Extension should be dedicated for the use via Security Engines via API and other keys only. It could probably be named as "Upload Guard"/"Upload Shield"/ etc.

If there is any Extension Developer that woud like to contribute towards this idea, You may begin the development with:

Option 1 : Light Scan [via Hashes only].
This method involves in calculating the unique identifier [hash] from the uploaded file content such as the MD5, SHA-1, or SHA-256, rather than Direct file upload. It is quite limited in its detection as it analyses via Unique Identifier's rather than analysing the entire file but then for the Initial launch upon development this should be fine. However, this method has some advantages as well in terms of efficiency in scanning large files, requires lesser resources and could serve the result quicker and it is available for free [If i am not mistaken] via Virus Total Public API.

Could be further Extended with:

Option 2 : Detailed Scan [Full Scan].
This method involves comprehensive scanning where the files are scanned completely via the Security Engines but then it is less convinient to be implemented at the initial development and launching stage of the extension as this method requires more conditional logics to be implemented in handling such files that are found to be malicious consists of the evaluation for highly malicious and minorly marked as malicious files. In addition to that, This method requires a Premium Paid Version of Service within most of the Security Engines. Therefore, It is not suitable for now. However, This method is shared to provide a clear picture to any developer that would like to work on this development that where would be another option which would be this.

Major Aspects to be Considered:

1] Implementation of Validation Checks ~ The Need of a Mechanism [To Code] to Fetch the hash to VirusTotal via API.

2] Prevent Storage Options ~ The need of a Mechanism [To Code] to store the files in a temporary/empty [Non-Critical] folder followed by Conditional Check [If Clean = Store/If Malicious = Remove] to Prevent the file from being stored in the Critical Folders that are closely related to our Flarum Site operations.

3] Display Failure and Flag the Post ~ In the event of Maliciousness detected, The user would be notified that its Uploaded File has failed due to suspected as malicious, whereas, the Administrator would be able to see the post specifically [As it is flagged] together with short statistics such as how many security services detect it as malicious out of how many that had scanned [VirusTotal has quite a number of security service providers integrated to it].

Thread to be Continued [In a Reply] over this.

Kindly share your thoughts if this is a relevant and workable solution.

clarkwinkelmann

Do you have any example of such plugins for other forum engines or CMS software? Are there other external APIs apart from VirusTotal that could be used?

You have to decide what your threat model is. Scanning files client-side only makes sense if you expect your trustworthy users to accidentally re-upload files they didn't know were already infected. If you worry about bad actors intentionally uploading malicious files you will need a server-side solution.

Most forums I know either don't allow upload or only allow images. The number of forums that need this extension would probably be very few.

Forums might also better benefit from a system that scans all files at the server filesystem level for vulnerabilities rather than only forum uploads, for those it wouldn't make sense to develop a solution that only integrates with the forum and not the entire operating system. Even a general purpose antivirus could be configured to only scan the folder that receives file uploads from the forum.

This could be a nice paid extension for forums that allow unrestricted file uploads of all sorts and need the extra security.

KARAM_SIDHU

clarkwinkelmann there are a few others as well but then those either requires certain installation at the server level as well which is less preferred as server level requires a highly capable antivirus and they're not up to that yet [at this moment] and using them as an add-on is not preferred as well. Whereas, The others that i know has very few security solutions integrated with their engine which is indirectly less intensive over known threats and some of it as well comes with high limitations on the number of scans available at their free tier and causes a number of false positives as well on the paid tier. Therefore, I recommended Virus Total as the number of security services integrated to it is quite alot which equivalent to huge and consistently updated library of threats which contributes to better detection, quite flexible in the setup and less false-positives as well.

Thanks, I just got the idea to conduct a check around if there is other forums specifically has the same solution and upon a simple peer-to-peer compare , I found that there are a few other similar forums that has pretty much same extension/plugin that works quite similar as well such as:
Xenforo-xen antivirus and phpBB VirusTotal Extension. However the workaround method is less similar as this solutions was developed quite sometime ago and not sure if it is still maintained.

You're right. Mostly only allow images to be uploaded as that is the only need and requirement at most and this indirectly reduces the risk/surface of attack as image files are non-executable files, but then, somehow images could also be used for malware spreading over techniques like steganography etc which could happen over the image upload by a user and the user might not have an intention nor knowing the existence of it but backed by bad actors to spread maliciousness wherever possible.

This solution is to complement the existing security infrastructure of a flarum based site which genuinely means, It shouldn't be used to replace a reputable, well known and proven security solutions at the server level that should consists of a Firewall and Antivirus.

Awaiting for more response towards this thread ..
Let's brainstorm and learn together ...