LiquidFiles Documentation

The following article outlines how the Antivirus scanning works in the LiquidFiles appliance and what options are available.

The LiquidFiles appliance uses ClamAV as it's antivirus scanning engine. The AV signatures are configured to be automatically updated every two hours. To enable other virus scanning engines, please follow the guidelines as outlined in the Custom File Scanning Documentation. Also, please make sure that you have enabled outgoing http as outlined in the Network, Firewall and DNS guideline to ensure that AV signatures can be downloaded.

Antivirus scanning is one of the most CPU intensive operations in the LiquidFiles appliance and one that sometimes caused some problems. Installations previous to 1.7.4 used a very direct methodology of scanning files as they where uploaded. This lead to problems on quite a few occations where processing of the virus scanning took longer than the browser timeout and the message would fail with a nasty error.

Starting with 1.7.4 an onwards, the Antivirus scanning now happens after a file has been uploaded and stored. The primary reason for this is performance. Since AV scanning normally takes a couple of seconds, but can take up to a couple of minutes on a loaded system, this is typically way less than the time for the recipient to receive the message and them attempting to download it. This means that for the overwhelmingly majority of cases, antivirus scanning will therefore not take any noticeable time.

In order to further speed up the processing of files, the system now checks (via a SHA1 checksum) if the file has been scanned previously and it won't be scanned again (the cache expires after 28 days). There's also a setting to skip scanning of local users files. If you trust that you already have a solid antivirus strategy in place within your own organisation, you can turn off antivirus scanning for local users. This is not the default setting.

When a file has been marked to be scanned, it will be placed in a queue. There are two workers running and will scan files in parallell as long as there are files to scan. Previously, many parallell scannings could happen if many people where sending at the same time. This current implementation should lead to more consistent general performance as the number of parallell scans are now fixed.

This change also leads to a couple of obvious questions:

What happens when a virus is detected?

When a virus is detected, the file will be deleted off the system and marked as deleted.

What happens when someone tries to download a file and it's not yet been scanned?

The default is to not let anyone download a file that hasn't been scanned. But this is a configurable setting. You can allow users to download files that hasn't yet been scanned. The files will still be scanned and deleted if found to contain a virus. It won't save anyone already downloaded the file but won't permit the file to be downloaded any further. Enable this only if you consider antivirus scanning to be a "nice to have" rather than a must.