https://man.liquidfiles.com
LiquidFiles Documentation

LiquidFIles has the ability to run custom external filescanner. This enables running AV solutions in addition to the builtin ClamAV scanner, or integration with DLP solutions or similar.

Installation of custom AV engines and similar is not covered by this guide. As long as you use standard CentOS yum packages, you should be fine.

Custom filescanning is performed by creating a script, /usr/local/bin/filescan (needs to be executable - chmod 644 /usr/local/bin/filescan), that will be executed like:

env EMAIL= GROUP= /usr/local/bin/filescan /path/to/uploaded/file

The script uses exit codes to determine if the file was clean/permitted or not.

  • An exit code of 0 means that the attachment will be permitted.
  • An exit code of 1 or above means that the file will be deleted and marked as virus infected.

Any output from the script will be fed back to the user as the reason to why the file was not permitted. The output will be silently ignored if the file was permitted.

By using either the EMAIL of GROUP environment variable, you can create a different policy for different users.

Please note that you can use any programming language that you're comfortable with, that can be executed on the LiquidFiles system. Typically this would mean: perl, ruby, python, bash, sh or c.

A very basic example of a filescan script would like like this:

#!/usr/bin/env ruby
#
# Install as /usr/local/bin/filescan and
# chmod 755 /usr/local/bin/filescan to make it executable
#
if ARGV[0] =~ /\.png$/i
  puts "PNG's are not allowed"
  exit 1
end

This script will simply check if the filename ends in .png or not.

A more complex example like the following assumes that you have an AV scanner installed. In this example it is assumed that Sophos AV is already installed:

#!/bin/bash
#
# install as /usr/local/bin/filescan and
# chmod 755 /usr/local/bin/filescan to make it executable
#
# Sophos - comercial AV scanner for Unix systems
#
# sweep - sophos scanner tool
#
# Parameters:
#   -q         Quick scan
#   -ss        Don't display anything except on error or virus
#   -archive   Scan compressed files (zip, gzip, arj, cmz, tar, rar, cab)
#
# Exit code:
#     0        No virus has been found
#     3        Virus has been found

file_path="$1"

if [[ -f "$file_path" ]]; then
    result=$(/usr/local/bin/sweep -q -ss -archive  $file_path)
    exit_code=$(echo $?)

     if [[ $exit_code > 0 ]]; then
         echo "Sophos AV result: $result"
     fi
 
exit $exit_code

fi

These examples should serve as a starting point when creating your own scripts.