1 Reply Latest reply on Feb 18, 2014 1:17 PM by btlyric

    Anti-Malware scanning issues

    bornheim

      Hi,

      I've got several issues and questions around anti-malware scanning.

      1.) If I run into a progress page, there is a Cancel button. Clicking this button triggers a new page "The download of the requested file was canceled" but does not stop the download going on in the background, as you can see in /opt/mwg/temp: the downloaded file continues to grow until it reaches its final size.

      2.) After the file is downloaded at MWG, the progress page changes to "Scanning in progress". Clicking the Cancel button does not stop scanning the file, as you can see by monitoring top: the mwg-antimalware process still gets loads of CPU cycles.

      3.) Scanning 50 MB jar files seems to take forever. A system with 4 Intel Core2 Duo E7400 CPUs (2.8 GHz) does not get the job done within an hour. Any decent desktop scanner (including one by McAfee :-) does it in under a minute. Try downloading some of these examples:

           https://github.com/Graylog2/graylog2-server/releases/tag/0.20.0-rc.3

           https://github.com/Graylog2/graylog2-web-interface/releases/tag/0.20.0-rc.3

           https://github.com/Graylog2/graylog2-server/releases/tag/0.20.0-rc.1-1

      4.) Under Global Anti-Malware Settings there is a setting "Number of seconds a scanning job stays in the queue before being removed". What does that mean exactly? I would guess something like "if there are 25 AV threads and a 26th element enters the system and does not get a free thread within XX seconds, it is removed". And what does "is removed" mean exactly? "Block with <Anti-Malware Engine overloaded>"?

      5.) I feel like the thing to do to prevent users from cramming the system would be something like "if scanning of an object has already taken longer than XX seconds, then stop scanning it and throw a specific block page", and this block page would tell the user to talk to his/her MWG admin about the object. There is no such property as "scanning of this object has already taken longer than XX seconds", is there?

      6.) The next best thing to do would be to go for object size (property Body.Size). But there are objects and objects. Some can be scanned pretty fast, some (notably big archives with lots of small files inside) take forever. Can I implement some sort of white list with media types? "If the media type is on the white list, then allow downloading of objects up to XX MB. If it is not, then allow downloading of objects up to YY MB." This would require a MediaType property with early knowledge. Would something like "Body.Size greater than 10240000 AND MediaType.EnsuredTypes at least one in list XX" actually prevent scanning of an object?

      7.) There is a description of a property Body.IsAboveSizeLimit in the Product Guide which does not seem to be known to MWG 7.3.2.4.0.

      Kind regards,

      Robert