Anti-virus capability on your Silverstripe Cloud environment is optionally provided through the use of ClamAV, which runs as a service and allows your application code to submit files for a scan, such as using the community-maintained symbiote/silverstripe-steamedclam module.
There are some important factors to consider before you enable anti-virus on your Silverstripe Cloud environment.
Stack size
As ClamAV loads its definitions into memory when it's first launched, smaller stack sizes such as a Micro or Solo may not have enough memory, and the performance overhead of ClamAV can exhaust server resources, causing outages and preventing deployments from succeeding.
Mode of operation
ClamAV does not intercept network traffic, perform real-time filesystem scans, or perform scans on the assets folder unless requested by the website code. You must install a Silverstripe module or write custom code for your code to send files to the ClamAV service for them to be scanned.
Support options
ClamAV is provided on an as-is basis and support may be limited.
Installation
Installing ClamAV requires the following to be added to your .platform.yml file and the changes to be deployed.
environment:
prod:
clamav: {}
Once deployed, your module or code should be able to connect to the ClamAV service now running on the server.
Troubleshooting
Access denied / safe files being flagged
If ClamAV marking safe files as viruses, check to see if the permissions are correct on the file. They should be at least 0660 to ensure the www-data user and group can read and write to the file. ClamAV runs as a dedicated user as part of the www-data group, meaning as long as the group permissions are set correctly on the file, ClamAV should be able to scan it.