Out of a strange twist of fate, I have found myself working on two separate pieces of work that share virus scanning of uploaded files within a web application as a requirement. The gist of the use case is:
– the user uploads a file
– the system scans it
– if a virus is detected, the system presents the user with a nice error message
It’s nothing spectacular and if you want to see implementations of it, you need look no further than Gmail/Hotmail/Yahoo Mail.
Having drilled through Google, there simply doesn’t seem to be much help readily at hand. Even commercial software doesn’t seem to offer much. If you’re looking around for a solution your options are:
– take the uploaded file and pipe it through an appliance via a web service or other. Not only is this time consuming but it smells like a kludge.
– run a natively installed virus scanner on the server and parse the response. This is even worse! What happens if you develop on Windows and deploy on Unix? How do you test this?
– use a native API provided by an anti-virus vendor. Doable, if any vendors actually exposed APIs. Did some quick checking and none of the big boys have it on feature sheets.
– use an adapter API that plugs over the top. Opswat provide an API which works from a number of languages on Windows and Unix. Pricing is not advertised (I instantly look elsewhere whenever I see this sort of thing).
I don’t have a satisfactory answer just yet. There has to be an easier way. Given the pervasiveness of this type of requirement I’m surprised that a JSR for virus scanning or an Open Source Java adapter hasn’t popped up.