Where exactly does virus scanning happen when a file is uploaded via the REST API? Could someone help on this?

Hi, in our organization we are using the M-Files default REST API and a custom REST API. We have separate application and proxy servers, and Defender real-time scanning is enabled on both (as usual, the M-Files installation directory and process have been excluded from scanning). We are trying to find where exactly virus scanning happens when a file is uploaded via the REST API. Could someone help on this? (AMSI (Antimalware Scan Interface) is NOT enabled.)

I tried to investigate this with the help of the Process Monitor tool on the app and proxy servers, but I was unable to find any scan operation happening for files uploaded via the REST API.

  • If you are looking for where the temp file is located, I'd go and feed a file that is guaranteed to raise an alarm (preferably a false positive :) ) via the REST API.

    However, as this will raise an alarm in the anti-virus/anti-malware system, there is a good chance the M-Files and IIS executables will be quarantined, and this will most probably compromise IIS and M-Files operations. So, if I'm gonna do it, I'd do it in a test environment during off-hours :)

  • In our test environment I enabled the antimalware scan on our application servers as below.
    The second registry key is not enabled, as we know our AV is configured in the correct way.

    "EnableAntimalwareScanner"=dword:00000001
    "TreatAntimalwareScannerErrorsAsTransferBlockingErrors"=dword:00000000

    Then I uploaded an EICAR.txt (the industry-standard test file for virus scanners) via the REST API and got the response "Upload session is not found", and on the server Defender had already quarantined the same file.

    I tried to find the temp location where the detection happens with the help of the procmon tool; unfortunately I was unable to spot it.
    But in the AV report it was processed and detected from the M-Files installation directory and process.

    I have not tested this without AMSI, but I need to verify this as well to know how it works.
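    Below is an added example of the test run described in this thread, scripted in PowerShell. It is not code from M-Files or from either poster. It assumes the M-Files Web Service endpoints POST /REST/server/authenticationtokens (returning a Value token) and POST /REST/files (accepting raw bytes and returning an UploadID) behave as in the public M-Files REST documentation, that Microsoft Defender is the AV on the application server (so Get-MpThreatDetection from the Defender module is available there), and that $VaultUrl, $VaultGuid and $AppServer are placeholders you replace. The EICAR bytes are sent straight from memory so the client's own real-time scanner does not quarantine the file before the request leaves; only the server-side scan is exercised. The final step pulls Defender's own detection records for the test window, which is what eventually showed the poster the path and process, where procmon alone did not.

```powershell
# Added example for this thread, not M-Files code or the posters' code.
# Assumptions: M-Files REST endpoints as documented publicly; Defender is the AV;
# $VaultUrl, $VaultGuid, $AppServer are placeholders. Run in a TEST environment,
# during off-hours, as the first reply advises.

function New-EicarBytes {
    # The EICAR test string is the industry-standard, harmless AV test signature.
    # It is assembled from two halves only so that saving this script does not
    # itself trigger quarantine; the bytes never touch the client's disk.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    return [System.Text.Encoding]::ASCII.GetBytes($eicar)
}

function Get-MFilesToken {
    param([string]$VaultUrl, [string]$VaultGuid, [pscredential]$Credential)
    $body = @{
        Username  = $Credential.UserName
        Password  = $Credential.GetNetworkCredential().Password
        VaultGuid = $VaultGuid
    } | ConvertTo-Json
    $resp = Invoke-RestMethod -Method Post -Uri "$VaultUrl/REST/server/authenticationtokens" `
                              -ContentType 'application/json' -Body $body
    return $resp.Value
}

function Send-MFilesTestUpload {
    # Pushes the EICAR bytes into the vault's temporary upload area and reports
    # whether the server accepted or rejected the upload. In the thread the reply
    # was "Upload session is not found" once the scanner had quarantined the temp file.
    param([string]$VaultUrl, [string]$Token, [byte[]]$Bytes)
    $headers = @{ 'X-Authentication' = $Token }
    try {
        $upload = Invoke-RestMethod -Method Post -Uri "$VaultUrl/REST/files" -Headers $headers `
                                    -ContentType 'application/octet-stream' -Body $Bytes
        return [pscustomobject]@{ Accepted = $true; UploadID = $upload.UploadID; Message = 'accepted' }
    } catch {
        $status = $null
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        return [pscustomobject]@{ Accepted = $false; UploadID = $null; Message = "$status $($_.ErrorDetails.Message)" }
    }
}

function Get-RecentDefenderDetections {
    # Defender's own detection log on the application server: which path and
    # which process it flagged, and when. Compare the Resources column with the
    # M-Files installation directory that the thread saw in the AV report.
    param([string]$AppServer, [datetime]$Since)
    Invoke-Command -ComputerName $AppServer -ScriptBlock {
        Get-MpThreatDetection |
            Where-Object { $_.InitialDetectionTime -ge $using:Since } |
            Select-Object InitialDetectionTime, ProcessName,
                          @{ n = 'Resources'; e = { $_.Resources -join '; ' } }
    }
}

# --- test run (placeholders) ---
$VaultUrl  = 'https://mfiles-test.example.local'        # placeholder
$VaultGuid = '{00000000-0000-0000-0000-000000000000}'   # placeholder
$AppServer = 'mfiles-app-test'                          # placeholder
$since     = (Get-Date).AddMinutes(-1)

$token  = Get-MFilesToken -VaultUrl $VaultUrl -VaultGuid $VaultGuid -Credential (Get-Credential)
$result = Send-MFilesTestUpload -VaultUrl $VaultUrl -Token $token -Bytes (New-EicarBytes)
"Upload accepted: $($result.Accepted) ($($result.Message))"

Start-Sleep -Seconds 15   # give Defender time to record the detection
Get-RecentDefenderDetections -AppServer $AppServer -Since $since | Format-Table -AutoSize
```

    Run it once with EnableAntimalwareScanner set to 1 and once with it set to 0 in the test vault. If the upload is accepted and no detection appears in the window, nothing scanned the temporary file during the upload itself; if the upload is rejected and a detection lists a path under the M-Files installation directory, that detection record is the answer to where the scan happened, regardless of what procmon shows.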
