Options
  • State Suggested Answer
  • Replies 8 replies
  • Answers 1 answer
  • Subscribers 11 subscribers
  • Views 373 views
  • Users 0 members are here
Related

Where exactly virus scanning is happening when a file uploaded via rest API. Could you someone help on this?

Ranjith M

Hi, in Our organization we are using M-Files default rest API & a custom rest API. We have application & proxy server separate and both servers are defender Realtime scanning is enabled (as usual installation M-Files directory & process has been excluded from scanning), We are trying to find where exactly virus scanning is happening when a file uploaded via rest API. Could you someone help on this? (AMSI (Antimalware Scan Interface) is NOT enabled )

I tried to investigate this with help of process monitor tool in App & Proxy servers, but unable find any scan operation for uploaded files via rest API is happening.

Parents
  • 0

    If you are looking for where temp file is located, I'd go and feed a file that is guaranteed to raise an alarm (preferably, false positive :) ) via rest API.. 

    However, as this will raise alarm in anti-virus/anti-malware system, there is a good chance the M-Files and IIS executables will be quarantined and this most probably will comprimise IIS and M-Files operations. So, if I'm gonna do it, I'd do it in a test environment on off-hours :) 

  • 0 in reply to CagriE

    In our test environment i enabled the Antimalware scan in our Application servers as below.
    second registry key not enabled, as we know our AV configured in a correct way.

    "EnableAntimalwareScanner"=dword:00000001”
    "TreatAntimalwareScannerErrorsAsTransferBlockingErrors"=dword:00000000”

    Then, i uploaded a EICAR.txt (Industry standard virus file for test file)  via rest API and got response that "Upload session is not found" and in server defender already quarantined the same.

    I tried to find the temp location where the detection happen with help of procmon tool, unfortunately unable to spot.
    But in AV report its processed and detected from M-Files installation directory & process.

    i have not tested this without AMSI, but need to verify this as well to know how it works.

Reply
  • 0 in reply to CagriE

    In our test environment i enabled the Antimalware scan in our Application servers as below.
    second registry key not enabled, as we know our AV configured in a correct way.

    "EnableAntimalwareScanner"=dword:00000001”
    "TreatAntimalwareScannerErrorsAsTransferBlockingErrors"=dword:00000000”

    Then, i uploaded a EICAR.txt (Industry standard virus file for test file)  via rest API and got response that "Upload session is not found" and in server defender already quarantined the same.

    I tried to find the temp location where the detection happen with help of procmon tool, unfortunately unable to spot.
    But in AV report its processed and detected from M-Files installation directory & process.

    i have not tested this without AMSI, but need to verify this as well to know how it works.

Children
  • 0 in reply to Ranjith M

    So no path of the file as it shows the path of blocked executables... I suppose you already checked the usual temp paths ? C:\Windows\Temp\.MFilesApplicationTemp and IIS temp ?

  • 0 in reply to CagriE

    Yes, no evidence that the file is detected from any temp path.
    Defender detects below M-Files directory alone before it executing. Another thing is that via rest API, Desktop client, web client, The detection/quarantine happens in Application server.

    Process: [XXX] MFServer.exe: "mfserver.exe" /SCM (Company: M-Files Corporation, Path: C:\Program Files\M-Files\"Version"\Bin\x64\MFServer.exe) was prevented from executing malicious code 

  • 0 in reply to Ranjith M

    Maybe the transport between web(proxy) and application server is not encrypted so the file gets detected by network watch component ? 

  • 0 in reply to CagriE

    I can confirm that during M-Files document processing time in Application server the detection is happening and blocking the same.

    How i confirmed as below.
    i have updated below registry value

    "EnableAntimalwareScanner"=dword:00000001”
    "TreatAntimalwareScannerErrorsAsTransferBlockingErrors"=dword:00000000”

    As below in application server & MFServer services restarted, meaning that antimalware scanning disabled. 

    "EnableAntimalwareScanner"=dword:00000000”
    "TreatAntimalwareScannerErrorsAsTransferBlockingErrors"=dword:00000000”

    Then i again uploaded a EICAR.txt file via rest API and its getting uploaded to the vault successfully.

M-Files
M-Files Support


© 2024 M-Files, All Rights Reserved.