File uploads to your Drupal site, scan for viruses!


Drupal is known to be a secure CMS. Drupal also provides much flexibility when it comes to providing a highly interactive user experience. Often this means allowing users to upload files of various types to your website, to provide a resumé for instance when reacting to a job vacancy.

Published on November 12, 2019

Why this is a problem

Allowing any user to upload files directly to your website introduces the risk of accepting virus-infected files into your filesystem. The risk is much higher for anonymous (not logged in) users because they might be malicious users, but for business reasons it often makes sense to allow anonymous users to submit files. Further processing of infected files, like forwarding a submitted resumé to colleagues or external parties, allows the virus to spread. This could cause significant trouble and hurt SEO as well as your reputation as a dependable business partner.

Scan those files!

Scanning files that are uploaded by anonymous users to a site is something that is often overlooked. Fortunately this is a problem that can be easily fixed! The most common way to solve this is by installing a virus scanner in your web hosting environment and letting it scan each file that is uploaded. There are various options out there, but we use the open source virus scanner ClamAV to get the job done. In order to be able to scan uploads in your Drupal site there are 2 things you need to do:

1. Install the ClamAV binary file in your hosting environment

With high service managed hosting providers like Acquia or Pantheon this has often already been done for you. If you are hosting on a VPS or dedicated server you will have to install the binary yourself, see this guide for some help with that.

2. Install and configure the ClamAV Drupal module

Instructions are on the project page. Don’t forget to clear the cache of your Drupal installation after you complete the install; most settings will not take effect until you do. After installation and configuration, you can verify the module is working correctly by trying to upload a fake virus to your website. For this purpose ClamAV is EICAR compliant, meaning you can upload the harmless EICAR anti-virus test file that will then be detected as a real virus if the installation works correctly.
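Before testing through the Drupal upload form, it helps to confirm that the ClamAV executable from step 1 detects the EICAR file on its own. The script below is an added example, not code from this article or from the ClamAV Drupal module; it assumes `clamscan` is on the PATH, and `CLAMSCAN_BIN`, `RUN_SELFTEST` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check that the ClamAV executable flags the EICAR test file.
# Assumption: clamscan is on PATH; CLAMSCAN_BIN is a hypothetical override.
CLAMSCAN_BIN="${CLAMSCAN_BIN:-clamscan}"

# Write the 68-byte EICAR test string; it is split in two so this script
# itself is not flagged by a scanner.
write_eicar() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-' \
        'STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$1"
}

# Map clamscan exit codes to an upload decision:
# 0 = no virus found, 1 = virus found, anything else = scanner error.
# Errors are reported separately so the caller can refuse the file
# (fail closed) instead of treating "could not scan" as "clean".
upload_verdict() {
    rc=0
    "$CLAMSCAN_BIN" --no-summary "$1" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo accept ;;
        1) echo reject ;;
        *) echo error ;;
    esac
}

# Scan one EICAR file and one clean file; succeed only if both verdicts
# are the expected ones.
clamav_selftest() {
    dir=$(mktemp -d) || return 2
    write_eicar "$dir/eicar.txt"
    printf 'plain text\n' > "$dir/clean.txt"
    bad=$(upload_verdict "$dir/eicar.txt")
    good=$(upload_verdict "$dir/clean.txt")
    rm -rf "$dir"
    echo "eicar=$bad clean=$good"
    [ "$bad" = reject ] && [ "$good" = accept ]
}

# Run the self-test only when asked, e.g. RUN_SELFTEST=1 sh check_clamav.sh
if [ "${RUN_SELFTEST:-0}" = 1 ]; then
    clamav_selftest
fi
```

A result of `eicar=error` means the scanner could not run at all (missing binary or signature database), which is a different problem from a scanner that ran and missed the test file.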

Enjoy your hassle-free solution

This setup now allows for each file that is uploaded to your Drupal website to be scanned for viruses. An infected file will not be accepted into the filesystem and an entry into the site’s log is made so you can keep track of infected upload attempts.

Scanning uploaded files this way provides you with an extra layer of security in your website, protecting your organisation, SEO results and business reputation without site visitors even noticing…
