Get ClamAV virus checking working in prod

[crisr15]

⚠ On hold pending Hyrax upgrade ⚠

Summary

Please set up ClamAV to scan files for viruses before they go into Fedora.

CalState set up clamAV but would like to know if anyone is using anything else in the community for virus checking.

Their concerns are that the open source virus scanning may not be the most up to date and safe, and that they had to use an older version in order to get it installed.

Acceptance Criteria

• get ClamAV running

[orangewolf]

I'm not aware of anyone using anything else, but we should ask in the Samvera Slack. ClamAV is really well supported for server level checking. Google (for example) uses it to implement the virus check in both Gmail and Google Docs. We should however look at the change long and see if the older version is a problem.

[crisr15]

• Create follow up ticket to create plan for getting some sort of antivirus working on their prod stack. This can be an interim solution so that they can then go to their IT group after having something up to then get assistance on making it better.

[crisr15]

Installed, but need to look at paths, etc.

[bkiahstroud]

Based on the digging I've done, I see two potential paths forward:

1. Install an older version of the ClamAV package and use the clamav gem

Pros:

• Requires fewer code changes
  • Hyrax v2.9.6 is set up to use the clamav gem already

Cons:

• Installing older versions of packages can be a security risk
• Most people have moved away from the clamav gem in favor of clamby in more recent versions of Hyrax
• Not sure which old version of ClamAV will work, or if installing older versions is possible

---

2. Install the latest version of the ClamAV package and use the clamby gem

Pros:

• Newest version of ClamAV means less security risk
• Future-proof; follows trend of community

Cons:

• Requires more code changes, including overriding Hyrax
  • v2.9.6 only allows use of ClamAV
  • However, newer versions allow you to swap our the virus scanner for whatever you want; may be able to backport this?

[bkiahstroud]

A fork of the clamav gem exists that has been updated semi-recently (2019). Try using the updates branch of this fork before trying anything else.

[bkiahstroud]

Attempting to use the forked version of the gem failed:

/usr/local/lib/ruby/2.7.0/singleton.rb:125:in `new': integer 281472773468224 too big to convert to `int' (RangeError)
        from /usr/local/lib/ruby/2.7.0/singleton.rb:125:in `block in instance'
        from /usr/local/lib/ruby/2.7.0/singleton.rb:123:in `synchronize'
        from /usr/local/lib/ruby/2.7.0/singleton.rb:123:in `instance'
        from /app/samvera/hyrax-webapp/config/initializers/clamav.rb:1:in `<top (required)>'

# config/initializers/clamav.rb
ClamAV.instance.loaddb if defined? ClamAV

The ClamAV object is a Singleton, and appears to be fundamentally broken in Ruby 2.7.0

[bkiahstroud]

It was discussed in a meeting that, if using the forked version of the gem failed, this ticket would wait until a Hryax upgrade happened so the app could be smoothly transitioned to using the clamby gem