Anti-virus scanners block and delete temporary files - the best way to deal with them?

My application deals with emails coming from various sources, for example Outlook and IMAP. Before disassembling them, I write them to a temporary directory (saving them in memory is not an option). During parsing, I can write attachments to the temp directory (for example, if they are too large for storage in memory or for full-text extraction).

But in the wild, two things happen that at first seemed very strange, but they could all be traced back to the behavior of viruses:

  • Sometimes I can’t open files that I wrote myself a few milliseconds ago. They are obviously blocked by antivirus scanners to make sure they are clean. I get an exception.

  • If the files are considered dangerous by an anti-virus scanner, it deletes them at some point in time.

To cope with this behavior, I wrote several methods that try again if opening fails or check whether the files exist, but I can't use them in every part of the application (third-party code, for example filters), so everything became better, but not 100% excellent, and because of this, the source code looks ugly.

How do you deal with antivirus scanners?

+6
c# locking temporary-files antivirus
4 answers

Record your files using encryption. I would think that you don’t need anything too complicated or involved. Also encrypt or cripple file names, as the virus scanner can also be launched.

+1

If a scanner configuration change is not ideal for you, could you keep the file open from its creation until the end of your process? If you have a file descriptor, it will not be available for the virus scanner.

+4
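The approach in the answer above as an added C# example (not code from the thread): the incoming message is spooled to a temp file and then parsed through the same handle, so the code never reopens the file by path, which is the step the question reports failing. `TempSpool` and `Spool` are hypothetical names, and the message bytes are constructed sample data.

```csharp
using System;
using System.IO;
using System.Text;

static class TempSpool   // hypothetical helper, not from the thread
{
    // Copies 'source' into a uniquely named file under 'directory' and returns
    // the still-open stream, rewound to the start for parsing.
    public static FileStream Spool(Stream source, string directory)
    {
        string path = Path.Combine(directory, Path.GetRandomFileName());
        // CreateNew: fail rather than reuse an existing file of the same name.
        // FileShare.None: opens that go through the normal sharing check are
        //   refused while this handle exists.
        // DeleteOnClose: the file is removed when the stream is disposed.
        var temp = new FileStream(path, FileMode.CreateNew, FileAccess.ReadWrite,
                                  FileShare.None, 64 * 1024, FileOptions.DeleteOnClose);
        try
        {
            source.CopyTo(temp);
            temp.Flush();
            temp.Position = 0;   // rewind instead of closing and reopening by path
            return temp;
        }
        catch
        {
            temp.Dispose();      // also deletes the partially written file
            throw;
        }
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample message standing in for mail fetched from IMAP or Outlook.
        byte[] raw = Encoding.ASCII.GetBytes("Subject: constructed sample\r\n\r\nbody\r\n");
        using (var incoming = new MemoryStream(raw))
        using (FileStream temp = TempSpool.Spool(incoming, Path.GetTempPath()))
        using (var reader = new StreamReader(temp, Encoding.ASCII, false, 4096, leaveOpen: true))
        {
            Console.WriteLine(reader.ReadLine());   // parse from the held handle
        }
    }
}
```

Code that only accepts a file path, such as the third-party filters mentioned in the question, cannot consume this stream and still has to open the file itself.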

Usually, you should exclude mail filter files from the anti-virus scanner and use a special anti-virus mail program, which is located in the incoming message series. Definitely ask your users to disable the "delete infected files" option on their mail server, otherwise they may lose the mail database :-/. For example, here's how you can configure AV to ignore Exchange: http://www.sophos.com/support/knowledgebase/article/12214.html

But another way to look at this is that there is a virus in the file, so you probably do not want to deliver it :-)

The previous answer said to change permissions so that only your process can access the files. This will not work; any AV worth its salt will work in the kernel and can access files anyway.

0

The virus scanner excludes folders. Just look at the documentation and add a temporary folder to this list.

-1