Question

Anti-Virus with Forms Upload File

asked on August 25, 2014

We're looking to have a public facing Forms Portal with a File Upload field.  This form is sending to Laserfiche after the submission.  Is it possible to scan all attachments with an anti-virus software on the Upload File field BEFORE it gets into the repository?  Thanks! 

 

If that's not possible, I'm thinking that we set up a staging repository with its volume outside the firewall.  We can have the anti-virus scan the staging area and the volume.  Once it's finished and there are no threats, we can migrate the documents to another repository.  

0 0

Answer

APPROVED ANSWER
replied on June 15, 2020

Bringing some discussion from the comments in the first response out to its own response...

With the release of Forms 10.4.4, you will now be able to save file uploads to a folder location instead of directly in the Forms database. Although this integration was not tested internally, this may allow you to run anti-virus scans on those uploads. Feel free to give it a try and post any results here. 

 

1 0

Replies

replied on February 23, 2018

Here are additional details on how to achieve AV integration with Laserfiche Forms.

1. AV Software - You will need an AV software application.

2. AV WS - If the AV software does not already have a built-in WS, then you will also need an AV WS which connects to the AV software API using whichever protocol that AV software supports, e.g. HTTP, ICAP, etc. This AV WS will act as an interfacing WS between Laserfiche Forms and the AV software because most likely your AV software will be installed on an internal network whereas the Forms Server may be out in the DMZ.

  • If the AV application supports it, then we suggest converting the uploaded file into a base64 or binary string for the AV scan instead of sending the file and saving a copy on the AV server.

 

3. Custom Forms Upload - Update Forms JS file to call the AV Web Service upon upload.

         File to update: Laserfiche\Laserfiche Forms\Forms\js\form\newfileupload.js

  • Put the AV scan custom logic at the last step of Forms upload validation so that it is only run once all other validations pass but before the file is actually uploaded. 
  • Two pieces of code need to be updated: one for new browsers and one for old browsers.

 

For new browsers, code snippet to be inserted as shown below:          

Similarly, for old browsers there is a flash based control “flashUpload”.

  • Always back up the original “newfileupload.js” file just in case a rollback is needed.
  • The “newfileupload.js” will need to be updated with your custom logic for every new version upgrade of the Forms Server, and hence maintained separately.

 

4. [Optional] “Please Wait” gif image – You can create a "please wait" gif image to be shown on the form while the document is being scanned. You can place the gif in the \Forms\img\ folder and access it within your code.

5 0
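
The pre-upload check outlined in steps 2 and 3 of the reply above, as an added example that is not part of the original reply and is not Laserfiche code: the file is base64-encoded, posted to an interfacing AV web service, and allowed only on an explicit clean verdict. The function names, the endpoint URL, the JSON field names and the verdict strings are all assumptions.

```javascript
// Added example, not Laserfiche code. The URL, JSON fields and verdict
// strings below are assumptions about a hypothetical interfacing AV WS.
const AV_SCAN_URL = "https://av-ws.example.internal/scan"; // placeholder

// Encode raw file bytes as base64 so the AV WS can scan them in memory.
function toBase64(bytes) {
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary);
}

// Default transport: POST JSON to the AV WS and parse its JSON reply.
async function postJson(url, body) {
  const res = await fetch(url, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error("HTTP " + res.status);
  return res.json();
}

// Last validation step before upload. Fails closed: the file is allowed
// only when the AV WS explicitly answers "clean" within the time limit.
async function scanBeforeUpload(file, send = postJson, timeoutMs = 15000) {
  let timer;
  try {
    const bytes = new Uint8Array(await file.arrayBuffer());
    const timeout = new Promise((_, reject) => {
      timer = setTimeout(() => reject(new Error("timeout")), timeoutMs);
    });
    const payload = { name: file.name, contentBase64: toBase64(bytes) };
    const reply = await Promise.race([send(AV_SCAN_URL, payload), timeout]);
    if (reply && reply.verdict === "clean") return { allow: true, reason: "clean" };
    const infected = reply && reply.verdict === "infected";
    return { allow: false, reason: infected ? "infected" : "unknown-verdict" };
  } catch (err) {
    // Scanner unreachable, HTTP error or timeout: reject rather than skip.
    return { allow: false, reason: "scan-unavailable: " + err.message };
  } finally {
    clearTimeout(timer);
  }
}
```

A check that runs only in the browser does not cover requests sent straight to the upload endpoint, so it complements, rather than replaces, scanning on the server side such as the folder-based storage mentioned for Forms 10.4.4.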
replied on August 25, 2014

Thanks for the quick response, Rob! Perhaps an AV software like this one could work?

 

http://www.opswat.com/products/metascan/use-cases

 

1 0
replied on August 26, 2014

That does look like it could potentially work, but I don't have firsthand experience using it in conjunction with the file upload field in Forms, so I can't promise that it will work as we expect.  It might be wise to see if they offer any free trials so you can test it before making a full purchase.

 

If you do move forward and test it, please come back to update this post with your results!  I'm very interested to hear if this is a viable option!

0 0
replied on July 19, 2017

Hi Shelby, 

 

Just checking if you did test this option with the public portal? 

 

Thank you in advance,

Ziad

1 0
replied on August 25, 2014

Hello Shelby,

 

This is a feature that the Forms development  team may be implementing in the future.  There may be methods by which you can run anti-virus scans on the file in the database before it's stored in the repository, but I'm not sure exactly how that would behave if a threat was discovered.

 

In terms of what's currently available, you're able to modify the allowed extensions for the file upload field to restrict the files to be of a certain set of extensions.  Check out #5 in the help files for more information.

 

Only allowing for certain file formats (.doc, .pdf, etc.) covers most of our bases here, but certain loopholes may still be a concern.  For example, .doc files can have a macro containing a virus and .exe files can be renamed to a seemingly harmless .pdf (that would need to be renamed back to .exe in order to run the virus, but still a threat nonetheless).

 

To summarize, if the file extension security is not comprehensive enough, it seems like the best option at this point is what you had written in the original post.

0 0
replied on May 10, 2016

Rob - do you have any updates to this virus scan request?

 

0 0
replied on December 20, 2016

Can I please get an update on the status of this feature request?  With the dramatic rise in ransomware and other cyber security threats we need to have some options for securing file uploads from Forms.  Can we at least know if it is on the roadmap or whether we have to implement our own workarounds?  Even if it is not on the roadmap I'm hoping Laserfiche some can provide a detailed work around.

Thanks.

0 0
replied on May 2, 2017

I also am looking for an update on the status of this feature request.  Please advise.

0 0
replied on May 15, 2017

I'm also very interested in this and getting user requests.

0 0
replied on July 4, 2017

Hi All,

 

Are there any updates on this, as this is now a requirement for the client we are currently working with?

 

Thanks

Ziad

0 0
replied on December 11, 2018

We are trying to implement the same thing.  PDF files are not as safe as all believe.  Any update on this? 

Thank you,

Carolina

0 0
replied on December 11, 2018

Cities Digital has an integration available to perform virus scanning on all files uploaded to Laserfiche Forms before they are saved to the Forms database.  

 

The demo video is available on the Cities Digital YouTube page:  https://youtu.be/J2cvgiEc_Mk

0 0
replied on March 9, 2020

Do you know of anyone who has integrated with the plugin Cities Digital has created?  Would like to know more about their experience.  The server OS level, the version of ESET antivirus purchased, etc.

0 0
replied on March 10, 2020

Hi Mary,

Many users are using the CDI Forms Portal Virus Scan. Give us a call if you're looking to learn more. 855-714-2800 or Sales@CDI.Support

0 0
replied on June 12, 2020

Is there any update on if antivirus scanning will be a feature added in a future release? 

0 0
replied on June 12, 2020

Melissa,

In Forms 10.4.4 you have the ability to store uploaded attachments in the Windows folder structure instead of the database. That will allow for an antivirus software to scan that folder.

2 0
replied on June 12, 2020

I actually just remember that! 

0 0
replied on June 15, 2020

Isn't 10.4.3 the current release of Forms?  Where do I get 10.4.4?

 

0 0
replied on June 15, 2020

10.4.4 was just added to the Laserfiche 10.4.2 download package.

0 0
replied on October 1, 2015

Any updates to this information?

0 0
replied on July 1, 2017

Hi All,

 

Are there any updates on this, as this is now a requirement for the client we are currently working with?

 

Thanks

Ziad

0 0
replied on July 6, 2017

Hi All,

 

Are there any updates on this?

 

Thanks

Ziad

0 0
replied on July 12, 2017

Hi All,

 

Are there any updates on this, as this is now a requirement for the client we are currently working with?

 

Thanks

Ziad

0 0
replied on July 13, 2017

There are no updates from the Forms side implementing this as a feature. The method Shelby described sounds like it would work, but I have no updates on if it worked or was even attempted.

0 0
replied on January 26, 2018

Are there any updates on this? I have a client who wants to know as well.

0 0
replied on January 28, 2018

As a concept it is possible. The upload function is available in \Program Files\Laserfiche\Laserfiche Forms\Forms\js\form\newfileupload.js file which you can tweak such that before any upload, your custom code sends the file to an anti-virus server. Depending on the results of the scan, it resumes the upload process or rejects the file displaying an error to the user. This would be an ideal front-end check. Another option to consider is to have a Workflow activity after submission where the Workflow server verifies the file and then sends them to repository rather than Forms Server saving directly. In this design the user does not know that his file was eventually rejected. Also the file would already be in the Forms DB even if it is not saved in the repository.

0 0
replied on January 29, 2018

Hi Pragya, 

 

Hope all is well,

Is there any documentation you can provide for this solution to test?

 

Thank you

Ziad

0 0
replied on January 31, 2018

@Ziad, we can share more information in some time because we are in the middle of a similar test. Give us like a couple of weeks, and we will update this post with more details. 

2 0
replied on February 1, 2018

@████████ , please do. I have a client who would like to utilize the first suggestion you've made, we'd like to know the tweaks made to the js file. 

1 0
replied on May 28, 2020

Bump. I have recently been trying to do some customization following the method. However, one thing I do not like is that after modifying "newfileupload.js", all upload controls HAVE to go through that virus check step. Is there a way to modify the designer to allow setting a flag to enable/disable the virus scan feature?

 

0 0
replied on July 29, 2021

Hey Luke,

 

Can you please share what sort of modifications you made to newfileupload.js? We are trying to implement this, but are not sure how.

 

Thank you

0 0
replied on October 7, 2021

Hi Julian, sorry, I just noticed your question. The method is straightforward according to the thread. The most important part is to build your own web service to do the AV scan and expose a web service call API for the JavaScript code to access. The location of the call is pointed out by the thread I followed. If you're not familiar with JavaScript code or web services, it's better not to use this method, as it has many drawbacks other than the benefit.

Since Laserfiche Forms 10.4.4, it's possible to store uploaded files in an external location other than the Forms database. This opens the possibility of allowing an AV service to monitor/scan those uploads before they are used. I expect Laserfiche will enhance the "Form Uploads" and give users feedback on whether the file upload succeeded or not before form submission.

0 0
replied on July 29, 2021

Are there any updates on how to achieve this?

0 0
replied on October 6, 2023

This feature is not available out of the box with the Laserfiche product. 

https://www.cdi.support/_files/ugd/6f443f_b7655f893bea483fb577c5cff31f7857.pdf?index=true

Virus Scan Integration by CDI.   

0 0