Blocking Malicious File Uploads, Part 2: OPSWAT Antivirus APIs

Hacked via File Upload

If file uploads are essential for your business to run, there are several steps you need to take in order to ensure that no infected, malicious, or otherwise compromised files are uploaded into your system.

See Part 1 of this series.
See Part 3 of this series.

Integrate with Antivirus APIs

The first and most important step to take is to scan all file uploads for known malware.

The workflow should be clear and simple: Any uploaded file should be analyzed for known malware, and the file shouldn't be made available to end users until the analysis is complete.

Depending on the API integration and the volume of files being uploaded, this can introduce a delay ranging from a few hundred milliseconds to several minutes. That may be a drawback for some businesses, so align the implementation with your business needs: if you need files analyzed in a fraction of a second, you will need an antivirus API integrated directly into your infrastructure.

For such an integration, you can either integrate directly with an antivirus API or use third-party solutions that expose an API on top of the antivirus API. There are a few solutions out there that expose one or multiple antivirus APIs, but the best tactic is to analyze uploaded files using multiple anti-malware engines.

For better detection rates, use a multi-scanning solution, instead of a single antivirus API. OPSWAT offers REST APIs in order to make multi-scanning technology available for this kind of use case.
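The scan-then-release workflow described above, as an added example (not OPSWAT code): uploads stay in quarantine until every engine has answered, one detection from any engine is enough to block, and an engine that never answers or errors out also blocks release, so the gate fails closed. The `Engine` interface and the three demo engines are hypothetical stand-ins for real REST API calls, and the "malicious" marker is a constructed string, not real malware.

```python
"""Quarantine-then-release gate with multi-engine aggregation.
Added example (not OPSWAT code); the Engine interface is hypothetical."""
from __future__ import annotations

import hashlib
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict


class Verdict(Enum):
    CLEAN = "clean"
    INFECTED = "infected"
    PENDING = "pending"   # engine has not answered yet (asynchronous API)
    ERROR = "error"       # engine failed; never treated as clean


# Hypothetical engine interface: bytes in, Verdict out. A real integration
# would submit the file to the vendor's REST API here and map its response.
Engine = Callable[[bytes], Verdict]


@dataclass
class UploadRecord:
    sha256: str
    size: int
    released: bool = False                       # False == still in quarantine
    engine_results: Dict[str, Verdict] = field(default_factory=dict)


def aggregate(results: Dict[str, Verdict]) -> Verdict:
    """Multi-scanning policy: one detection is enough to block; any engine that
    is still pending or errored also blocks release (fail closed)."""
    values = set(results.values())
    if Verdict.INFECTED in values:
        return Verdict.INFECTED
    if Verdict.PENDING in values:
        return Verdict.PENDING
    if Verdict.ERROR in values or not values:
        return Verdict.ERROR
    return Verdict.CLEAN


def gate_upload(data: bytes, engines: Dict[str, Engine],
                timeout_s: float = 5.0, poll_s: float = 0.05) -> UploadRecord:
    """Hold the upload until every engine has answered or the deadline passes.
    The record is marked released only on a unanimous CLEAN."""
    rec = UploadRecord(sha256=hashlib.sha256(data).hexdigest(), size=len(data))
    deadline = time.monotonic() + timeout_s
    while True:
        for name, engine in engines.items():
            if rec.engine_results.get(name) in (None, Verdict.PENDING):
                try:
                    rec.engine_results[name] = engine(data)
                except Exception:          # network error, malformed response, ...
                    rec.engine_results[name] = Verdict.ERROR
        verdict = aggregate(rec.engine_results)
        if verdict is not Verdict.PENDING or time.monotonic() >= deadline:
            break
        time.sleep(poll_s)
    rec.released = verdict is Verdict.CLEAN
    return rec


# --- constructed stand-in engines so the demo runs offline -------------------
MARKER = b"CONSTRUCTED-MALICIOUS-MARKER"   # constructed signature, not real malware


def signature_engine(data: bytes) -> Verdict:
    return Verdict.INFECTED if MARKER in data else Verdict.CLEAN


def make_slow_engine(pending_polls: int) -> Engine:
    """Simulates an asynchronous engine that reports CLEAN after N polls."""
    calls = {"n": 0}

    def engine(data: bytes) -> Verdict:
        calls["n"] += 1
        return Verdict.CLEAN if calls["n"] > pending_polls else Verdict.PENDING
    return engine


def stuck_engine(data: bytes) -> Verdict:
    return Verdict.PENDING            # never answers: must not unblock the file


if __name__ == "__main__":
    engines = {"sig": signature_engine, "slow": make_slow_engine(2)}
    print(gate_upload(b"plain resume text", engines).released)        # True
    print(gate_upload(b"cv" + MARKER, engines).released)              # False
    print(gate_upload(b"x", {"sig": signature_engine, "stuck": stuck_engine},
                      timeout_s=0.2).released)                        # False
```

The timeout is the knob the paragraph above is talking about: a short deadline keeps the user waiting less, but a file whose scan has not finished is still not released, it simply stays in quarantine until a later poll picks it up.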

Always Sanitize Productivity Files

More and more attackers are using common file types to deliver targeted malware attacks. Malware, especially ransomware, can infect devices by using embedded objects such as scripts and macros in common file types used for productivity.

Macros have always been a pain point in the fight against malware, but today's threats are considerably more advanced. It is hard to discover every threat present in a file using static analysis alone, since the file's own content is usually not malicious; instead, an embedded object performs the malicious behavior (downloading a payload, invoking PowerShell, etc.).

Static analysis can be supplemented with dynamic analysis, but a sandbox environment will never perfectly match a user's real-time environment, so the malware's evasion techniques don't even have to be particularly advanced to evade detection.

That's why the best solution for blocking these kinds of attacks is data sanitization.

What does "data sanitization" actually mean?

"Data sanitization" means taking a productivity file, breaking it down into small parts, and analyzing each part separately. For instance, any Word document can contain embedded images, links, tables, etc. Each of those objects should be analyzed and sanitized as well.

As an example, if you allow resumes to be uploaded through your portal, a PDF with embedded JavaScript should be considered suspicious. Stripping the embedded JavaScript will remove the potential threat while keeping the PDF's content and usability intact.

Data sanitization (Content Disarm and Reconstruction) can be considered a remediation tool that will allow you to accept productivity files while eliminating the risk of hidden malicious content.

With OPSWAT's API offerings, data sanitization can be incorporated into any organization's internal solution for handling file uploads.
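The sanitization steps above (break the file into its parts, judge each part, rebuild the file without the risky ones), as an added example that is not OPSWAT's sanitizer. The page's illustration is a PDF with embedded JavaScript; this block applies the same principle to the other case the section names, a Word document carrying a VBA macro. The OOXML part names and content types used (`word/vbaProject.bin`, `application/vnd.ms-office.vbaProject`, the macro-enabled main-part type) are the standard conventions; the sample package built by `build_sample_docx` is a constructed minimum, not a genuine Word file, and exists only so the code runs offline.

```python
"""Content Disarm and Reconstruction for an uploaded Word (OOXML) document.
Added example, not OPSWAT's sanitizer. The part names and content types are
the standard OOXML conventions for VBA projects; the sample package is a
constructed minimum, not a real Word file."""
import io
import re
import zipfile
from typing import List, Tuple

MACRO_PARTS = {"word/vbaProject.bin", "word/vbaData.xml"}
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = ("application/vnd.openxmlformats-officedocument."
                   "wordprocessingml.document.main+xml")


def inspect_parts(blob: bytes) -> List[str]:
    """Step 1: break the package into parts and report the executable ones."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return sorted(n for n in zf.namelist() if n in MACRO_PARTS)


def package_text(blob: bytes, name: str) -> str:
    """Read one part as text (used to verify the rebuilt package)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name).decode("utf-8")


def _scrub_content_types(xml: str) -> str:
    # Remove the Override that registers the VBA part, and downgrade a
    # macro-enabled main part to the plain document type (serve as .docx).
    pattern = r'<Override[^>]*ContentType="%s"[^>]*/>' % re.escape(MACRO_CONTENT_TYPE)
    xml = re.sub(pattern, "", xml)
    return xml.replace(MACRO_MAIN_TYPE, PLAIN_MAIN_TYPE)


def _scrub_rels(xml: str) -> str:
    # Remove relationships pointing at the VBA parts, so the consumer does
    # not look for a part that no longer exists.
    return re.sub(r'<Relationship[^>]*Target="vba(Project\.bin|Data\.xml)"[^>]*/>', "", xml)


def sanitize_docx(blob: bytes) -> Tuple[bytes, List[str]]:
    """Step 2: rebuild the package without the macro parts or references to them.
    Returns (clean_package, removed_part_names); the document text is untouched."""
    removed: List[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name = info.filename
            if name in MACRO_PARTS:
                removed.append(name)
                continue                      # the risky object is dropped here
            data = src.read(info)
            if name == "[Content_Types].xml":
                data = _scrub_content_types(data.decode("utf-8")).encode("utf-8")
            elif name.endswith(".rels"):
                data = _scrub_rels(data.decode("utf-8")).encode("utf-8")
            dst.writestr(name, data)
    return out.getvalue(), removed


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal package for the demo (not a genuine Word file)."""
    main_type = MACRO_MAIN_TYPE if with_macro else PLAIN_MAIN_TYPE
    types = ['<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
             '<Default Extension="xml" ContentType="application/xml"/>',
             '<Override PartName="/word/document.xml" ContentType="%s"/>' % main_type]
    rels = ['<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    parts = {"word/document.xml":
             "<w:document><w:body><w:p>Resume text</w:p></w:body></w:document>"}
    if with_macro:
        types.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % MACRO_CONTENT_TYPE)
        rels.append('<Relationship Id="rId9" Type="http://schemas.microsoft.com/office/2006/'
                    'relationships/vbaProject" Target="vbaProject.bin"/>')
        parts["word/vbaProject.bin"] = "CONSTRUCTED VBA BLOB"   # stands in for a real project
    types.append("</Types>")
    rels.append("</Relationships>")
    parts["[Content_Types].xml"] = "".join(types)
    parts["word/_rels/document.xml.rels"] = "".join(rels)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in parts.items():
            zf.writestr(name, text)
    return buf.getvalue()


if __name__ == "__main__":
    dirty = build_sample_docx(with_macro=True)
    print(inspect_parts(dirty))                 # ['word/vbaProject.bin']
    clean, removed = sanitize_docx(dirty)
    print(removed, inspect_parts(clean))        # ['word/vbaProject.bin'] []
```

The design point is that the package is rebuilt from its parts rather than patched in place: the body text is copied through unchanged, the executable part never reaches the output, and the two manifests that referenced it are rewritten so the result is still a consistent document. A production sanitizer would treat every embedded object type the same way (OLE objects, external links, images with trailing data), not just VBA.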

Handling Archive File Uploads

Archives are often necessary for productivity, since they are a very common way of sharing multiple files at once. For this reason, system administrators may need to allow archive file uploads.

Unfortunately, files that ordinarily would be blocked could be hidden in an archive. Or worse, malicious actors could send a crafted archive that turns out to be an archive bomb.

To eliminate these threats, limit the archive's recursion depth and the number of files it may contain. Then iterate through every file at every level of the archive, scanning and sanitizing each one.

These steps are difficult to implement unless you're able to use APIs for a customized solution. OPSWAT's anti-malware APIs allow for just this kind of archive handling.
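The archive handling described above, as an added example that is not OPSWAT's implementation: a bounded walk over a ZIP upload that enforces a recursion limit, a total file count, an uncompressed size budget and a per-member compression ratio (judged from the central directory before anything is decompressed, which is where an archive bomb reveals itself), and hands every leaf file to a scanner. The limits are illustrative policy values, `scan_bytes` stands in for the antivirus API call, and the archives built by `make_zip` and `nest` are constructed inputs so the block runs offline.

```python
"""Bounded, recursive archive inspection before an upload is released.
Added example, not OPSWAT's implementation. The limits are illustrative
policy values and scan_bytes() stands in for the antivirus API call."""
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List

MAX_DEPTH = 3                         # nested archives allowed below the top level
MAX_FILES = 200                       # members counted across all levels
MAX_TOTAL_BYTES = 50 * 1024 * 1024    # uncompressed budget for the whole tree
MAX_RATIO = 100                       # uncompressed/compressed per member

MARKER = b"CONSTRUCTED-MALICIOUS-MARKER"   # constructed signature for the demo


def scan_bytes(member: str, data: bytes) -> bool:
    """Stand-in for the AV API: True when the member should be rejected."""
    return MARKER in data


class ArchivePolicyError(Exception):
    """Raised as soon as any limit is crossed; nothing further is extracted."""


@dataclass
class ArchiveReport:
    accepted: bool
    reason: str
    files_seen: int
    bytes_seen: int
    flagged: List[str] = field(default_factory=list)


def _walk(blob: bytes, path: str, depth: int,
          state: Dict[str, int], flagged: List[str]) -> None:
    if depth > MAX_DEPTH:
        raise ArchivePolicyError(f"recursion limit exceeded at {path}")
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}"
            state["files"] += 1
            if state["files"] > MAX_FILES:
                raise ArchivePolicyError("file count limit exceeded")
            # Judge the declared sizes from the central directory *before*
            # decompressing anything: that is where an archive bomb shows up.
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                raise ArchivePolicyError(f"suspicious compression ratio for {member}")
            state["bytes"] += info.file_size
            if state["bytes"] > MAX_TOTAL_BYTES:
                raise ArchivePolicyError("uncompressed size budget exceeded")
            data = zf.read(info)
            if len(data) != info.file_size:          # header lied about the size
                raise ArchivePolicyError(f"size mismatch for {member}")
            if zipfile.is_zipfile(io.BytesIO(data)):
                _walk(data, member, depth + 1, state, flagged)   # descend one level
            elif scan_bytes(member, data):
                flagged.append(member)


def inspect_archive(blob: bytes, name: str = "upload.zip") -> ArchiveReport:
    """Accept the upload only if every leaf at every level scanned clean."""
    state = {"files": 0, "bytes": 0}
    flagged: List[str] = []
    try:
        _walk(blob, name, 0, state, flagged)
    except (ArchivePolicyError, zipfile.BadZipFile) as exc:
        return ArchiveReport(False, str(exc), state["files"], state["bytes"], flagged)
    if flagged:
        return ArchiveReport(False, "malicious member(s) detected",
                             state["files"], state["bytes"], flagged)
    return ArchiveReport(True, "all members scanned clean", state["files"], state["bytes"])


# --- constructed inputs so the demo runs offline ------------------------------
def make_zip(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def nest(inner: bytes, levels: int) -> bytes:
    """Wrap `inner` in `levels` further archives (level0 is innermost)."""
    for i in range(levels):
        inner = make_zip({f"level{i}.zip": inner})
    return inner


if __name__ == "__main__":
    print(inspect_archive(make_zip({"a.txt": b"hello", "docs/b.txt": b"world"})))
    print(inspect_archive(nest(make_zip({"evil.bin": MARKER}), 2)))      # hidden two levels down
    print(inspect_archive(nest(make_zip({"x.txt": b"x"}), 4)))           # too deep
    print(inspect_archive(make_zip({"zeros.bin": b"\0" * 2_000_000})))   # bomb-like ratio
```

Two details matter in practice: the ratio and size checks run against the central-directory metadata before `read()` is called, so a member that advertises a huge uncompressed size is rejected without ever inflating it, and a malformed archive (`BadZipFile`) is rejected rather than treated as "nothing to scan".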

OPSWAT MetaDefender Antivirus APIs

OPSWAT offers MetaDefender REST API integrations for:

All these technologies are necessary for truly secure file uploading.
