My application deals with e-mails coming from different sources, e.g. Outlook and IMAP mailboxes. Before parsing them, I write them to the temporary directory (keeping them in memory is not an option). While parsing, I might be writing attachments to the temp directory (for example, if they are too large to keep in memory or for full-text extraction).

But in the wild, two things happen that seemed very strange in the first place but could all be traced back to virus scanner behaviour:

  • I'm sometimes unable to open files which I've written myself a few milliseconds ago. They are obviously locked by virus scanners to ensure that they are clean. I get an Exception.

  • If files are considered dangerous by the virus scanner, it deletes them at some point in time.

To cope with this behaviour, I've written a few methods that try again if open fails or do some checks if files exist, but I'm unable to use them in every part of the application (3rd party code, for example filters), so things got better, but not 100% perfect and my source code looks ugly in parts because of this.

How do you cope with virus scanners?

A: 

Virus scanners have exclude folders. Just look in the documentation and add your temp folder to this list.

Hapkido
It is a shrinkwrap application, not in-house. I could tell that to my users, but they would either ignore it or not read it at all.
Stefan Schultze
A: 

You should usually exclude the mail-filtering files from the virus scanner, and use a dedicated mail anti-virus program which sits in the incoming mail series of tubes. Definitely consider asking your users to turn off the 'delete infected files' option on their mail server, otherwise they might lose the mail database :-/. For instance, here's how you might configure the AV to ignore Exchange: http://www.sophos.com/support/knowledgebase/article/12214.html But another way to look at it is that there's a virus in the file, so you probably don't want to deliver it anyway ;-)

A previous answer said to change the permissions such that only your process can access the files. That won't work; any AV worth its salt will be running in the kernel and can access the files anyway.

Graham Lee
+4  A: 

If changing the virus scanner configuration is not the ideal option for you, could you keep the file open from its creation up to the end of your process? If you've got a handle on the file, it will not be available to the virus scanner.

Hapkido
+1  A: 

Write your files with encryption. I would think you wouldn't need anything too tricky or involved. Also encrypt or mangle the filenames as the virus scanner might be triggered by that as well.

Joel Lucsy
A pragmatic solution worth considering. Unfortunately some files are written by 3rd party libraries that are unable to write to streams, but those could be handled in a different way. Doesn't solve problems with virus scanners locking files though.
Stefan Schultze
There are ways to "hook" the file writing process so that even your third-party libraries would write out encrypted. Perhaps even leaving the file handles open to avoid signaling to the virus scanners that you're done working with the file.
Joel Lucsy
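The retry-on-open approach the question describes, as an added sketch that is not code from the thread: it retries with backoff while the file is locked and reports a deleted file separately, since retrying cannot bring a quarantined file back. The names `open_with_retry` and `QuarantinedError` are hypothetical, and it assumes the lock surfaces as `PermissionError`, which is how CPython reports a Windows sharing violation.

```python
import time


class QuarantinedError(Exception):
    """The file we wrote is gone, e.g. removed by an on-access scanner."""


def open_with_retry(path, mode="rb", attempts=5, base_delay=0.05,
                    opener=open, sleep=time.sleep):
    """Open `path`, retrying with exponential backoff while it is locked.

    `opener` and `sleep` are injectable so the logic can be tested without
    a real scanner; by default they are the builtin open() and time.sleep().
    """
    delay = base_delay
    for attempt in range(1, attempts + 1):
        try:
            return opener(path, mode)
        except FileNotFoundError as exc:
            # The file was deleted after we wrote it. Surface this as a
            # distinct error so the caller can skip or flag the message
            # instead of retrying a file that will never reappear.
            raise QuarantinedError(path) from exc
        except PermissionError:
            # Assumption: a scanner holding the file shows up as
            # PermissionError. Give up after the last attempt so a
            # permanently locked file cannot stall the parser forever.
            if attempt == attempts:
                raise
            sleep(delay)
            delay *= 2


def read_temp_file(path):
    """Read a temp file in full; return None if it was quarantined."""
    try:
        with open_with_retry(path) as handle:
            return handle.read()
    except QuarantinedError:
        return None
```
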