--- title: "Enabling virus scanning for file uploads" date: "2024-02-14T06:18:38+00:00" summary: "Protect your Drupal site from malware with ClamAV virus scanning for file uploads. Learn how to enable and configure this security feature." image: type: "page" url: "/acquia-cloud-platform/enabling-virus-scanning-file-uploads" id: "50fd363e-de94-49ab-97da-2d34a586594b" --- You can enable virus scanning of file uploads for your Cloud Platform applications. Cloud Platform virus scanning uses [ClamAV](http://www.clamav.net). ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware, and other malicious threats. Acquia installs the ClamAV executable on all Cloud Platform infrastructure. To leverage ClamAV for virus scanning, you must install, enable, and configure the [ClamAV](https://www.drupal.org/project/clamav) module. This module connects to the ClamAV executable on your Cloud Platform infrastructure. Cloud Platform updates the ClamAV virus definitions daily. After you enable virus scanning, ClamAV protects your application from viruses uploaded by form file uploads and prevents uploaded files from being saved if it detects a virus. Configuring the ClamAV module ----------------------------- The ClamAV module, which is available for Drupal 7 and the [current Drupal version](/service-offerings/guide/software-life-cycle#supported-drupal-version), connects with ClamAV to scan files uploaded with CCK’s `filefield` widget, CCK’s `imagefield` widget, and normal Drupal form file uploads. To configure the ClamAV module: 1. In **Configuration**, select **ClamAV**. 2. In **Scan method**, select **Executable**. 1. Note You must set the same value for both Cloud Classic and Cloud Next environments. 1. In **Executable mode configuration**, in the **Executable path** field, enter `/usr/bin/clamscan`. 2. In **Verbosity**, select the **verbose** checkbox. 3. Click **Save configuration**. ClamAV thereafter scans all files uploaded to your application for viruses. If ClamAV finds a virus, it displays a message to the user reporting that the file could not be uploaded, and then logs the event to `stdout` and `stderr`, with the file name and virus name. You can then find the entry in the Acquia Cloud [drupal-watchdog log](https://docs.acquia.com/acquia-cloud-platform/drupal-watchdog-logs). Note * Cloud Classic does not include or support the use of ClamAV as a daemon. * Cloud Next only supports the daemon mode through an abstraction that points to the daemon mode even though the executable mode is selected. With this, customers get all the benefits of the daemon mode. 1. ### Scanning files that are already present ### Cloud Classic If you have uploaded files to your application using methods that differ from the normal Drupal upload methods, you can still use ClamAV to scan these files. Since this method uses CPU resources, Acquia recommends that you copy the files to your development or staging environment and scan files there, rather than in production. To scan files on your infrastructure, open a command prompt window and enter the following command: clamscan -ri The `r` parameter causes ClamAV to scan all files recursively, in the current directory and sub-directories, and the `i` parameter displays only the infected files, if any. You can also use the following cron command to run regular scans for your website: --any-- 0 * * * * /usr/bin/clamscan -ri /mnt/tmp/ | mail -s "hourly website clam results" myemail@example.com This command scans files if run in `/sites/default/files`. To scan code, the command must be run from the code directory. For a more configurable and extensible version of this command, you can download and use the [clam\_av\_script.sh.inc](https://docs.acquia.com/downloadable-resources#section-clamavscriptshinc) script, which provides configurable notification emails, in a cron command. ### Cloud Next If you have uploaded files to your application using methods that differ from the normal Drupal upload methods, you can still use ClamAV to scan these files. To scan files on your infrastructure, open a command prompt window and enter the following command: clamscan The preceding command scans the file specified as input and returns scan results. clamscan -i ClamAV scans all files recursively in the directory path provided as input in the preceding command and sub-directories. Use `i` parameter to display only the infected files, if any. For more information on creating cron commands that perform regular scans for your website, see [Creating scheduled jobs](https://cron.html#cloud-create-scheduled-jobs). Note The system does not support executable parameters and displays the following warning message in the CLI: WARNING: Ignoring unsupported option --recursive (-r) 1. ### Scanning exceptions ClamAV scans all files uploaded to your application for viruses. However, you can consider the following exceptional cases: * `clamscan` does not scan the database because it does not read binary data. * Even with a regular scan, malware may exist in the database or in your /tmp directory. * ClamAV cannot scan files whose size exceeds 1024 MB.