This article discusses one way to implement antivirus file scanning using C1Upload in ASP.Net applications. Viruses, Trojan horses, and other malware and spyware pose a real problem for current computer environments, especially for the Windows operating system. If you are designing a .Net application that must accept uploaded external files, you have a potential security risk, and this type of requirement is quite common in web applications.

ASP.Net does not have any means to do an antivirus scan right out of the box. This is primarily because ASP.Net is a programming language, and does not have any virus scanning packages. The main reason for this arrangement is that dealing with constantly evolving viruses, and keeping virus definitions up to date, is a daunting task. Large companies such as McAfee, Symantec, or Zone Labs develop virus detecting and combating products and spend a lot of resources to maintain them. For the purposes of this article, we will use AVG 10 (Free version) (http://www.freeavg.com/?lng=in-en&cmpid=free).

The architecture is as follows: the server machine needs to have the antivirus application running at all times. When a file is uploaded, it is scanned using AVG 10, and if the file is infected, it is deleted using the File.Delete() method. Other optimizations can probably be made, like using AVG's built-in cleaning switch; however, we chose to do the file cleanup manually using File.Delete().

If you have an account on Yahoo mail, you have probably seen that Yahoo is using Norton Antivirus to scan all attachments in a similar way. If you do not have Yahoo mail or are confused by the way its antivirus methods are set up, you are about to learn how to manage antivirus file scanning from ASP.Net applications. Let's get started.

Project Setup

1. Place C1Upload on the webpage.
2. Click the smart tag to open C1Upload's task menu and click Register in web.config to register the C1Upload control in your web.config file.
3. Create a folder (C:\Upload) on disk [C:].
4. Create two subfolders under that folder, one named "Temp" and the other named "Target", as below:
   C:\UploadFolder\Temp
   C:\UploadFolder\Target
5. In your project, open the .aspx file and change the value of the TempFolder property to "C:\UploadTemp". Then change the value of the TargetPhysicalFolder property to "C:\Upload\Target", as shown below:
   TempFolder="C:\UploadFolder\Temp" TargetPhysicalFolder="C:\UploadFolder\Target"
6. Set the ValidFileExtensions property to ".doc,.jpg" to filter the type of files that can be uploaded.
7. Place a Label control on the webpage without any text to display messages after the upload process.

Virus Scan

Now comes the process of scanning the file. We will subscribe to the Validating event of C1Upload and scan the file being uploaded. For this, we will run an instance of the AVG command-line scanner and check whether the file is infected or not. The results of the virus scan are written to a Report.txt file, which is saved in the temporary storage of C1Upload (the Upload\Temp folder). Next, we will use a StreamReader object to read the Report.txt file and check its "Found infections" line. If the report does not show zero infections, we cancel the upload by setting e.IsValid = false and then delete the file being uploaded using File.Delete().

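// Namespaces required at the top of the code-behind file.
using System;
using System.Diagnostics;  // Process
using System.IO;           // File, StreamReader

protected void C1Upload1_ValidatingFile(object sender, C1.Web.UI.Controls.C1Upload.ValidateFileEventArgs e)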
{  
    foreach (C1FileInfo file in C1Upload1.UploadedFiles)  
    {  
        try  
        {  
            //do av check here  
            Process myProcess = new Process();  

            //address of command line virus scan exe  
            myProcess.StartInfo.FileName = "C:\\Program Files\\AVG\\AVG10\\avgscana.exe";
            string myprocarg = "/SCAN=" + e.UploadedFile.TempFileName + " /REPORT=C:\\Upload\\Temp\\Report.txt";
            myProcess.StartInfo.Arguments = myprocarg;  
            myProcess.Start();  
            myProcess.WaitForExit(); //wait for the scan to complete                  

            //add some time for report to be written to file  
            int j = 0;
            int y = 0;
            for (j = 0; j <= 1000000; j++)
            {
                y = y + 1;
            }

            //Get a StreamReader class that can be used to read the file  
            StreamReader objStreamReader = default(StreamReader);
            objStreamReader = File.OpenText("C:\\Upload\\Temp\\Report.txt");
            if (!objStreamReader.ReadToEnd().Contains("Found infections    :    0"))  
            {  
                e.IsValid = false;  
                File.Delete(e.UploadedFile.TempFileName);  
            }  
            objStreamReader.Close();  

            if (e.IsValid)  
            {  
                Label1.Text = "Your File Uploaded Successfully at server as: " + e.UploadedFile.FileName + ". It was checked with AVG Free Anti-Virus.";
            }  
            else  
            {  
                Label1.Text = "Error! " + e.UploadedFile.FileName + " contains a virus. It has been deleted from the server.";
            }  
        }  
        catch (Exception Exp)  
        {  
            Label1.Text = "An Error occurred & all files have been removed. Please check the attached file(s).";
            e.IsValid = false;  
            File.Delete(e.UploadedFile.TempFileName);  
        }  
    }  
}
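
The handler above writes every scan result to the same Report.txt, so two simultaneous uploads can read each other's verdict. The following is an added example, not code from the original article or from the C1Upload or AVG products: a helper that writes one report per scan and rejects the upload on a timeout, a missing report, or a report without a parsable count. The names `UploadScanner`, `IsClean` and `ParseInfectionCount` and the 60-second timeout are assumptions; the scanner path, the /SCAN and /REPORT switches and the "Found infections" report line are taken from the article's code, and file paths are assumed to contain no spaces, as in the article.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Text.RegularExpressions;

public static class UploadScanner   // hypothetical helper, not part of C1Upload or AVG
{
    // Scanner path and report folder as used in the article's handler.
    const string ScannerExe = @"C:\Program Files\AVG\AVG10\avgscana.exe";
    const string ReportDir = @"C:\Upload\Temp";

    // Tolerates variable spacing around the colon in the report line.
    static readonly Regex InfectionLine =
        new Regex(@"Found infections\s*:\s*(\d+)", RegexOptions.IgnoreCase);

    // Returns the infection count, or null when the report has no such line.
    public static int? ParseInfectionCount(string reportText)
    {
        Match m = InfectionLine.Match(reportText ?? "");
        int n;
        return m.Success && int.TryParse(m.Groups[1].Value, out n) ? n : (int?)null;
    }

    // True only when the scanner finished in time and reported zero infections.
    public static bool IsClean(string filePath, int timeoutMs = 60000)
    {
        // One report per scan, so concurrent uploads never share a result file.
        string report = Path.Combine(ReportDir, Guid.NewGuid().ToString("N") + ".txt");
        try
        {
            var psi = new ProcessStartInfo(ScannerExe, "/SCAN=" + filePath + " /REPORT=" + report)
            { UseShellExecute = false, CreateNoWindow = true };
            using (Process p = Process.Start(psi))
            {
                if (!p.WaitForExit(timeoutMs))
                {
                    p.Kill();          // hung scan: stop it and reject the upload
                    p.WaitForExit();
                    return false;
                }
            }
            if (!File.Exists(report)) return false;                    // no report: reject
            return ParseInfectionCount(File.ReadAllText(report)) == 0; // null is not 0: reject
        }
        catch (Exception) { return false; }                            // any failure: reject
        finally
        {
            try { File.Delete(report); } catch (IOException) { }       // best-effort cleanup
        }
    }
}
```

In the ValidatingFile handler this would be called as `e.IsValid = UploadScanner.IsClean(e.UploadedFile.TempFileName);`, with the existing File.Delete() call kept for rejected files.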

Conclusion

In this article, we have discussed how to handle anti-virus file scanning from ASP.Net applications. The scanning implementations currently available on the market are proprietary to the third-party vendors such as McAfee. You will need to buy a license to use internal APIs of such Anti-Virus packages.