How to Check for Obfuscated Malware Threats in AWS S3 Storage using Node.js

Cloudmersive
4 min read · Dec 13, 2023


Obfuscated malware is typically crafted to slip past antivirus policies without our knowledge. When such files get through our nets, we may not recognize the threat for days, weeks, or even months, until someone opens one of those files and its contents execute, initiating a cyberattack.

One particularly vulnerable location for obfuscated malware threats is cloud storage. If, for example, we allow direct file uploads through one of our client-facing web applications and store those files in an S3 bucket, we might unwittingly harbor malicious content in that bucket and put internal or external clients at risk of initiating an attack.

Thankfully, using the code below, we can take advantage of an API designed to scan files in our AWS S3 buckets for viruses, malware, and custom (obfuscated) content threats. The service detects virus and malware threats dynamically, combining zero-day threat analysis with signature-based detection, and it also lets us set rules against unnecessary and potentially dangerous file types, which is the most reliable way to cut down obfuscated content threats. We can, for example, categorically block executables, invalid files, password-protected files, unsafe archives, and more. Each excluded file type is detected through in-depth content verification that reads past the file extension, so a renamed executable is still caught.

To authorize our requests, we need an API key; a free-tier key allows up to 800 file scans per month with no additional commitments.

We can then structure our API call in a few quick steps. First, we need to install the SDK, which we can do by either running this command:

npm install cloudmersive-virus-api-client --save

Or by adding this snippet to our package.json:

  "dependencies": {
    "cloudmersive-virus-api-client": "^1.1.9"
  }

Next, before we call our function, we’ll need to have the following mandatory request parameters ready:

  1. Access Key — the AWS S3 access key for the S3 bucket
  2. Secret Key — the AWS S3 secret key for the S3 bucket
  3. Bucket Region — the name of the region of the S3 bucket
  4. Bucket Name — the name of the S3 bucket
  5. Key Name — also called the file name; the name of the file in S3 that you want to scan (if the key name contains Unicode characters, it must be base64 encoded and prepended with ‘base64:’)
  6. (Optional) Role ARN — for advanced access using the Security Token Service

Note that the access key and secret key are forwarded to the scanning service so that it can read the object, so they should belong to a dedicated IAM user (or the optional role) that can only read the bucket in question, and they should be loaded from the environment or a secrets store rather than hardcoded in source.

Once we have the mandatory information ready, we can customize our threat detection parameters and call the function using the below code:

var CloudmersiveVirusApiClient = require('cloudmersive-virus-api-client');
var defaultClient = CloudmersiveVirusApiClient.ApiClient.instance;

// Configure API key authorization: Apikey (read from the environment rather than hardcoded)
var Apikey = defaultClient.authentications['Apikey'];
Apikey.apiKey = process.env.CLOUDMERSIVE_API_KEY;

var apiInstance = new CloudmersiveVirusApiClient.ScanCloudStorageApi();

// These AWS credentials are sent to the scanning service, so use a read-only IAM principal for the bucket
var accessKey = process.env.AWS_ACCESS_KEY_ID; // String | AWS S3 access key for the S3 bucket; you can get this from My Security Credentials in the AWS console

var secretKey = process.env.AWS_SECRET_ACCESS_KEY; // String | AWS S3 secret key for the S3 bucket; you can get this from My Security Credentials in the AWS console

var bucketRegion = "bucketRegion_example"; // String | Name of the region of the S3 bucket, such as 'US-East-1'

var bucketName = "bucketName_example"; // String | Name of the S3 bucket

var keyName = "keyName_example"; // String | Key name (also called file name) of the file in S3 that you wish to scan for viruses. If the key name contains Unicode characters, you must base64 encode the key name and prepend it with 'base64:', such as: 'base64:6ZWV6ZWV6ZWV6ZWV6ZWV6ZWV'.

// Every "allow" flag defaults to false, which is the recommended setting; flip one to true only if you must accept that file class
var opts = {
  'allowExecutables': false, // Boolean | Set to false to block executable files (program code) from being allowed in the input file. Default is false (recommended).
  'allowInvalidFiles': false, // Boolean | Set to false to block invalid files, such as a PDF file that is not really a valid PDF file, or a Word Document that is not a valid Word Document. Default is false (recommended).
  'allowScripts': false, // Boolean | Set to false to block script files, such as PHP files, Python scripts, and other malicious content or security threats that can be embedded in the file. Set to true to allow these file types. Default is false (recommended).
  'allowPasswordProtectedFiles': false, // Boolean | Set to false to block password protected and encrypted files, such as encrypted zip and rar files, and other files that seek to circumvent scanning through passwords. Set to true to allow these file types. Default is false (recommended).
  'allowMacros': false, // Boolean | Set to false to block macros and other threats embedded in document files, such as Word, Excel and PowerPoint embedded Macros, and other files that contain embedded content threats. Set to true to allow these file types. Default is false (recommended).
  'allowXmlExternalEntities': false, // Boolean | Set to false to block XML External Entities and other threats embedded in XML files, and other files that contain embedded content threats. Set to true to allow these file types. Default is false (recommended).
  'restrictFileTypes': ".pdf,.docx,.png" // String | Specify a restricted set of file formats to allow as clean as a comma-separated list of file formats, such as .pdf,.docx,.png would allow only PDF, PNG and Word document files. All files must pass content verification against this list of file formats; if they do not, then the result will be returned as CleanResult=false. Set restrictFileTypes parameter to null or empty string to disable; default is disabled.
};

// The result is an object, so serialize it instead of relying on string concatenation ("[object Object]")
var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + JSON.stringify(data, null, 2));
  }
};
apiInstance.scanCloudStorageScanAwsS3FileAdvanced(accessKey, secretKey, bucketRegion, bucketName, keyName, opts, callback);
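The SDK call above only logs the raw result object. The following is an added example (not code from the original post or from the Cloudmersive SDK) of what a practitioner would wrap around that call: it encodes the key name according to the base64 rule stated earlier, builds a strict option set, and turns the scan result into a fail-closed allow/block decision. The result field names it reads (Successful, CleanResult, FoundViruses, and the Contains* flags) are assumed from the SDK's advanced scan result model and should be checked against the installed version; the API client is injected so the whole flow can be exercised offline against a constructed stub, with no API key or network access.

```javascript
// Added example, not code from the original post or the Cloudmersive SDK.
// Assumed: the scan result carries the fields read in classify() (Successful,
// CleanResult, FoundViruses, Contains*); verify them against the SDK's result model.

// S3 keys containing non-ASCII characters must be sent base64-encoded with a
// "base64:" prefix; plain ASCII keys are passed through unchanged.
function encodeKeyName(key) {
  var ascii = true;
  for (var i = 0; i < key.length; i++) {
    if (key.charCodeAt(i) > 0x7f) { ascii = false; break; }
  }
  return ascii ? key : 'base64:' + Buffer.from(key, 'utf8').toString('base64');
}

// Strict policy: block every category the scan can flag and only accept the
// listed formats (content-verified, so a renamed .exe does not pass as .pdf).
function strictScanOptions(allowedFormats) {
  return {
    allowExecutables: false,
    allowInvalidFiles: false,
    allowScripts: false,
    allowPasswordProtectedFiles: false,
    allowMacros: false,
    allowXmlExternalEntities: false,
    restrictFileTypes: allowedFormats.join(',')
  };
}

// Assumed flag field names and the reason reported when each is true.
var FLAG_REASONS = {
  ContainsExecutable: 'executable',
  ContainsInvalidFile: 'invalid file',
  ContainsScript: 'script',
  ContainsPasswordProtectedFile: 'password-protected',
  ContainsMacros: 'macros',
  ContainsXmlExternalEntities: 'XML external entities',
  ContainsRestrictedFileFormat: 'format not on the allow list'
};

// Fail closed: anything other than an explicit clean result is not allowed.
function classify(result) {
  if (!result || result.Successful === false) {
    var why = (result && result.ErrorDetailedDescription) || 'scan did not complete';
    return { verdict: 'error', reasons: [why] };
  }
  var reasons = [];
  if (Array.isArray(result.FoundViruses)) {
    result.FoundViruses.forEach(function (v) {
      reasons.push('virus: ' + v.VirusName + ' in ' + v.FileName);
    });
  }
  Object.keys(FLAG_REASONS).forEach(function (field) {
    if (result[field] === true) reasons.push(FLAG_REASONS[field]);
  });
  if (result.CleanResult === true && reasons.length === 0) {
    return { verdict: 'clean', reasons: [] };
  }
  if (reasons.length === 0) reasons.push('CleanResult was not true');
  return { verdict: 'block', reasons: reasons };
}

// Promise wrapper over the callback-style SDK method. `api` is injected (in
// production pass new CloudmersiveVirusApiClient.ScanCloudStorageApi()) so the
// flow can be tested with a stub and no network.
function scanS3Object(api, creds, bucket, key, opts) {
  return new Promise(function (resolve, reject) {
    api.scanCloudStorageScanAwsS3FileAdvanced(
      creds.accessKey, creds.secretKey, bucket.region, bucket.name,
      encodeKeyName(key), opts,
      function (error, data) {
        if (error) { reject(error); return; }
        resolve(classify(data));
      });
  });
}

// Constructed stub standing in for the real client: canned results shaped like
// the assumed result model, keyed on the object name. Not real scan output.
var SAMPLE_RESULTS = {
  'uploads/invoice.pdf': { Successful: true, CleanResult: true, FoundViruses: null, VerifiedFileFormat: '.pdf' },
  'uploads/setup.pdf': { Successful: true, CleanResult: false, ContainsExecutable: true, FoundViruses: null, VerifiedFileFormat: '.exe' },
  'uploads/eicar.zip': { Successful: true, CleanResult: false, FoundViruses: [{ FileName: 'eicar.com', VirusName: 'EICAR-Test-File' }] }
};
var stubApi = {
  scanCloudStorageScanAwsS3FileAdvanced: function (ak, sk, region, bucket, key, opts, cb) {
    var r = SAMPLE_RESULTS[key];
    if (!r) { cb(null, { Successful: false, ErrorDetailedDescription: 'NoSuchKey: ' + key }); return; }
    cb(null, r);
  }
};

// Scan every sample key (plus one that does not exist) and report the verdicts.
function demo() {
  var creds = { accessKey: 'accessKey_example', secretKey: 'secretKey_example' };
  var bucket = { region: 'us-east-1', name: 'uploads-bucket' };
  var opts = strictScanOptions(['.pdf', '.docx', '.png']);
  var keys = Object.keys(SAMPLE_RESULTS).concat(['uploads/missing.bin']);
  return Promise.all(keys.map(function (key) {
    return scanS3Object(stubApi, creds, bucket, key, opts).then(function (d) {
      return key + ': ' + d.verdict + (d.reasons.length ? ' (' + d.reasons.join(', ') + ')' : '');
    });
  }));
}

demo().then(function (lines) { lines.forEach(function (l) { console.log(l); }); });
```

The important design choice is that only an explicit CleanResult of true with no flags set yields "clean"; a failed scan, a missing object, or a result with CleanResult false but no specific flag all end up as not allowed, so an upload is never released because the scanner was unreachable.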

Now we can systematically check the files in our AWS S3 buckets for viruses and banned content types without having to download them onto our own systems first.

Written by Cloudmersive

There’s an API for that. Cloudmersive is a leader in Highly Scalable Cloud APIs.
