How to Virus Scan Image Files in Azure Blob Storage using C# .NET Framework
The image files uploaded to and residing in our Azure Blob containers can contain viruses, malware, and even non-malware threats to our system. Scanning these files for latent threats should always remain a high priority.
Using the ready-to-run code provided below, we can take advantage of a free API to scan individual files residing in Azure Blob cloud storage for viruses, malware, and a variety of threatening content types.
The malware-focused portion of the scan performs signature-based scanning and predictive zero-day threat scanning, while the content verification portion of the scan checks if files are valid.
The content verification service further identifies scripts, executables, HTML, embedded links/objects, and other threatening content types which attackers can use to exploit vulnerabilities in our applications. This also allows us to restrict file formats by entering a comma-separated list of acceptable file extensions in the API request body.
To set up our API call, we’ll need to start by obtaining a few important details about our Azure Blob container. We’ll need the following:
1. Connection String (get from the Access Keys tab of the Storage Account blade in the Azure Portal)
2. Container Name (name of the Blob container within the Azure Blob storage account)
3. Blob Path (path to the blob within the container; if the blob path contains Unicode characters, you’ll need to base64 encode the blob path and prepend it with “base64:”)
Now we can go ahead and install the SDK. Let’s run the following command in our Package Manager console to install via NuGet:
Install-Package Cloudmersive.APIClient.NET.VirusScan -Version 3.0.4
Next, let’s focus on request authorization. We’ll need a free-tier API key to make our API calls, and this will allow us to scan up to 800 files per month with no commitments.
Finally, let’s go ahead and call our blob-scanning function.
using System;
using System.Diagnostics;
using Cloudmersive.APIClient.NET.VirusScan.Api;
using Cloudmersive.APIClient.NET.VirusScan.Client;
using Cloudmersive.APIClient.NET.VirusScan.Model;

namespace Example
{
    public class ScanCloudStorageScanAzureBlobAdvancedExample
    {
        public static void Main()
        {
            // Configure API key authorization: Apikey
            Configuration.Default.AddApiKey("Apikey", "YOUR_API_KEY");
            var apiInstance = new ScanCloudStorageApi();

            // string | Connection string for the Azure Blob Storage Account; you can get this from the Access Keys tab of the Storage Account blade in the Azure Portal.
            var connectionString = "YOUR_CONNECTION_STRING";
            // string | Name of the Blob container within the Azure Blob Storage account
            var containerName = "YOUR_CONTAINER_NAME";
            // string | Path to the blob within the container, such as 'hello.pdf' or '/folder/subfolder/world.pdf'. If the blob path contains Unicode characters, you must base64 encode the blob path and prepend it with 'base64:', such as: 'base64:6ZWV6ZWV6ZWV6ZWV6ZWV6ZWV'.
            var blobPath = "hello.pdf";

            // Threat rules (all optional). Every rule below is left at false, the default and recommended value; set one to true only to allow that content type.
            // bool? | false blocks executable files (program code) in the input file.
            var allowExecutables = false;
            // bool? | false blocks invalid files, such as a PDF file that is not really a valid PDF file, or a Word Document that is not a valid Word Document.
            var allowInvalidFiles = false;
            // bool? | false blocks script files, such as PHP files, Python scripts, and other malicious content or security threats that can be embedded in the file.
            var allowScripts = false;
            // bool? | false blocks password protected and encrypted files, such as encrypted zip and rar files, and other files that seek to circumvent scanning through passwords.
            var allowPasswordProtectedFiles = false;
            // bool? | false blocks macros and other threats embedded in document files, such as Word, Excel and PowerPoint embedded Macros.
            var allowMacros = false;
            // bool? | false blocks XML External Entities and other threats embedded in XML files.
            var allowXmlExternalEntities = false;
            // string | Comma-separated list of file formats to allow as clean; '.pdf,.docx,.png' would allow only PDF, PNG and Word document files. Files that do not pass content verification against this list are returned as CleanResult=false. Set to null or empty string to disable; default is disabled. (optional)
            var restrictFileTypes = ".png,.pdf,.jpg";

            try
            {
                // Advanced Scan an Azure Blob for viruses
                CloudStorageAdvancedVirusScanResult result = apiInstance.ScanCloudStorageScanAzureBlobAdvanced(connectionString, containerName, blobPath, allowExecutables, allowInvalidFiles, allowScripts, allowPasswordProtectedFiles, allowMacros, allowXmlExternalEntities, restrictFileTypes);
                Debug.WriteLine(result);
            }
            catch (Exception e)
            {
                Debug.Print("Exception when calling ScanCloudStorageApi.ScanCloudStorageScanAzureBlobAdvanced: " + e.Message);
            }
        }
    }
}
When we copy the above code into our file, let’s make sure to customize the various threat rules to our liking. It’s safest to set every Boolean to “false”, and if we want to limit file types altogether, we can enter a comma-separated list such as “.png,.pdf,.jpg” into the restrictFileTypes parameter. This means any files that don’t pass in-depth content verification checks against those file types will be flagged (returned with CleanResult=false).
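As an added example (not Cloudmersive's own code), the wrapper below applies the strictest settings described above, encodes Unicode blob paths with the “base64:” prefix, and fails closed: an exception, a null result, or an unsuccessful scan is treated the same as a dirty file. The class name BlobScanGate, its method names and the two environment variable names are assumptions; Successful and CleanResult are properties of the SDK's result model, and UTF-8 is assumed for the encoded path because the SDK's sample value decodes as UTF-8.

```csharp
using System;
using System.Linq;
using System.Text;
using Cloudmersive.APIClient.NET.VirusScan.Api;
using Cloudmersive.APIClient.NET.VirusScan.Client;
using Cloudmersive.APIClient.NET.VirusScan.Model;

// Hypothetical helper (not part of the SDK): gate any further processing of a blob on its result.
public static class BlobScanGate
{
    // Non-ASCII paths are sent as "base64:" + Base64(UTF-8 bytes of the path).
    // UTF-8 is an assumption, chosen because the SDK's sample value decodes as UTF-8.
    public static string EncodeBlobPath(string blobPath)
    {
        if (blobPath.All(c => c <= 0x7F)) return blobPath; // plain ASCII is sent as-is
        return "base64:" + Convert.ToBase64String(Encoding.UTF8.GetBytes(blobPath));
    }

    // Returns true only when the scan completed AND the blob passed every rule.
    // Missing secrets, exceptions, a null result or Successful != true all mean "not clean".
    public static bool IsBlobClean(string containerName, string blobPath, string allowedTypes)
    {
        // Assumed environment variable names; this keeps secrets out of source control.
        string apiKey = Environment.GetEnvironmentVariable("CLOUDMERSIVE_API_KEY");
        string connectionString = Environment.GetEnvironmentVariable("AZURE_STORAGE_CONNECTION_STRING");
        if (string.IsNullOrEmpty(apiKey) || string.IsNullOrEmpty(connectionString)) return false;

        try
        {
            Configuration.Default.AddApiKey("Apikey", apiKey);
            // The six 'false' arguments are, in order: allowExecutables, allowInvalidFiles,
            // allowScripts, allowPasswordProtectedFiles, allowMacros, allowXmlExternalEntities.
            CloudStorageAdvancedVirusScanResult result =
                new ScanCloudStorageApi().ScanCloudStorageScanAzureBlobAdvanced(
                    connectionString, containerName, EncodeBlobPath(blobPath),
                    false, false, false, false, false, false, allowedTypes);
            return result != null && result.Successful == true && result.CleanResult == true;
        }
        catch (Exception e)
        {
            Console.Error.WriteLine("Scan failed, treating blob as unsafe: " + e.Message);
            return false;
        }
    }
}
```

A caller would check `BlobScanGate.IsBlobClean("uploads", "photos/cat.png", ".png,.jpg")` (constructed container and path) before serving or processing the blob, and leave the file untouched on a false result.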