Automated Virus Scanning Integration
Integrating automated malware detection into your upload pipeline ensures enterprise-grade security before files reach production storage. This workflow bridges Direct-to-Cloud Upload Patterns with robust Backend Validation & Cloud Storage Architecture to intercept threats at the edge.
By scanning files asynchronously, teams maintain low-latency user experiences while enforcing strict security defaults. The pipeline relies on cloud event notifications, isolated quarantine routing, and SDK-driven streaming.
Event-Driven Scan Triggers
Configure your cloud storage to emit ObjectCreated events immediately upon upload completion. These notifications invoke serverless functions without blocking the client connection. Always route initial payloads to an isolated quarantine bucket rather than your primary production directory.
This prevents accidental exposure during the validation window. Implement idempotency checks using object metadata or a tracking table to prevent duplicate scans from eventual-consistency retries.
// trigger-scan.js (Node.js 18+)
const { S3Client, CopyObjectCommand } = require("@aws-sdk/client-s3");
const { DynamoDBClient, PutItemCommand } = require("@aws-sdk/client-dynamodb");
const s3 = new S3Client({ region: process.env.AWS_REGION });
const ddb = new DynamoDBClient({ region: process.env.AWS_REGION });
exports.handler = async (event) => {
const record = event.Records?.[0];
if (!record) throw new Error("Invalid S3 event payload");
const { bucket, object: { key } } = record.s3;
const scanId = `${key}-${record.eventTime}`;
// Idempotency guard using conditional writes
try {
await ddb.send(new PutItemCommand({
TableName: process.env.SCAN_TRACKER_TABLE,
Item: { ScanId: { S: scanId }, Status: { S: "PENDING" } },
ConditionExpression: "attribute_not_exists(ScanId)"
}));
} catch (err) {
if (err.name === "ConditionalCheckFailedException") return;
throw new Error(`Idempotency check failed: ${err.message}`);
}
// Route to quarantine bucket for safe processing
await s3.send(new CopyObjectCommand({
CopySource: `${bucket}/${encodeURIComponent(key)}`,
Bucket: process.env.QUARANTINE_BUCKET,
Key: key,
MetadataDirective: "REPLACE",
Metadata: { "scan-status": "pending", "original-bucket": bucket }
}));
};SDK Integration & Security Defaults
Never load entire payloads into memory. Serverless environments enforce strict memory limits, and large files will crash the scanner. Instead, stream bytes directly from cloud storage to your antivirus engine using official SDKs.
Enforce TLS 1.2+ and signed requests for all engine communications. Integrate this step seamlessly with S3 Presigned URL Workflows to validate payloads before granting downstream access. Apply strict timeout defaults with exponential backoff to handle transient network failures.
# stream_scanner.py (Python 3.9+)
import boto3
import httpx
import asyncio
from botocore.exceptions import ClientError
SCANNER_ENDPOINT = "https://av-engine.internal/api/v1/scan"
MAX_RETRIES = 3
TIMEOUT_SEC = 30.0
async def scan_with_retry(bucket: str, key: str) -> dict:
s3 = boto3.client("s3")
attempt = 0
while attempt < MAX_RETRIES:
try:
response = s3.get_object(Bucket=bucket, Key=key)
stream = response["Body"]
# Stream in 1MB chunks to prevent memory exhaustion
async with httpx.AsyncClient(timeout=TIMEOUT_SEC, verify=True) as client:
async with client.stream("POST", SCANNER_ENDPOINT, content=stream) as resp:
resp.raise_for_status()
return await resp.json()
except (ClientError, httpx.RequestError) as e:
attempt += 1
if attempt == MAX_RETRIES:
raise RuntimeError(f"Scan failed after {MAX_RETRIES} attempts: {e}") from e
await asyncio.sleep(2 ** attempt) # Exponential backoffFor engine-specific configuration and containerized deployment strategies, refer to Implementing ClamAV for uploaded file scanning.
Result Routing & Metadata Indexing
Parse scan outputs to determine the next routing step. Tag objects with scan-status: clean, malicious, or error. Trigger downstream indexing pipelines exclusively for verified assets.
Implement a strict fail-closed policy where ambiguous or timed-out results default to quarantine rather than production. This ensures zero-trust compliance across your storage lifecycle.
// route-result.js (Node.js 18+)
const { S3Client, PutObjectTaggingCommand, CopyObjectCommand, DeleteObjectCommand } = require("@aws-sdk/client-s3");
const s3 = new S3Client({ region: process.env.AWS_REGION });
const ROUTING_POLICY = {
clean: { tag: "clean", action: "promote" },
malicious: { tag: "malicious", action: "quarantine" },
error: { tag: "error", action: "quarantine" }, // Fail-closed default
};
exports.routeScanResult = async (scanResult, quarantineBucket, productionBucket, key) => {
const verdict = scanResult?.verdict || "error";
const policy = ROUTING_POLICY[verdict] || ROUTING_POLICY.error;
await s3.send(new PutObjectTaggingCommand({
Bucket: quarantineBucket,
Key: key,
Tagging: { TagSet: [{ Key: "scan-status", Value: policy.tag }] }
}));
if (policy.action === "promote") {
await s3.send(new CopyObjectCommand({
CopySource: `${quarantineBucket}/${encodeURIComponent(key)}`,
Bucket: productionBucket,
Key: key,
TaggingDirective: "REPLACE",
Tagging: "scan-status=clean"
}));
await s3.send(new DeleteObjectCommand({ Bucket: quarantineBucket, Key: key }));
console.log(`Promoted ${key} to production.`);
} else {
console.log(`Quarantined ${key} due to ${verdict} verdict.`);
// Trigger alerting pipeline here
}
};Common Pitfalls & Mitigations
Blocking client uploads during synchronous scans
Waiting for scan completion before returning a 200 OK increases latency and causes frontend timeouts. Decouple uploads using presigned URLs and trigger scans asynchronously via event bridges.
Unbounded memory consumption on large files Loading entire payloads into function memory exceeds serverless limits and crashes the scanner. Use SDK streaming APIs to pipe bytes directly to the antivirus engine in fixed-size chunks.
False positives bypassing quarantine Default error handling may route failed scans to production storage instead of quarantine. Implement a strict fail-closed policy where any non-clean or timeout result defaults to quarantine until manual review.
Frequently Asked Questions
How do I handle scan timeouts for files over 1GB?
Implement chunked streaming with a serverless container that supports extended execution times. Alternatively, delegate to a managed malware detection API with built-in large-file support and resumable upload capabilities.
What happens if the scanning service goes down?
Route events to a dead-letter queue (DLQ) and enforce a fail-closed quarantine policy. The backlog remains isolated until the service recovers and processes pending payloads.
Can I skip scanning for trusted internal uploads?
Yes, by tagging uploads with a verified source header. Enforce strict IAM policies to prevent header spoofing and maintain immutable audit trails for compliance reviews.