security_malware_scanner
Version: v1.3.0
As of: December 2025
Status: ✅ Implemented (audit requirement)
Category: 🔒 Security
The ThemisDB Malware Scanner is a security component in the content-ingestion pipeline. It checks every incoming file for malware before it is stored in the database.
| Requirement | Standard | Status |
|---|---|---|
| Malware Protection | BSI C5 (OPS-12) | ✅ Implemented |
| Controls against malware | ISO 27001 A.12.2.1 | ✅ Implemented |
| Supply chain security | NIS2 Art. 21(2)(d) | ✅ Implemented |
| Security monitoring | SOC 2 CC6.8 | ✅ Implemented |
```text
┌─────────────────────────────────────────────────────────────┐
│                   Content Import Request                    │
└─────────────────────────────────────────────────────────────┘
                               │
                               ▼
┌─────────────────────────────────────────────────────────────┐
│                    MalwareFilterManager                     │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐  │
│  │  Signature  │  │   ClamAV    │  │   Custom Scanner    │  │
│  │   Scanner   │  │ (Optional)  │  │    (Extensible)     │  │
│  │ (Built-in)  │  │             │  │                     │  │
│  └─────────────┘  └─────────────┘  └─────────────────────┘  │
└─────────────────────────────────────────────────────────────┘
                               │
               ┌───────────────┴───────────────┐
               │                               │
               ▼                               ▼
       ┌────────────────┐              ┌────────────────┐
       │    BLOCKED     │              │    ALLOWED     │
       │ (Threat found) │              │(Content clean) │
       └────────────────┘              └────────────────┘
               │                               │
               ▼                               ▼
       ┌────────────────┐              ┌────────────────┐
       │   Audit Log    │              │ Store Content  │
       │   (SECURITY)   │              │  + Audit Log   │
       └────────────────┘              └────────────────┘
```
```yaml
# config/security.yaml
malware_scan:
  enabled: true                # Master switch
  block_on_threat: true        # Block uploads when a threat is found
  block_threshold: MEDIUM      # Minimum level that triggers blocking (CLEAN, LOW, MEDIUM, HIGH, CRITICAL)
  scan_all_files: true         # Scan all files (not only executables)
  max_scan_size_mb: 100        # Maximum file size to scan (MB)
  scan_timeout_seconds: 30     # Timeout per scanner
  require_all_scanners: false  # All scanners must pass
  audit_logging: true          # Log scan results

  # MIME types that are skipped
  skip_mime_types: []

  # Enabled scanners (empty = all)
  enabled_scanners:
    - SignatureScanner
    - ClamAV                   # Optional, if ClamAV is installed

  # ClamAV configuration (optional)
  clamav:
    host: "127.0.0.1"
    port: 3310
```

The same settings in JSON form:

```json
{
  "malware_scan": {
    "enabled": true,
    "block_on_threat": true,
    "block_threshold": "MEDIUM",
    "scan_all_files": true,
    "max_scan_size_mb": 100,
    "scan_timeout_seconds": 30,
    "require_all_scanners": false,
    "audit_logging": true,
    "skip_mime_types": [],
    "enabled_scanners": ["SignatureScanner", "ClamAV"]
  }
}
```

| Level | Description | Default action |
|---|---|---|
| CLEAN | No threat detected | Allow |
| LOW | Potentially unwanted (PUA) | Allow + warning |
| MEDIUM | Suspicious (signature match) | Block (default) |
| HIGH | Malware detected | Block |
| CRITICAL | Known dangerous malware | Block |
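As an added example (not ThemisDB code), the following Python sketch shows how the threat levels in the table combine with the `block_threshold`, `block_on_threat`, `require_all_scanners`, `max_scan_size_mb` and `skip_mime_types` settings to produce the BLOCKED/ALLOWED action that ends up in the audit log. The `CONFIG` dict and the fail-closed handling of oversized files are assumptions of the example.

```python
"""Added example (not ThemisDB code): the blocking decision described by the
threat-level table and the malware_scan config. CONFIG is a constructed dict
that mirrors the config/security.yaml keys shown above."""
from dataclasses import dataclass
from typing import List, Optional

LEVELS = ["CLEAN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]  # ordered as in the table

@dataclass
class ScannerResult:
    scanner_name: str
    threat_level: str = "CLEAN"
    threat_name: Optional[str] = None
    error: bool = False  # scanner failed, was unavailable or timed out

CONFIG = {
    "enabled": True, "block_on_threat": True, "block_threshold": "MEDIUM",
    "max_scan_size_mb": 100, "require_all_scanners": False, "skip_mime_types": [],
}

def rank(level: str) -> int:
    return LEVELS.index(level)

def decide(results: List[ScannerResult], file_size: int, mime_type: str,
           cfg: dict = CONFIG) -> dict:
    """Aggregate scanner verdicts into the action recorded in the audit log."""
    if not cfg["enabled"] or mime_type in cfg["skip_mime_types"]:
        return {"action": "ALLOWED", "highest_threat": "CLEAN", "reason": "scan skipped"}
    if file_size > cfg["max_scan_size_mb"] * 1024 * 1024:
        # Assumption of this example: oversized files fail closed instead of bypassing the scan
        return {"action": "BLOCKED", "highest_threat": "CLEAN", "reason": "exceeds max_scan_size_mb"}
    verdicts = [r for r in results if not r.error]
    errors = [r.scanner_name for r in results if r.error]
    highest = max((r.threat_level for r in verdicts), key=rank, default="CLEAN")
    blocked = cfg["block_on_threat"] and rank(highest) >= rank(cfg["block_threshold"])
    # require_all_scanners: a scanner that produced no verdict cannot "pass", so block
    if cfg["require_all_scanners"] and errors:
        blocked = True
    detected = [r for r in verdicts if r.threat_level != "CLEAN"]
    return {
        "action": "BLOCKED" if blocked else "ALLOWED",
        "highest_threat": highest,
        "scanners_used": len(results),
        "scanners_detected": len(detected),
        # Findings below the threshold (e.g. LOW/PUA) are allowed but surfaced as warnings
        "warnings": [r.threat_name for r in detected if rank(r.threat_level) < rank(cfg["block_threshold"])],
        "scan_errors": errors,
    }
```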
The built-in signature scanner detects:
- Executables inside documents: PE (Windows), ELF (Linux) and Mach-O (macOS) headers in non-executable MIME types
- Double file extensions: e.g. report.pdf.exe
- Archive bombs: suspicious nested archives (ZIP bombs)
- Known malware signatures: EICAR test, ransomware patterns
- Suspicious patterns: PowerShell-encoded commands, Office macros
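As an added example, not the project's own code, here is a Python sketch of three of these built-in checks (executable headers under a non-executable MIME type, double extensions, and byte signatures), with custom signatures registered the way the C++ `addSignature` API below does: name, hex pattern, offset (0 = start, -1 = anywhere) and threat level. The MIME-type and extension lists and the levels assigned are assumptions of the example.

```python
"""Added example (not ThemisDB code): a subset of the built-in checks listed
above, plus custom byte signatures registered like the C++ addSignature API.
The MIME/extension lists and threat levels are assumptions of this example."""
import binascii
from typing import List, Tuple

EXEC_MIME = {"application/x-executable", "application/x-dosexec",
             "application/x-mach-binary", "application/vnd.microsoft.portable-executable"}
EXEC_MAGIC = {b"MZ": "PE", b"\x7fELF": "ELF",
              b"\xfe\xed\xfa\xce": "Mach-O", b"\xfe\xed\xfa\xcf": "Mach-O",
              b"\xce\xfa\xed\xfe": "Mach-O", b"\xcf\xfa\xed\xfe": "Mach-O"}
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".dll"}
# Constructed sample: the EICAR test string documented on this page
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

class SignatureScanner:
    def __init__(self) -> None:
        # (name, pattern bytes, offset, level); offset -1 = match anywhere
        self.signatures = [("EICAR_Test", EICAR, -1, "MEDIUM")]

    def add_signature(self, name: str, hex_pattern: str, offset: int, level: str) -> None:
        self.signatures.append((name, binascii.unhexlify(hex_pattern), offset, level))

    def scan(self, data: bytes, filename: str, mime_type: str) -> List[Tuple[str, str]]:
        """Return (threat_name, level) findings; an empty list means CLEAN."""
        findings = []
        # 1. Executable header inside a file declared as a non-executable MIME type
        if mime_type not in EXEC_MIME:
            for magic, kind in EXEC_MAGIC.items():
                if data.startswith(magic):
                    findings.append((f"{kind}_in_{mime_type}", "HIGH"))
        # 2. Double extension such as report.pdf.exe (last part is executable)
        parts = filename.lower().rsplit(".", 2)
        if len(parts) == 3 and "." + parts[2] in EXEC_EXT:
            findings.append(("Double_Extension", "MEDIUM"))
        # 3. Byte signatures: at a fixed offset, or anywhere for offset -1
        for name, pattern, offset, level in self.signatures:
            hit = pattern in data if offset == -1 else data.startswith(pattern, offset)
            if hit:
                findings.append((name, level))
        return findings
```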
```cpp
// C++ API
#include <memory>
#include <utility>

auto scanner = std::make_unique<SignatureScanner>();
scanner->addSignature(
    "Custom_Malware",           // Name
    "4D616C776172655369676E",   // Hex pattern
    0,                          // Offset (0 = start, -1 = anywhere)
    ThreatLevel::HIGH           // Threat level
);
malware_filter->registerScanner(std::move(scanner));
```

Connects to a ClamAV daemon for professional AV scanning.
```bash
# Install ClamAV
sudo apt-get install clamav clamav-daemon

# Update signatures
sudo freshclam

# Start the daemon
sudo systemctl start clamav-daemon
sudo systemctl enable clamav-daemon

# Check status
clamdscan --ping
```

```yaml
# docker-compose.yml
services:
  clamav:
    image: clamav/clamav:latest
    ports:
      - "3310:3310"
    volumes:
      - clamav-data:/var/lib/clamav
    restart: unless-stopped

volumes:
  clamav-data:
```

Custom scanners can be added by implementing the IMalwareScanner interface:
```cpp
#include <chrono>
#include <optional>
#include <string>

class MyCustomScanner : public IMalwareScanner {
public:
    std::string getName() const override { return "MyScanner"; }
    bool isAvailable() const override { return true; }

    ScanResult scan(
        const std::string& data,
        const std::string& filename,
        const std::string& mime_type
    ) override {
        ScanResult result;
        result.scanner_name = getName();
        // Custom scan logic goes here
        return result;
    }

    std::string getVersion() const override { return "1.0"; }
    std::optional<std::chrono::system_clock::time_point> getLastUpdate() const override {
        return std::nullopt;
    }
};
```

Exported Prometheus metrics:

```text
# HELP themis_malware_scans_total Total number of malware scans
# TYPE themis_malware_scans_total counter
themis_malware_scans_total 12345
# HELP themis_malware_clean_scans_total Number of clean scans
# TYPE themis_malware_clean_scans_total counter
themis_malware_clean_scans_total 12340
# HELP themis_malware_threats_detected_total Number of threats detected
# TYPE themis_malware_threats_detected_total counter
themis_malware_threats_detected_total 5
# HELP themis_malware_blocked_uploads_total Number of blocked uploads
# TYPE themis_malware_blocked_uploads_total counter
themis_malware_blocked_uploads_total 3
# HELP themis_malware_scan_errors_total Number of scan errors
# TYPE themis_malware_scan_errors_total counter
themis_malware_scan_errors_total 2
# HELP themis_malware_bytes_scanned_total Total bytes scanned
# TYPE themis_malware_bytes_scanned_total counter
themis_malware_bytes_scanned_total 1073741824
# HELP themis_malware_scan_duration_ms_total Total scan time in milliseconds
# TYPE themis_malware_scan_duration_ms_total counter
themis_malware_scan_duration_ms_total 45678
```
All scan results are recorded in the audit log:

```json
{
  "timestamp": "2025-12-02T20:45:00Z",
  "event_type": "MALWARE_SCAN",
  "severity": "HIGH",
  "content_id": "abc123",
  "filename": "document.pdf",
  "file_size": 1048576,
  "file_hash": "sha256:abc...",
  "scan_result": {
    "clean": false,
    "highest_threat": "HIGH",
    "scanners_used": 2,
    "scanners_detected": 1,
    "total_duration_ms": 150,
    "scanner_results": [
      {
        "scanner_name": "SignatureScanner",
        "clean": true,
        "threat_level": "CLEAN"
      },
      {
        "scanner_name": "ClamAV",
        "clean": false,
        "threat_level": "HIGH",
        "threat_name": "Win.Trojan.Generic",
        "threat_category": "virus"
      }
    ]
  },
  "action": "BLOCKED"
}
```

```yaml
# Combine multiple scanners
enabled_scanners:
  - SignatureScanner   # Fast, built-in
  - ClamAV             # Comprehensive signatures
```

```text
# Update ClamAV signatures daily
0 3 * * * /usr/bin/freshclam --quiet
```

```yaml
# Alerting on a high detection rate
alert: MalwareDetectionSpike
expr: rate(themis_malware_threats_detected_total[5m]) > 0.1
for: 5m
labels:
  severity: critical
annotations:
  summary: "Unusually many malware detections"
```

Blocked files can be retained for further analysis:

```yaml
quarantine:
  enabled: true
  path: /var/themis/quarantine
  max_age_days: 30
```

The EICAR test is a standardized, harmless malware test:

```bash
# Create the EICAR test file
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > eicar.txt

# Test the upload (should be blocked)
curl -X POST http://localhost:8765/content/import \
  -H "Content-Type: application/json" \
  -d '{
    "content": {
      "id": "test-eicar",
      "mime_type": "text/plain",
      "filename": "eicar.txt"
    }
  }' \
  --data-binary @eicar.txt
```

Expected response:

```json
{
  "status": "error",
  "message": "Content blocked: EICAR_Test (SignatureScanner)"
}
```

Last updated: December 2025
Document owner: ThemisDB Security Team
Last synced: January 02, 2026 | Commit: 6add659
Full documentation: https://makr-code.github.io/ThemisDB/