FrankenClam for Windows (ClamWin/ClamAV and Yara)

FrankenClam for Windows (ClamWin/ClamAV and Yara)

This guide is for piecing together an opensource solution to trigger AV + macro detection upon files upload within web applications.

Installed Software:
http://www.clamwin.com/content/view/249/1/
https://www.python.org/downloads/release/python-371/
https://github.com/VirusTotal/yara/archive/v3.8.1.zip
https://github.com/zuphzuph/FrankenClam

I've included Python and Yara because ClamWin/AV doesn't do macro detection by default and the last thing you want is something nasty being passed around within your application. With these two pieces added, you're able to flag macros within uploaded files and quarantine. ClamWin keeps the .dat file up to date and you can set when you'd like to pull signatures.

With these all installed, we need to ensure clamd.exe is constantly running. In order for this to occur it's recommended you install it as a Windows service:

Open CMD
cd to C:\Program Files (x86)\ClamWin\bin
Run clamd.exe --install
Open Services.msc and set "ClamWin Free Antivirus Scanner Service" to Automatic (Delayed Start)

You'll need to point your web app at: C:\Program Files (x86)\ClamWin\bin\clamdscan.exe

Regex Used:

(?<=Infected\sfiles:\s[0])
"{0}"