How can an antivirus affect Artifactory?

Joey Naor
2021-02-08 16:09

Intro:
Antivirus (AV) software is widely used to prevent, detect, and remove malware from working environments. Some organizations have a strict policy that requires AV software to be installed on servers as well as on personal computers.

Although AV software has many advantages, this article covers how it can negatively affect Artifactory, and what to look out for when deploying this type of solution in an Artifactory environment.

Scanning the filestore:
The issue with AV scans on an Artifactory filestore is that when the AV detects a binary it considers dangerous and deletes (or quarantines) it, Artifactory is not informed. The Artifactory database still holds the entry for that binary, so the artifact keeps appearing in the repository tree and in search results, but any attempt to download it fails because the file is absent from the filestore. Note that the filestore is checksum-based and deduplicated: a binary is stored once, under its SHA-1, and may be referenced by several artifact paths in several repositories. Removing a single filestore entry therefore breaks every artifact that shares that checksum, not just the one the AV report names.

Scanning the filestore with an AV is not recommended. If it is absolutely required, the above issue can be addressed with two automation approaches:

1. Automate a Delete REST API call to Artifactory after a dangerous binary is deleted. A script parses the AV reports, maps each removed filestore entry (whose file name is the binary's SHA-1) to the artifact paths that reference that checksum, and issues a matching DELETE call for each of them. Once the calls succeed, Artifactory removes the DB entries for the deleted binary.
 
2. Run our “Filestore Integrity” user plugin on a regular schedule to reveal discrepancies between the Artifactory database and the filestore. When a discrepancy is found, parse the plugin's output and delete the relevant artifacts using the same REST API call.
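The automation that both approaches rely on, written out as an added example (this is not JFrog's code and not the Filestore Integrity plugin; the AV report format, the hostname and the repository paths are constructed, while the Artifactory calls are the checksum search, GET /api/search/checksum?sha1=..., and the standard DELETE on an artifact path): it turns each filestore entry the AV removed into its SHA-1, asks Artifactory which artifact paths reference that checksum, and deletes all of them, which matters because the deduplicated filestore means one removed binary can back several artifacts. The demo runs offline against a stand-in for the REST API; supply a real base URL, token and opener to run it against an instance.

```python
"""Reconcile Artifactory's DB with a filestore an antivirus has modified.

Added example, not JFrog code. Flow:
  1. parse the AV report for filestore entries it quarantined/deleted,
  2. the file name of such an entry is the binary's SHA-1,
  3. ask Artifactory which artifact paths reference that SHA-1,
  4. DELETE every one of them so no dangling DB entry survives.
"""
import io
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, List

# Default filestore layout: .../filestore/<first two hex chars>/<sha1>
FILESTORE_ENTRY = re.compile(r"/filestore/([0-9a-f]{2})/([0-9a-f]{40})$")

# Constructed AV report, "<path>\t<action>" per line (real reports differ).
SAMPLE_AV_REPORT = (
    "/opt/jfrog/artifactory/var/data/artifactory/filestore/da/"
    "da7e4c0b5a1f9e8d2c3b4a5968778695a4b3c2d1\tquarantined\n"
    "/opt/jfrog/artifactory/var/data/artifactory/filestore/3b/"
    "3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e\tdeleted\n"
    "/opt/jfrog/artifactory/app/bin/artifactory.sh\tclean\n"
)


def removed_sha1s(report: str) -> List[str]:
    """SHA-1s of filestore entries the AV removed; any other line is ignored."""
    sha1s = []
    for line in report.splitlines():
        path, _, action = line.rpartition("\t")
        if action.strip() not in ("quarantined", "deleted"):
            continue
        m = FILESTORE_ENTRY.search(path.strip())
        # Sanity check: the directory name must be the SHA-1's first two chars.
        if m and m.group(2).startswith(m.group(1)):
            sha1s.append(m.group(2))
    return sha1s


def storage_uri_to_repo_path(uri: str) -> str:
    """'https://host/artifactory/api/storage/repo/a/b.jar' -> 'repo/a/b.jar'."""
    marker = "/api/storage/"
    idx = uri.find(marker)
    if idx < 0:
        raise ValueError(f"not a storage URI: {uri}")
    return uri[idx + len(marker):]


class ArtifactoryClient:
    """Minimal REST client; `opener` is injectable so the demo runs offline."""

    def __init__(self, base_url: str, token: str, opener=urllib.request.urlopen):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Authorization": f"Bearer {token}"}
        self._open = opener

    def _call(self, method: str, path: str, query=None):
        url = self.base_url + path
        if query:
            url += "?" + urllib.parse.urlencode(query)
        req = urllib.request.Request(url, method=method, headers=self.headers)
        try:
            with self._open(req) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as e:
            return e.code, b""

    def artifacts_for_sha1(self, sha1: str) -> List[str]:
        """Every repo path whose content is this binary (dedup: possibly many)."""
        status, body = self._call("GET", "/api/search/checksum", {"sha1": sha1})
        if status != 200:
            raise RuntimeError(f"checksum search failed: HTTP {status}")
        return [storage_uri_to_repo_path(r["uri"]) for r in json.loads(body)["results"]]

    def delete_artifact(self, repo_path: str) -> bool:
        status, _ = self._call("DELETE", "/" + repo_path)
        return status in (204, 404)  # 404: the DB entry is already gone


def reconcile(report: str, client: ArtifactoryClient) -> Dict[str, List[str]]:
    """Delete every artifact referencing a removed binary; return what was deleted."""
    return {sha1: [p for p in client.artifacts_for_sha1(sha1) if client.delete_artifact(p)]
            for sha1 in removed_sha1s(report)}


class _FakeResponse(io.BytesIO):
    def __init__(self, status: int, body: bytes = b""):
        super().__init__(body)
        self.status = status


# Constructed stand-in for Artifactory: the first SHA-1 is referenced by two
# artifact paths (checksum-based deduplication), the second by one.
_FAKE_INDEX = {
    "da7e4c0b5a1f9e8d2c3b4a5968778695a4b3c2d1": [
        "libs-release-local/com/acme/app/1.0/app-1.0.jar",
        "generic-local/uploads/app.jar",
    ],
    "3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e": ["npm-local/evil/-/evil-1.0.0.tgz"],
}


def _fake_opener(req: urllib.request.Request) -> _FakeResponse:
    parsed = urllib.parse.urlparse(req.full_url)
    if req.get_method() == "GET" and parsed.path.endswith("/api/search/checksum"):
        sha1 = urllib.parse.parse_qs(parsed.query)["sha1"][0]
        results = [{"uri": f"https://rt.example.com/artifactory/api/storage/{p}"}
                   for p in _FAKE_INDEX.get(sha1, [])]
        return _FakeResponse(200, json.dumps({"results": results}).encode())
    if req.get_method() == "DELETE":
        return _FakeResponse(204)
    return _FakeResponse(404)


def demo() -> Dict[str, List[str]]:
    client = ArtifactoryClient("https://rt.example.com/artifactory",
                               os.environ.get("ARTIFACTORY_TOKEN", "dummy"),
                               opener=_fake_opener)
    return reconcile(SAMPLE_AV_REPORT, client)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Before letting this run unattended, scope the token to the repositories the AV is allowed to touch and log what artifacts_for_sha1 returns for a while without deleting: an AV false positive otherwise turns into an automated deletion across every repository that shares the checksum. The same reconcile step can consume the discrepancy list the Filestore Integrity plugin produces, once that list is reduced to SHA-1s.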

Network-level restrictions:
Some AV products also filter incoming and outgoing HTTP requests at the network level. A false-positive trigger can then cause the AV to block legitimate requests between build agents and Artifactory, which disrupts builds and can have a major negative impact on Artifactory.

To avoid this scenario, consider whitelisting the relevant Artifactory and CI server endpoints in the AV so that day-to-day work is not disrupted.

Artifactory binaries:
There is a small chance that a rigorous AV will flag Artifactory itself or one of its components as dangerous (artifactory.sh or artifactoryctl, for example). Severe damage can be caused if any of these files are deleted or quarantined, or if the Artifactory process is killed.

The best approach is to whitelist the Artifactory root directory so that nothing under it is scanned or deleted. Since the filestore lives under this directory in a default installation, the same exclusion also keeps the AV away from the filestore, as recommended above.

Final Words:
To conclude, when introducing software that could affect Artifactory in the ways described above, make sure that its access to important endpoints is restricted and that it does not take extreme actions (deleting files, killing processes, blocking traffic) when it detects what it considers dangerous behavior. It is also advised to consult the AV vendor on how to tune their software to work alongside Artifactory.