Our concern while running Jira and Confluence today: No antivirus measure…
“There is no provision for antivirus capability within Atlassian Confluence and Jira. Antivirus measures available are managed as a batch process overnight – not real-time as you might expect. Platform may hold documents / files which may contain unwanted code or malware which would be distributed unchecked.”
Could you please advise your recommendation with regard to antivirus so I can get back with our IT – either to budget for it, or with an explanation (for tech people) as to why it’s not required.
Thanks so much.
I hear from my colleague Benjamin that we have built a solution for SOPHOS, an enterprise-ready anti virus as well. It’s a script, that put’s affected files into Confluence trash to make sure, they do not leave dead links after deletion. We call that solution Sophulence. It’s not publicly available but only through us.
If all devices run malware protection, it might be good enough. But I see scenarios where a closer look reveals security risks. Scanning all attachments in Confluence and Jira for malware, viruses, worms, and trojans limits the risk:
Automated processing of files: Jira/Confluence or an app/automation might process the uploaded file in some by working with the content. There have been issues in XML parsing libraries, PDF libs, etc. that cause serious harm.
External suppliers upload/download files: Jira/Confluence is used to collaborate with external suppliers. Think of suppliers using your Jira to track the progress of a project or your Confluence to document their work. Attachments move between your “trusted”/secure and the untrusted world in those scenarios. Your suppliers might or might not have the latest malware protection in place.
Distributing malware to end-users: Confluence can distribute documentation to end-users. Your company likely wants to be someone other than the one distributing malware accidentally (there are services scanning websites for malware for that reason).
External end-users upload/download attachments: When using Jira Service Management, external end-users create attachment issues. Your support reps might upload files as well. How can you ensure that no malware enters or leaves your organization? Relying on the last defense row (the support rep device) is a risk worth discussing.
In 2015, we started developing an antivirus solution for Amazon S3 that has been growing ever since. We recently ported the solution to Confluence Cloud (with Jira Cloud coming in the next week or so). attachmentAV scans your Jira and Confluence attachments and detects malware in real-time.
I’d appreciate hearing your feedback.
Do you have an app in the Atlassian marketplace?
Sorry for the late reply… yes we do: