Our concern while running Jira and Confluence today: No antivirus measure…

“There is no provision for antivirus capability within Atlassian Confluence and Jira. Antivirus measures available are managed as a batch process overnight – not real-time as you might expect. Platform may hold documents / files which may contain unwanted code or malware which would be distributed unchecked.”

Could you please advise your recommendation with regard to antivirus so I can get back with our IT – either to budget for it, or with an explanation (for tech people) as to why it’s not required.

Thanks so much.

• We recommend to secure the devices that are vulnerable to viruses. That’s efficient and best practice. So you install a Anti Virus software on a Windows PC. Apple and Linux devices (very, very) rarely have viruses at all. But there are anti virus software for these devices as well. All of these solutions are cheap.
• It is possible to scan for viruses on the server. But this has a lot of significant downsides:
  • It costs a lot of money as such server licenses for anti virus software tend to be super expensive.
  • The server is not vulnerable itself. We are taking care of this. You are protecting at the wrong place. Even if this protection is super high. You still have to protect the client devices with the same high security measures.
  • As you have to protect the client devices either way. Putting an anti virus on the server is a waste of money in my humble opinion.
• If you want to scan your Confluence for viruses there are two ways:
  • You can scan in the background on the server periodically. This includes the problem that files that are instantly uploaded and then executed by someone else may not be part of the security interval.
  • You can scan every file right after uploading. Confluence will then break and be unusably slow. Your IT team surely does not do this in their internal system.
• For the whole anti virus discussion I would like to pass back the question to your IT team. How do they protect the server from viruses today? Do they follow our practice of not using a server side measurement at all? How come this new instance now shall have that? If they use a way, which way is it? Can we use the same licenses and the same measures on our systems? What is their recommendation here?
• There is a simple solution that we can offer to Bath Spa University if you just want to “check the AV box”. We can install the open source software ClamAV on your server and run that periodically. There are no licensing cost. The initial cost to put that configurably into our infrastructure as a server (AKA on your machine) will be a one-time fee (Please contact us.). We’ll then have to see if there are any performance downsides that will need a bigger server and thus more monthly costs, but we doubt it at this point. The challenge with this solution is, that ClamAV has not the best reputation for getting the meanest viruses the fastest. It could be, that added security by this measure is not justifying the spending. But you can decide that internally.

I hope that this helps. It’s an unfortunate discussion with no distinct answer. Our recommendation (as of now) is to do nothing.

I hear from my colleague Benjamin that we have built a solution for SOPHOS, an enterprise-ready anti virus as well. It’s a script, that put’s affected files into Confluence trash to make sure, they do not leave dead links after deletion. We call that solution Sophulence. It’s not publicly available but only through us.

If all devices run malware protection, it might be good enough. But I see scenarios where a closer look reveals security risks. Scanning all attachments in Confluence and Jira for malware, viruses, worms, and trojans limits the risk:

1. Automated processing of files: Jira/Confluence or an app/automation might process the uploaded file in some by working with the content. There have been issues in XML parsing libraries, PDF libs, etc. that cause serious harm.
2. External suppliers upload/download files: Jira/Confluence is used to collaborate with external suppliers. Think of suppliers using your Jira to track the progress of a project or your Confluence to document their work. Attachments move between your “trusted”/secure and the untrusted world in those scenarios. Your suppliers might or might not have the latest malware protection in place.
3. Distributing malware to end-users: Confluence can distribute documentation to end-users. Your company likely wants to be someone other than the one distributing malware accidentally (there are services scanning websites for malware for that reason).
4. External end-users upload/download attachments: When using Jira Service Management, external end-users create attachment issues. Your support reps might upload files as well. How can you ensure that no malware enters or leaves your organization? Relying on the last defense row (the support rep device) is a risk worth discussing.

In 2015, we started developing an antivirus solution for Amazon S3 that has been growing ever since. We recently ported the solution to Confluence Cloud (with Jira Cloud coming in the next week or so). attachmentAV scans your Jira and Confluence attachments and detects malware in real-time.

I’d appreciate hearing your feedback.

Do you have an app in the Atlassian marketplace?

Sorry for the late reply… yes we do:

• attachmentAV for Jira
• attachmentAV for Confluence