Create 2020-07-01-2020-07-01-blob-malware-scanning.md

gitstua · gitstua · commit aba6f203a4e2 · 2020-07-01T20:53:16.000+10:00
diff --git a/_posts/2020-07-01-2020-07-01-blob-malware-scanning.md b/_posts/2020-07-01-2020-07-01-blob-malware-scanning.md
@@ -0,0 +1,30 @@
+---
+layout: post
+published: false
+title: 2020-07-01-blob-malware-scanning
+date: '2020-07-01'
+---
+## Malware scanner for secure upload of Blobs to Azure Storage
+
+### Problem statement
+Users can upload files to Azure blob storage for others to download.
+
+We don't want the files downloaded to contain Malware.
+
+### Solution
+![Diagram of storage, web app, vm]({{site.baseurl}}/img/blob-upload-malware2.png)
+1. User uploads a file to a web app
+1. Web app stores upload in container (named **quarantine**)
+1. Web app adds message to queue to request scan in [Azure Storage Queue](https://docs.microsoft.com/en-us/azure/storage/queues/storage-dotnet-how-to-use-queues?tabs=dotnet)
+1. VM reads message and download file
+1. VM scans for malware
+1. A malware check is completed and either
+  - If malware is found the file is moved to a container (named **malwarefound**) and deletes from quarantine
+  - If file scan is OK then the file is moved to a container (named **scannedok**) and deletes from quarantine
+1. Users of the application request download to web app
+1. web app returns file from **ScannedOK** container
+
+> Note: VM uses Managed Identity and KeyVault Policy to connect to KeyVault and request queue connection string and SAS tokens enabling read/write from containers 
+
+
+Source code link goes here
