Malware scanner for secure upload of Blobs to Azure Storage

Problem statement

Users can upload files to Azure blob storage for others to download.

We don’t want the files downloaded to contain Malware.

Solution

Diagram of storage, web app, vm

  1. User uploads a file to a web app
  2. Web app stores upload in container (named quarantine)
  3. Web app adds message to queue to request scan in Azure Storage Queue
  4. VM reads message and download file
  5. VM scans for malware
  6. A malware check is completed and either
    • If malware is found the file is moved to a container (named malwarefound) and deletes from quarantine
    • If file scan is OK then the file is moved to a container (named scannedok) and deletes from quarantine
  7. Users of the application request download to web app
  8. web app returns file from ScannedOK container

Note: VM uses Managed Identity and KeyVault Policy to connect to KeyVault and request queue connection string and SAS tokens enabling read/write from containers

Source code on GitHub