blob-malware-scanning
Malware scanner for secure upload of Blobs to Azure Storage
Problem statement
Users can upload files to Azure blob storage for others to download.
We don't want the files downloaded to contain Malware.
Solution
- User uploads a file to a web app
- Web app stores upload in container (named quarantine)
- Web app adds message to queue to request scan in Azure Storage Queue
- VM reads message and download file
- VM scans for malware
- A malware check is completed and either
- If malware is found the file is moved to a container (named malwarefound) and deletes from quarantine
- If file scan is OK then the file is moved to a container (named scannedok) and deletes from quarantine
- Users of the application request download to web app
- web app returns file from ScannedOK container
Note: VM uses Managed Identity and KeyVault Policy to connect to KeyVault and request queue connection string and SAS tokens enabling read/write from containers
Source code on GitHub