The OWASP CRS has a rules file for av scanning - 
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/optional_rules/modsecurity_crs_46_av_scanning.conf

For the @inspectFile operator you pass it a script or program that runs a local AV program.  See example scripts here -
https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/util/av-scanning

--
Ryan Barnett
Lead Security Researcher
Trustwave - SpiderLabs

On Feb 21, 2013, at 3:28 PM, "Rosamond, Rob" <Rob.Rosamond@seattlecolleges.edu> wrote:

I'm working on configuring mod_security on Apache and have it up and running just fine. The next step is to implement a ruleset in conjunction with a scanner which can intercept or quarantine bad files when POSTed. 

We're looking at using rules produced by Atomic (https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#05_asl_scanner.conf is the specific ruleset) and they recommend using ClamAV, which there is an Apache module for (http://software.othello.ch/mod_clamav/) but I can't seem to find one built for Windows, nor have I had any luck building it myself (I've tried using NMAKE.EXE, but there doesn't seem to be a compatible .mak file included with the mod_clamav package... I also do not really know what I'm doing when it comes to building an Apache module!). At the bottom of the mod_clamav page they mention users reporting difficulty performing Windows Updates with this module which might falsely lead you to believe somebody has it working in a Windows Apache environment, but researching further this is actually in reference to using Apache2 on Debian as a proxy for Windows machines (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=277787). 

I'm not married to ClamAV (ClamWin, really)... just looking for a way of integrating malware/virus scanning with mod_security. 

Am I going about this in the wrong direction, has anybody done this before, or am I S.O.L. without using a Unix box for Apache? 

Thanks for any guidance you can provide! BTW, this is for a community college system and therefore non-commercial in nature. 

Current production systems: 
Apache/2.2.23 (Win32) 
mod_ssl/2.2.23 OpenSSL/0.9.8x 
PHP 5.2.17 
MySQL 5.6.10 (offloaded to dedicated db servers) 
Windows Server 2003 Enterprise, SP2 

(We are concurrently working on our next-generation server configs with PHP 5.4.11 and Apache 2.4.3 on win32.)
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/



This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.