WebCenter Content Virus Scanning

This document describes how to manage and use virus scanning of files in Oracle WebCenter Content.

Overview

WebCenter Content (on Marketplace) supports virus scanning through a new component called VirusScanIntegration. WebCenter Content uses ClamAV to scan files as they are checked in to the application. When virus scanning is enabled, WebCenter Content scans all files being uploaded, along with any files being downloaded that have not been previously scanned.

Manage Virus Scanning

The VirusScanIntegration component is disabled by default.

Steps to enable:

  1. Log in to the /cs UI as a user with the admin role
  2. Navigate to Administration, Admin Server, Component Manager
  3. Click the advanced component manager link on the page
  4. Check the Show System Components checkbox
  5. In the Disabled Components list, select the VirusScanIntegration component, and click Enable
  6. Ensure the BulkActions and RestImplementation components are enabled, as they are both required by the VirusScanIntegration component.
  7. Restart all UCM Servers

ClamAV

ClamAV is installed out of the box with WebCenter Content (newly provisioned or patched stacks, 25.3.1 and onwards). The ClamAV configuration file is located at /u01/app/clamav/clamd.conf. The ClamAV virus database needs to be initialized and kept up to date by running freshclam on a regular basis. The configuration file for freshclam is located at /u01/app/clamav/freshclam.conf. To change any configuration settings for ClamAV or freshclam, modify them in these conf files.

For documentation on starting the ClamAV service and refreshing the virus database, see ClamAV Antivirus Service for WebCenter Content.

Default Directories

clamd.conf
freshclam.conf

ClamAV source code is provided at the default location /u01/app/oracle/middleware/clamav/clamav-1.0.7.tar.gz

Virus scanning can fail in the following cases:

If virus scanning fails, the file will not be allowed to be uploaded. If the file is already in the application, it will be marked as infected, and not allowed to be downloaded.

Allow upload of files that can’t be scanned:

If you want users to be able to upload files that can’t be scanned for viruses, such as password-protected or encrypted files, or files submitted while the scanning engine is unavailable, set the configuration setting AllowCleanFilesOnly to false using the instructions below. AllowCleanFilesOnly is currently set to true by default. Only the first 4 GB of a file are scanned for viruses, though larger files can still be uploaded.

If you enable upload of unscanned files, users can also report false positives. Users can email an administrator if they believe a file has been falsely marked as infected and request that the administrator add it to the false positive list. If the administrator determines the file is safe for upload/download, they enter the file's checksum value into the false positive configuration value, separating each value with a new line. The virus scan results for these files will be ignored. After entering the checksum value, the administrator should ask the user to upload/download the file again.

WARNING: If you enable this option, it’s at your own risk, and you bear all liability for any resulting damages. If you allow unscanned files to be uploaded, it might create risk to you or other users. While the WebCenter Content interface will mark files that have not been scanned, this visual indicator will not be available in all interfaces, and users might not have any notice that one or more files were not virus scanned. Also, if a file doesn’t pass virus scanning, it can’t be downloaded through a public link.

Asynchronous Scanning

If asynchronous scanning is enabled, files that fit the requirement for asynchronous scanning will be set as scan requested and an asynchronous job will be created for the file to be scanned in the background.

Files qualifying for asynchronous scanning will not be full text indexed or converted until they have been scanned and marked clean.

If the AllowCleanFilesOnly option is set to true and the file is marked as infected, encrypted, or unable to be scanned, the system will send an email to the owner of the file to notify them that the file has been rejected, and the file will be permanently deleted from the system.

If the AllowCleanFilesOnly option is set to false and the file is marked as encrypted or unable to be scanned, the file will be allowed into the system. Files marked as infected will still be permanently deleted from the system and an email will be sent to the owner unless the file has been added to the false positive list.

About Component Configuration

The VirusScanIntegration component provides the following configuration settings.

To set or modify any of the configuration settings:

  1. Log in to the /cs UI as a user with the admin role
  2. Navigate to Administration, Admin Server, General Configuration
  3. Add or modify the appropriate configuration setting(s) in the Additional Configuration Variables section
  4. Restart all UCM Servers

Required Virus Scanning Configuration Settings

| Name | Description | Default |
|---|---|---|
| AntiVirusEnabled | Whether virus scanning is enabled. | true |
| AntiVirusHostName | Host name of virus scanning engine | localhost |
| AntiVirusPort | Port of virus scanning engine | 3310 |

Optional Virus Scanning Configuration Settings

| Name | Description | Default |
|---|---|---|
| AllowCleanFilesOnly | Determines whether clean files are required. Encrypted files may return with a status of encrypted and will not be allowed to be checked in if this option is set to true. | true |
| VirusFalsePositiveListConsulted | Determines whether an infected file should be checked against the False Positive List | false |
| VirusFalsePositiveList | List of False Positive files | |
| IncludeVirusScanAdminMailToWithVirusEmail | Whether to include the Admin email in infected file notification emails. | false |
| VirusScanAdminMailToEmailAddress | Admin email to be included in infected file notification emails | |
| ClamAVStreamMaxLengthHardLimit | Maximum file size for full ClamAV scan | 2 gb |
| AntiVirusScanServerTimeout | Connection timeout in milliseconds | 10000 |
| AntiVirusScanServerSoTimeout | Socket timeout in milliseconds | 10000 |
| AntiVirusAsyncEnabled | Whether asynchronous scanning is enabled | true |
| AntiVirusAsyncMinFileSize | Minimum file size for asynchronous scanning to be used | 1 mb |
| AntiVirusAsyncMinFileSizeOffice | Minimum file size for MS Office files for asynchronous scanning to be used | 10 mb |
| AntiVirusAsyncScanOfficeExtentions | List of Office file extensions used for asynchronous scanning | doc,docx,dot,dotx,docm,dotm,xls,xlsx,xlt,xltx,xlm,xlsm,xltm,ppt,pptx,pot,potx,potm,pdf |
| AnitVirusAsyncScanArchiveExtensions | List of file extensions considered as archive files | zip,7z,bz,gz,xz,cab,exe,jar,tar,tgz |
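
A reachability check for the scanning engine named by the settings above, as an added example (not Oracle's code): it sends clamd's INSTREAM command to AntiVirusHostName:AntiVirusPort with the default 10000 ms timeout and treats every reply other than a clean verdict as a failure. That WebCenter Content itself talks to clamd this way is an assumption; the function names and the sample data are constructed for illustration.

```python
import socket
import struct

# Defaults from the settings tables: AntiVirusHostName, AntiVirusPort, 10000 ms timeout.
HOST, PORT, TIMEOUT_S = "localhost", 3310, 10.0
CHUNK = 64 * 1024  # assumed chunk size; clamd accepts any size up to its StreamMaxLength

def frame_instream(data, chunk=CHUNK):
    """clamd INSTREAM request: command, length-prefixed chunks, zero-length terminator."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        out.append(struct.pack("!I", len(part)) + part)  # 4-byte big-endian length
    out.append(struct.pack("!I", 0))
    return b"".join(out)

def classify(reply):
    """Map a clamd reply to (verdict, detail). Anything unrecognised is an error, never clean."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace").strip()
    if text == "stream: OK":
        return "clean", ""
    if text.endswith(" FOUND"):
        return "infected", text[:-len(" FOUND")].split(": ", 1)[-1]
    return "error", text or "empty reply"

def scan(data, host=HOST, port=PORT, timeout=TIMEOUT_S):
    """Send data to clamd and return its verdict; connection problems fail closed as 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(frame_instream(data))
            reply = b""
            while not reply.endswith(b"\0"):  # z-prefixed commands get NUL-terminated replies
                buf = s.recv(4096)
                if not buf:
                    break
                reply += buf
    except OSError as exc:  # refused, unreachable, or timed out
        return "error", "engine unreachable: %s" % exc
    return classify(reply)

if __name__ == "__main__":
    # Constructed benign sample; a healthy engine answers ('clean', '').
    print(scan(b"constructed benign sample\n"))
```

An "error" verdict from this check corresponds to the scanning-engine-unavailable case, in which uploads are rejected while AllowCleanFilesOnly is true.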

Scan Flag and Status Values

| Scan Flag Value | Scan Status |
|---|---|
| 0 | UNSCANNED |
| 1 | SCANNED |
| 2 | SUCCESSFUL |
| 3 | CLEAN |
| 4 | PARTIAL |
| 8 | REQUESTED |
| 16 | ENCRYPTED |
| 32 | ENCRYPTED_PDF |
| 64 | ENCRYPTED_ARCHIVE |
| 128 | FALSE_POSITIVE |

Virus Scan Customizing

WCC offers a virus scanning feature that allows customers to bypass file scanning during uploads under certain circumstances. When uploading from a trustworthy source, WCC can skip scanning and assign a valid scan flag to the file. WCC allows for the creation of customized Idoc scripts that set the scan flag for items being uploaded. By incorporating the dynamic HTML include ‘pre_upload_file_scan’ into a custom component, the server can determine if scanning is necessary for uploaded files. The property ‘scanFlag’ must be set to a valid scan flag value to override the scan.

The following example illustrates how to check the uploader’s user role; if the user has the specific WCC role, the file is marked as clean and the scanning process is skipped. Because strIndexOf is a substring test, any role whose name contains customrole also satisfies this check, so choose a role name that is not part of any other role name.

<@dynamichtml pre_upload_file_scan@>
<$if (strIndexOf(UserRoles, "customrole")  >= 0 ) $>
    <$scanFlag=3$>
<$endif$>
<@end@>