In this article and the following publications in this series, we will talk about the internal structure of Virusday, the antivirus for websites, the approaches we chose and the technologies we use.

We have already written about the service's capabilities in previous posts. Today we will describe its general architecture. You will learn how Virusday works with users' sites (servers), why we chose this principle for building the service and what advantages it provides, as well as how safe it is.
General Service Architecture
Our task was to create a convenient and effective service for cleaning sites and protecting them from viruses and attacks. We decided to implement the project as SaaS or, more simply, as a web service.
Indeed, today the most convenient tools are provided to people as applications and web services. They are convenient to work with and they save time.
Thus, architecturally, Virusday is a centralized system that interacts with the users' servers (sites) connected to it.

In other words, users work with their sites (manage the functions of the Virusday service: antivirus, firewall, etc.) through the service's web interface.
Remote file management on user servers makes it possible to edit files and some settings. It also makes it possible to offer various specialized services, for example cleaning (editing) files that contain malicious code or installing a protection system (firewall). In this case, there is always two-way communication between the user's server and Virusday.
Now let's consider how Virusday communicates with user servers.
How Virusday interacts with user servers

To connect to the service, just place one *.PHP file (the synchronization file) in the root directory of the site. The file is unique for each user; a fragment of it is shown below (you can get your personal synchronization file by logging in to the Virusday service).
Synchronization File Fragment

<?php
// 1. Request MAC: SVC_MAC must be 32 characters long and equal HMAC-MD5 of
//    SVC_MACDATA under the key SVC_CKEY:SVC_CTR. Tried in order: hash_hmac(),
//    mhash(), then HMAC-MD5 assembled by hand.
(
  ( (strlen(SVC_MAC) == 32) || ($e = ERR_CHMAC) && 0 )
  && (
    (is_callable($_ = 'hash_hmac') && !strcmp($_('md5', SVC_MACDATA, SVC_CKEY.':'.SVC_CTR), SVC_MAC))
    || (is_callable($_ = 'mhash') && defined('MHASH_MD5') && !strcmp(bin2hex($_(MHASH_MD5, SVC_MACDATA, SVC_CKEY.':'.SVC_CTR)), SVC_MAC))
    || (
      ($_ = str_pad((strlen(SVC_CKEY.':'.SVC_CTR) > 64) ? md5(SVC_CKEY.':'.SVC_CTR, TRUE) : SVC_CKEY.':'.SVC_CTR, 64, "\x00", STR_PAD_RIGHT))
      && !strcmp(md5(($_ ^ str_repeat("\x5c", 64)).md5(($_ ^ str_repeat("\x36", 64)).SVC_MACDATA, TRUE)), SVC_MAC)
    )
    || ($e = ERR_CHMAC) && 0
  )
  // 2. Counter: SVC_CTR must be greater than the value stored in SVC_CDIR/.ctr.
  && (
    strlen(SVC_CTR)
    && (($_ = is_file(SVC_CDIR.'/.ctr') ? @file_get_contents(SVC_CDIR.'/.ctr', 0, NULL, -1, strlen(SVC_CTR)).'' : '') || 1)
    && (strlen($_) <= strlen(SVC_CTR))
    && (strcmp(SVC_CTR, str_pad($_, strlen(SVC_CTR), '0', STR_PAD_LEFT)) > 0)
    || ($e = ERR_CHMACCTR) && 0
  )
  && (define('SVC_MACOK', 1) || 1)
)
// 3. Payload: use the cached SVC_CPHP, or fetch it from SVC_QCDN
//    (inflating it when SVC_CGZIP is set) and write it to SVC_CPHP.
&& (
  ( strlen(SVC_CRC) && is_file(SVC_CPHP) && (define('SVC_CACHED', 1) || 1) )
  || (
    ((is_string($rr = @file_get_contents(SVC_QCDN, 0, $svcContext))) || ($e = ERR_C2CDN) && 0)
    && (strlen($rr) || ($e = ERR_CDATA) && 0)
    && ((strlen($rr) != 3) || (!is_numeric($rr)) || ($e = (int)$rr) && 0)
    && ( SVC_CGZIP ? ((is_string($rd = @gzinflate($rr)) && strlen($rd)) ? 1 : (($e = ERR_CDATA) && 0)) : (($rd = &$rr) || 1) )
    && ( (@file_put_contents(SVC_CPHP, $rd) === strlen($rd)) || ($e = ERR_CWRITE) && 0 )
    && (define('SVC_CACHED', 0) || 1)
  )
)
// 4. Include the payload; a three-digit numeric return value is an error code.
&& (
  is_file(SVC_CPHP) && is_readable(SVC_CPHP) && (SVC_CACHED && @touch(SVC_CPHP) || 1)
  && ($_ = (include ('./'.SVC_CPHP)))
  || ($e = ERR_CINCLUDE) && 0
)
&& ( !(is_numeric($_) && (strlen($_.'') == 3)) || ($e = (int)$_) && 0 )
// 5. On ERR_CEUPD or ERR_NCVER: fetch a new synchronization file from SVC_QUPD,
//    check that it starts with the PHP open tag and contains SVC_CVER set to
//    SVC_CLV and the client key, then overwrite SVC_CFILE.
|| (
  ($e && in_array($e, array(ERR_CEUPD, ERR_NCVER)))
  && (is_string($rr = @file_get_contents(SVC_QUPD, 0, $svcContext)))
  && (strlen($rr))
  && (substr($rr, 0, 5) == '<'.'?'.'php')
  && (strpos($rr, "('SVC_CVER',".SVC_CLV.")") !== FALSE)
  && (strpos($rr, SVC_CKEY) !== FALSE)
  && (
    (is_writable($_ = SVC_CFILE) || chmod($_, 0644))
    && (@file_put_contents($_, $rr) === strlen($rr))
    || ($e = ERR_CWRITE) && 0
  )
  && ($e = ERR_CUPDATED) && 0
)

All site operations (scanning, disinfection, installation and management of the firewall, obtaining the data the system needs to operate, etc.) take place through interaction with this file. A person simply connects their sites to the service and then carries out all operations on them from the Virusday control panel.
All operations on the user's sites are performed through the synchronization file via HTTP requests. In response to requests received from the Virusday service, the synchronization file loads programs from our servers (if necessary), performs the appropriate actions and returns the result of their execution.
This approach solves many of the problems associated with constantly updating programs on users' sites. It also makes it possible to build a centralized management system for multiple sites located on different servers. Working with each site (server) separately saves a lot of time and distributes the load.
Advantages of communicating through the synchronization file
Quite a few services in the world exchange data with servers via FTP or SSH. We chose HTTP, and here is why. With this approach, file operations can be performed directly on the user's server. The load of executing programs is distributed across the users' servers, and there is no need to download files from user servers for analysis every time, which saves a huge amount of traffic. In addition, most sites on the network use the HTTP protocol and support PHP, so HTTP + PHP is the most universal way to interact with them.
The chosen approach is not only universal but also convenient and easy for users of the service. A person does not need to understand the technical details of the system or the settings of their own servers. All that is required of the user is to add the site to their list and place the synchronization file in the root of the site on their server.

Uploading a file to the site root is an easy operation that most webmasters and site owners can do. We pay special attention to the ease of use of the service, and connecting a site to Virusday in this way is simple and understandable.
Security questions
Of course, security issues play an important role in any project or system, and in our service we pay special attention to them.
When Virusday interacts with user servers, several levels of protection are used: HTTPS when the user works with the service, a unique synchronization file that is generated for each user individually, and digital signatures.
Each interaction with the synchronization file requires a unique digital signature and an active session, so unauthorized requests to the file are not let through. At the same time, even if a request is intercepted, repeating it will not succeed, since that would require a new digital signature.
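The signature and replay checks described above, written out in readable form as an added example (not the service's own code). It follows the MAC and counter steps of the synchronization file fragment; the function names, parameters and sample values are assumptions, and it compares the MAC with hash_equals() (constant time) where the fragment uses strcmp().

```php
<?php
// Added example. $key, $ctr, $macData and $lastCtr are illustrative parameters;
// how the service derives SVC_CKEY, SVC_CTR and SVC_MACDATA is not shown on the page.

// HMAC-MD5 built by hand, as in the fragment's last fallback branch.
function manual_hmac_md5(string $key, string $data): string
{
    $k = str_pad(strlen($key) > 64 ? md5($key, true) : $key, 64, "\x00");
    $inner = md5(($k ^ str_repeat("\x36", 64)) . $data, true);
    return md5(($k ^ str_repeat("\x5c", 64)) . $inner);
}

// Returns 'ok', 'bad_mac' or 'replayed'.
function verify_request(string $key, string $ctr, string $macData,
                        string $mac, string $lastCtr): string
{
    $macKey = $key . ':' . $ctr;   // the counter is part of the MAC key
    $expected = is_callable('hash_hmac')
        ? hash_hmac('md5', $macData, $macKey)
        : manual_hmac_md5($macKey, $macData);
    if (strlen($mac) !== 32 || !hash_equals($expected, $mac)) {
        return 'bad_mac';
    }
    // The counter must be strictly greater than the stored one. The stored
    // value is left-padded with '0' to the same width and compared as a
    // string, so a captured request carrying an old counter is refused.
    if ($ctr === '' || strlen($lastCtr) > strlen($ctr)
        || strcmp($ctr, str_pad($lastCtr, strlen($ctr), '0', STR_PAD_LEFT)) <= 0) {
        return 'replayed';
    }
    return 'ok';
}

// Constructed sample values, not real service data.
$key  = 'constructed-client-key';
$data = 'action=scan&path=/';
$mac  = hash_hmac('md5', $data, $key . ':0000000042');

// Hand-built HMAC compared with hash_hmac() for the same key and data.
var_dump(manual_hmac_md5($key . ':0000000042', $data) === $mac);
// First delivery: stored counter is lower than the request counter.
echo verify_request($key, '0000000042', $data, $mac, '41'), "\n";
// Same request delivered again after the counter was stored.
echo verify_request($key, '0000000042', $data, $mac, '0000000042'), "\n";
// Counter raised by hand while reusing the old MAC.
echo verify_request($key, '0000000043', $data, $mac, '0000000042'), "\n";
```

Storing the accepted counter after a successful check is left to the caller here, since that step is not part of the fragment shown on the page.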
Now that we have covered the general architecture of the service, we will be able to go into detail on each part of Virusday's design in the following publications of this series.