

Keep your server safe with ‘steamed clams’


Steamed clams? Yes, you read that right. With some curly fries on the side, please?

There are hundreds of thousands of articles on security and safety, and a lot of them stress how important it is to never, ever trust users. Not even your CMS users.

To help keep your server secure (and protect your users at the same time), it’s a good idea to scan for viruses on uploaded files. This is when Steamed Clams comes in handy – this module scans for viruses in files you upload, or files already uploaded.


The tricky part isn't the module itself, but making sure ClamAV is installed and that its daemon is reachable by the system user your website runs as. Luckily, the ClamAV documentation and the documentation of the module are fairly easy to follow.

Once that is done, you need to configure Steamed Clams to use the correct clamd socket. It doesn't really matter where the socket lives, as you can set the path in your YML config.

In my case, on CentOS, this turned out to be:

LocalSocket: '/var/run/clamd.scan/clamd.sock'

This is slightly different from the path given in the module's readme, so check where your distribution's clamd package actually puts the socket.


Once set up, the module is a breeze. Your files are scanned on upload and will be blocked when a virus is detected.

Also, files that are uploaded via a has_one or has_many relation are neatly scanned and blocked if they contain a virus.


So much for a nice bit of ham on your sandwich

Furthermore, you can scan files that have already been uploaded via the ClamAV ModelAdmin. If files are in need of scanning, you can see that in the grid view.


From top to bottom: Service unavailable, clean file, virus detected

Files that were infected are indeed not on the server, so they’re also not downloadable by anyone. Neat!
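As an added example (not code from the Steamed Clams module or from this post), the following PHP shows what the module has to do on upload: stream the file to clamd over the Unix socket using the INSTREAM command, then map the daemon's reply onto the three states shown in the grid view above. The socket path is the CentOS one from this post; the chunk size and the choice to treat an unreachable daemon as "unavailable" (and therefore to block the upload rather than accept it unscanned) are my assumptions, not the module's.

```php
<?php
// Added example: a minimal clamd INSTREAM client. Not part of the
// Steamed Clams module; it only illustrates the scan on upload.

declare(strict_types=1);

const CLAMD_SOCKET = '/var/run/clamd.scan/clamd.sock'; // path from the post (CentOS)
const CHUNK_SIZE   = 8192;                              // assumption; stays well under clamd's StreamMaxLength

final class ScanResult
{
    public const UNAVAILABLE = 'unavailable';
    public const CLEAN       = 'clean';
    public const INFECTED    = 'infected';

    public string $status;
    public ?string $signature;

    public function __construct(string $status, ?string $signature = null)
    {
        $this->status    = $status;
        $this->signature = $signature;
    }
}

/**
 * Map a raw clamd reply ("stream: OK" or "stream: <Signature> FOUND")
 * onto one of the three states. Anything else (an ERROR line, an empty
 * reply after a timeout) is reported as UNAVAILABLE so the caller fails closed.
 */
function parseClamdReply(string $reply): ScanResult
{
    $reply = rtrim($reply, "\0\n");
    if (preg_match('/^stream: (.+) FOUND$/', $reply, $m)) {
        return new ScanResult(ScanResult::INFECTED, $m[1]);
    }
    if ($reply === 'stream: OK') {
        return new ScanResult(ScanResult::CLEAN);
    }
    return new ScanResult(ScanResult::UNAVAILABLE);
}

/**
 * Stream $path to clamd: "zINSTREAM\0", then chunks each prefixed with a
 * 4-byte big-endian length, then a zero-length chunk to finish. The "z"
 * prefix asks clamd for a NUL-terminated reply.
 */
function scanFileWithClamd(string $path, string $socketPath = CLAMD_SOCKET): ScanResult
{
    $sock = @stream_socket_client('unix://' . $socketPath, $errno, $errstr, 5);
    if ($sock === false) {
        return new ScanResult(ScanResult::UNAVAILABLE); // daemon not running or socket path wrong
    }
    $file = fopen($path, 'rb');
    if ($file === false) {
        fclose($sock);
        return new ScanResult(ScanResult::UNAVAILABLE);
    }

    fwrite($sock, "zINSTREAM\0");
    while (!feof($file)) {
        $chunk = fread($file, CHUNK_SIZE);
        if ($chunk === false || $chunk === '') {
            break;
        }
        fwrite($sock, pack('N', strlen($chunk)) . $chunk);
    }
    fwrite($sock, pack('N', 0)); // terminating zero-length chunk
    fclose($file);

    $reply = stream_get_contents($sock);
    fclose($sock);

    return parseClamdReply((string) $reply);
}

// Usage: only a CLEAN result lets the upload be stored; INFECTED and
// UNAVAILABLE both reject it, which matches the module's behaviour of not
// leaving suspect files on the server.
$result = scanFileWithClamd($argv[1] ?? '/tmp/upload.bin');
echo $result->status, $result->signature !== null ? " ({$result->signature})" : '', PHP_EOL;
exit($result->status === ScanResult::CLEAN ? 0 : 1);
```

The point of keeping "unavailable" as a separate state is that it is the case you are most likely to hit in practice (wrong socket path, clamd not started after a reboot, SELinux blocking the socket), and it should be visible in the grid rather than silently counted as clean.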

When you install this module on an existing website, scanning all of the existing files at once is, of course, a problem. This might take down your server due to the load or, at the very least, slow it down.

To counter that problem, the module comes with a scheduled task (requiring the QueuedJobs module) that lets you run the scan at a quieter time for your site, e.g. at 3AM.

You can, of course, also run this task manually:

Test the results

To see what happens when you upload a virus, or when the scanning service is temporarily unavailable, the module comes with a mock scanner class that lets you force a particular outcome.

Versioned files and files uploaded to a CDN all work out of the box. All in all, I am pretty impressed by both the scanning speed of this module and the added security it gives to your assets. I gave it a run for its money by having it scan over 1000 files ranging from 50KB to 20MB, some of which contained the EICAR test file so they were marked as malicious. Scanning all of those took about 3 minutes in total.


I’m sorry, but none of the files above the fold were “infected”.


This is what a failure looks like on the task.

It is already namespaced and seems to work with SilverStripe 4 after a bit of adjusting, so that’s awesome.

If you need a little more security on the files uploaded to your website, especially if they are user content, give this module a spin. It'll help you keep your servers safe.

About the author
Simon Erkelens

Simon is a developer at SilverStripe. When not at work, he's writing other programs or focuses on one of the modules he wrote or co-wrote. Or writing new things.

As a real backend developer, he's usually staring at a dark screen with code only. Although every now and then, he can be convinced to work on some frontend things or testing.

In real life, he looks nothing like the cow in his avatar, but he does love cows (both alive and medium rare).
