Overview
This Action uses the OPSWAT Metadefender API to scan decrypted SendSafely package contents for malicious content. Packages containing malicious content can then be blocked or otherwise handled accordingly, and the appropriate stakeholders notified.
To request the template for this Action example, please reach out to your SendSafely account rep.
Please note that this Action requires access to the contents of SendSafely packages, and thus must be configured with a Portal Master Key.
Setup Instructions
1. Deploy the Lambda
To deploy the Lambda, you'll need the following permissions in AWS:
- Create a new Lambda Function
- Create a new AWS Secret (AWS Secrets Manager)
- Define a custom IAM Role for the Lambda function
Follow these steps:
- In AWS, navigate to CloudFormation and click Create stack, then select "With new resources (standard)" from the dropdown.
- Under Template source, select "Upload a template file," then click Choose file and select the YAML file provided by your SendSafely account rep.
- Click Next. Name the stack, e.g., "OPSWATMetadefenderAVAction," then click Next.
- Click the three checkboxes at the bottom of the page, then click Next.
- Click Submit.
- Wait for the Stack's status to change from "CREATE_IN_PROGRESS" to "CREATE_COMPLETE."
2. Update Secrets Manager
You will need to update two Secrets generated by this deployment:
- AV_OpSwat_Private_Key
- AV_OpSwat_Config
AV_OpSwat_Private_Key
Click on this Secret in Secrets Manager, click Retrieve secret value, and click Edit. Here, paste the full text of the private key, including the opening and closing tags:
-----BEGIN PGP PRIVATE KEY BLOCK-----
-----END PGP PRIVATE KEY BLOCK-----
Click Save.
AV_OpSwat_Config
Click on this Secret in Secrets Manager, click Retrieve secret value, and click Edit. Provide the following secret values:
- opswat.saas.apiKey, from OPSWAT
- opswat.saas.apiHost, from OPSWAT
- sendsafely.api.key
- sendsafely.api.secret
- sendsafely.public.key.id, from your Master Key (the SendSafely Support team will provide this ID when you submit the public key to them)
Click Save.
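A pre-flight check for the two Secret values, run locally on the text you are about to paste. This is an added example, not part of the SendSafely template or the Lambda's own code. It assumes AV_OpSwat_Config is stored as a JSON object of key/value pairs, that the third key is sendsafely.api.key, and that the private key uses the standard five-dash OpenPGP armor lines; the sample values are constructed placeholders.

```python
import json

# Key names as listed in the setup steps (assumes the third is sendsafely.api.key).
REQUIRED_CONFIG_KEYS = (
    "opswat.saas.apiKey", "opswat.saas.apiHost",
    "sendsafely.api.key", "sendsafely.api.secret",
    "sendsafely.public.key.id",
)
# Standard OpenPGP armor lines: five dashes on each side.
ARMOR_BEGIN = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
ARMOR_END = "-----END PGP PRIVATE KEY BLOCK-----"


def check_config(secret_string):
    """Return a list of problems in the AV_OpSwat_Config value (assumed JSON)."""
    try:
        config = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(config, dict):
        return ["expected a JSON object of key/value pairs"]
    problems = []
    for key in REQUIRED_CONFIG_KEYS:
        value = config.get(key)
        if key not in config:
            problems.append(f"missing key: {key}")
        elif not isinstance(value, str) or not value.strip():
            problems.append(f"empty value: {key}")
        elif value != value.strip():
            problems.append(f"surrounding whitespace: {key}")
    # Keys the setup steps do not list are usually typos of a required key.
    for key in sorted(set(config) - set(REQUIRED_CONFIG_KEYS)):
        problems.append(f"key not in setup steps: {key}")
    return problems


def check_private_key(secret_string):
    """Return a list of problems in the AV_OpSwat_Private_Key value."""
    lines = [ln.strip() for ln in secret_string.strip().splitlines()]
    problems = []
    if not lines or lines[0] != ARMOR_BEGIN:
        problems.append("first line is not the BEGIN armor line")
    if not lines or lines[-1] != ARMOR_END:
        problems.append("last line is not the END armor line")
    if len(lines) < 3:
        problems.append("no key material between the armor lines")
    return problems

# Constructed sample values (placeholders, not real credentials).
SAMPLE_CONFIG = json.dumps({k: "PLACEHOLDER" for k in REQUIRED_CONFIG_KEYS})
SAMPLE_KEY = f"{ARMOR_BEGIN}\n\nPLACEHOLDER\n{ARMOR_END}\n"
```

An empty list from both functions means the values are well-formed; it does not confirm that the credentials themselves are valid.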
3. Create a new Workflow
As an admin logged into your SendSafely portal, click the circle containing your initials in the top-right corner of the screen and select SendSafely Actions. Here, click New Workflow.
4. Choose the trigger event
At the time of this writing, the Actions framework supports two trigger events: "A file is uploaded to a Workspace" or "A package is finalized." If you wish to perform this Action on both events, you'll need to go through this process twice, setting up two Workflows: one for each event.
5. Decide whether this Workflow will apply to a specific user's packages
This Workflow, by default, will apply to all packages portal-wide. To limit its scope to packages owned by a specific user:
- Click the plus button and select Add an Event Filter.
- From the Criteria dropdown, select Package Owner Email.
- From the Operator dropdown, select equals.
- In the Value input, type the email of the user in question and click Save.
6. Add the Actions
Three Actions comprise this Workflow. We will add them one at a time.
Action 1.
First, we'll block the package or file, preventing your recipients from accessing its contents.
- Click the plus button and select Add an Action.
- From the Action dropdown, select Block Package (or, if the trigger event is "A file is uploaded to a Workspace," Block File).
- From the Notification dropdown, select Notify on Error or Timeout.
Action 2.
Next, we'll invoke the webhook of the Lambda, which will use the Master Key to decrypt the package or file's contents, pass them to the OPSWAT Metadefender API for analysis, and return a verdict.
- Click the plus button and select Add another Action.
- From the Action dropdown, select Invoke an External Webhook.
- From the Notification dropdown, select Notify on False, or Timeout.
Retrieve the AVScanningWebhookUrl from the Outputs tab of the relevant Stack in CloudFormation, then paste it into the input in SendSafely and click Save.
Note: If at any point you need to access the action secret for this Action, click the text that says "Click here to view the action secret," then click Copy.
Action 3.
Last, we'll unblock the package or file, rendering its contents available to its recipients.
- Click the plus button and select Add another Action.
- From the Action dropdown, select Unblock Package (or, if the trigger event is "A file is uploaded to a Workspace," Unblock File).
- From the Notification dropdown, select Notify on Error or Timeout.
Add Action Filter.
We'll now add an Action Filter to this 3rd Action, so that it only runs if the 2nd Action succeeds. Packages or files deemed clean by the OPSWAT Metadefender API will be unblocked, whereas packages or files deemed dirty will remain blocked.
- Click Add Action Filter.
- From the Criteria dropdown, select Action Step 2 Result.
- From the Operator dropdown, select Equals.
- From the Value dropdown, select True.
Action 4 (Optional).
If the OPSWAT Metadefender API determines that a package contains malware, you may wish to delete that package automatically.
- Click the plus button and select Add another Action.
- From the Action dropdown, select Delete Package (or, if the trigger event is "A file is uploaded to a Workspace," Delete File).
- From the Notification dropdown, select Notify on Error or Timeout.
Add Action Filter.
We'll now add an Action Filter to this 4th Action, so that it only runs if the 2nd Action fails. Packages or files deemed dirty by the OPSWAT Metadefender API will be deleted.
- Click Add Action Filter.
- From the Criteria dropdown, select Action Step 2 Result.
- From the Operator dropdown, select Equals.
- From the Value dropdown, select False.
7. Activate the Workflow
At the top of the page, click the toggle next to the text "Disabled" to enable the Action. The text will change from "Disabled" to "Live."
8. Test the Workflow
Now that we've activated the Workflow, let's trigger it. If the triggering event is "A package is finalized," we'll make a Dropzone submission or create a Transfer package. If the triggering event is "A file is uploaded to a Workspace," we'll upload a file to a Workspace.
If the OPSWAT Metadefender API determines that the package or file that triggered the Action is dirty, it will remain blocked. If the OPSWAT Metadefender API determines that the package or file that triggered the Action is clean, it will be unblocked and rendered accessible to its intended recipients.