Virus scanning of uploaded files

I’m currently looking into integrating Discourse with our existing web systems to provide a discussion forum for our site’s users. One of the requirements of our platform is that all uploaded files are checked for viruses prior to being made available for anyone to download.

Looking through the documentation, I can’t see any way to configure Discourse to use a virus scanner on uploaded files. Am I missing something?


Discourse doesn’t have such a feature. You’d have to build a plugin to scan uploaded files for viruses.


Has anyone built such a plugin?

1 Like

Not that I am aware of.

1 Like

I am also interested in this question.

Locally - this is clamav, calling ruby gem.


Found a suitable plugin?

As far as I know there is no virus scanning plugin for Discourse.


Any updates on this topic since last year?

This would be an additional monthly fee on enterprise hosting. Did you wish to add this feature? If so, contact our support channels to inquire.


I’m having the same issue in my organization but we are not authorized to do enterprise hosting. I am told the site will be shut down if we do not find a solution.
Where are the files uploaded in Discourse and could an install on AWS leverage antiviruses to scan these locations in real time?

If upload scanning is a requirement and Enterprise hosting is not an option, you could consider other hosting options, or disabling uploads of dangerous file types.

Do you need to run virus scans of JPGs and PNGs?

It’s possible to do that, though you’d not have control over that if you use CDCK hosting.

If the uploads were in an S3 bucket you controlled, could you use AWS antivirus to satisfy your security requirements?

1 Like

The last question you ask is essentially also what I meant to ask.
So is the /uploads folder where the upload file tree is located in the [persistent?] docker image or is it volume mounted? I forgot how things work with Docker and am unclear on what Discourse does to store the upload files.
My sys admin is considering installing ClamAV, but we are unclear if we would need to install that just in our EC2 instance, or if it needs to be installed in the docker image itself (by editing the image to add ClamAV and rebuilding???).

By default it’s in a volume that maps to /var/discourse/shared/standalone in the host. You can also ship uploads to object storage services with the configuration explained at Using Object Storage for Uploads (S3 & Clones).


So would that be enough to install ClamAV in the instance’s OS and have it scan things at /var/discourse/shared/ ? No need to install it deeper, i.e. in the docker image itself?

The exact folder in a default install is /var/discourse/shared/standalone/uploads/default/. That is mounted as a volume in the container and where all uploads are saved.

If that checks the compliance box you need, go for it.


@Falco sorry I’m confused, do you confirm ClamAV does not need to be installed within the Docker image but just the EC2 OS? (I haven’t used docker in a while…)

It should work just fine in the host.

1 Like
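
The host-side approach discussed above (ClamAV on the host, scanning the uploads volume), as an added example that is not from any post in this thread and is not Discourse's own code. The quarantine directory, the state file and the `--run` switch are assumptions; a scan like this runs after Discourse has already stored the file, so it does not hold an upload back before it can be downloaded.

```shell
#!/bin/sh
# Added example: incremental ClamAV scan of the Discourse uploads volume,
# run on the host. UPLOADS is the default-install path quoted in the thread;
# QUARANTINE and STAMP are assumed locations, adjust them for your system.
UPLOADS="${UPLOADS:-/var/discourse/shared/standalone/uploads/default}"
QUARANTINE="${QUARANTINE:-/var/quarantine/discourse}"
STAMP="${STAMP:-/var/lib/discourse-scan/last-run}"
# clamscan exit codes: 0 = clean, 1 = virus found, 2 = error.
# clamscan reloads its signatures on every call; clamdscan, with a running
# clamd that can read the volume, is the faster replacement.
SCANNER="${SCANNER:-clamscan --no-summary}"

scan_uploads() {
    SCANNED=0 INFECTED=0 ERRORS=0
    # A missing uploads directory must be an error, not a "clean" result.
    [ -d "$UPLOADS" ] && mkdir -p "$QUARANTINE" "$(dirname "$STAMP")" || return 2
    list=$(mktemp) || return 2
    # Take the next timestamp before listing, so a file uploaded while this
    # run is in progress is picked up by the following run.
    touch "$STAMP.next"
    if [ -f "$STAMP" ]; then
        find "$UPLOADS" -type f -newer "$STAMP" > "$list"
    else
        find "$UPLOADS" -type f > "$list"      # first run: scan everything
    fi
    while IFS= read -r f; do
        SCANNED=$((SCANNED + 1))
        $SCANNER "$f" >/dev/null 2>&1 </dev/null && st=0 || st=$?
        case $st in
            0) ;;
            1) # Prefix with the scan time so same-named files are not clobbered.
               if mv "$f" "$QUARANTINE/$(date +%s)-$(basename "$f")"; then
                   INFECTED=$((INFECTED + 1))
               else
                   ERRORS=$((ERRORS + 1))
               fi ;;
            *) ERRORS=$((ERRORS + 1)) ;;
        esac
    done < "$list"
    rm -f "$list"
    # Advance the timestamp only after an error-free run, so files the
    # scanner could not read are retried instead of silently skipped.
    if [ "$ERRORS" -eq 0 ]; then mv "$STAMP.next" "$STAMP"; else rm -f "$STAMP.next"; fi
    [ "$ERRORS" -eq 0 ] || return 2
    [ "$INFECTED" -eq 0 ] || return 1
    return 0
}

if [ "${1:-}" = "--run" ]; then scan_uploads; fi
```

The function returns 0 when nothing was found, 1 when at least one file was quarantined and 2 on any scanner or filesystem error, so a cron wrapper can alert on a non-zero exit.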

Got it, thanks @Falco, I’m told this will bring more peace of mind into our security review…


We have an official antivirus plugin, only available to our enterprise customers under our hosting. Configuration and deployment are quite complex; we do not intend to support it on meta publicly.

As a hosted enterprise customer though we do offer this service.

1 Like