We need Anti Virus software on our Atlassian Confluence and Jira server systems. How to do it?

Our concern while running Jira and Confluence today: No antivirus measure…

“There is no provision for antivirus capability within Atlassian Confluence and Jira. Antivirus measures available are managed as a batch process overnight – not real-time as you might expect. Platform may hold documents / files which may contain unwanted code or malware which would be distributed unchecked.”

Could you please advise your recommendation with regard to antivirus so I can get back with our IT – either to budget for it, or with an explanation (for tech people) as to why it’s not required.

Thanks so much.

  • We recommend securing the devices that are vulnerable to viruses. That’s efficient and best practice. So you install antivirus software on a Windows PC. Apple and Linux devices (very, very) rarely have viruses at all. But there is antivirus software for these devices as well. All of these solutions are cheap.
  • It is possible to scan for viruses on the server. But this has a lot of significant downsides:
    • It costs a lot of money as such server licenses for anti virus software tend to be super expensive.
    • The server is not vulnerable itself. We are taking care of this. You are protecting at the wrong place. Even if this protection is super high, you still have to protect the client devices with the same high security measures.
    • As you have to protect the client devices either way, putting an antivirus on the server is a waste of money in my humble opinion.
  • If you want to scan your Confluence for viruses there are two ways:
    • You can scan in the background on the server periodically. The problem with this is that a file that is uploaded and then immediately opened by someone else may not have been covered by a scan yet.
    • You can scan every file right after uploading. Confluence will then break and be unusably slow. Your IT team surely does not do this in their internal system.
  • For the whole antivirus discussion I would like to pass the question back to your IT team. How do they protect the server from viruses today? Do they follow our practice of not using a server-side measure at all? Why should this new instance have one now? If they use one, which is it? Can we use the same licenses and the same measures on our systems? What is their recommendation here?
  • There is a simple solution that we can offer to Bath Spa University if you just want to “check the AV box”. We can install the open source software ClamAV on your server and run that periodically. There is no licensing cost. The initial cost to put that configurably into our infrastructure as a server (AKA on your machine) will be a one-time fee (Please contact us.). We’ll then have to see if there are any performance downsides that will need a bigger server and thus more monthly costs, but we doubt it at this point. The challenge with this solution is that ClamAV does not have the best reputation for catching the meanest viruses the fastest. It could be that the added security from this measure does not justify the spending. But you can decide that internally.

I hope that this helps. It’s an unfortunate discussion with no distinct answer. Our recommendation (as of now) is to do nothing.

I hear from my colleague Benjamin that we have built a solution for SOPHOS, an enterprise-ready antivirus, as well. It’s a script that puts affected files into the Confluence trash to make sure they do not leave dead links after deletion. We call that solution Sophulence. It’s not publicly available; you can get it only through us.
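
The periodic ClamAV scan described above, as an added example (not our Sophulence script and not Atlassian code): it scans only files changed since the previous run, so it can run at a short cron interval to narrow the window in which an upload is unscanned, and it records hits instead of deleting files. The two directory arguments and the `infected.txt` and `stamp` file names are assumptions.

```shell
#!/bin/sh
# Added example: incremental ClamAV scan for a cron job. Paths are assumptions.

# Read clamscan output on stdin, print only the flagged paths.
# clamscan reports a hit as "<path>: <signature> FOUND".
infected_paths() {
    sed -n 's/^\(.*\): .* FOUND$/\1/p'
}

# changed_files DIR STAMP
# List files modified since the previous run (every file on the first run).
changed_files() {
    if [ -f "$2" ]; then
        find "$1" -type f -newer "$2"
    else
        find "$1" -type f
    fi
}

# scan_attachments ATTACH_DIR STATE_DIR
# Returns clamscan's exit code: 0 clean, 1 something found, 2 scanner error.
scan_attachments() {
    local dir="$1" state="$2" list out rc=0
    mkdir -p "$state"
    list=$(mktemp); out=$(mktemp)
    # The stamp is taken before listing, so uploads that arrive during the
    # scan are newer than it and get picked up by the next run.
    touch "$state/stamp.next"
    changed_files "$dir" "$state/stamp" > "$list"
    if [ -s "$list" ]; then
        clamscan --infected --no-summary --file-list="$list" > "$out" || rc=$?
        # Record hits only; nothing is deleted, so no page gets a dead link.
        infected_paths < "$out" >> "$state/infected.txt"
    fi
    rm -f "$list" "$out"
    # On a scanner error keep the old stamp so no file is skipped.
    if [ "$rc" -le 1 ]; then mv "$state/stamp.next" "$state/stamp"; fi
    return "$rc"
}

# Run only when called with both arguments, e.g. from cron.
if [ "$#" -eq 2 ]; then
    scan_attachments "$1" "$2"
fi
```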