Martin Millmore's Blog

I periodically get a worried e-mail about the iRecruitment anti-virus support, asking why we haven't certified X, Y or Z company for use with iRecruitment. There's clearly a lot of confusion about this topic, so I thought it best to clarify.

The anti-virus software that most of us are familiar with is the software on our PCs. This software typically scans files as they arrive on our PC in various ways such as sent via e-mails, that we download from the internet, and which are loaded from removable media, like CDs or memory sticks, and other more obscure ways too. They also run a periodic scan of your hard drive to check for files that have viruses that it was not able to catch on the way in, either because the virus was not known to them at the time, or they arrived by sneaky means that it was not able to detect.

The basic requirements for anti-virus checking for iRecruitment are similar to the PC requirements. We ideally want to stop any files with viruses from being uploaded, and we want to periodically check our existing files for viruses that were not known at the time of upload. It's worth noting at this point that, as of today, there are no known ways in which a virus in an uploaded file can effect the database or the server. The reason we are checking for viruses is to protect those who download the files again, not to protect the database from internal attack.

If you don't have any virus checking of the files which are being stored on the database, there are two main defenses against getting viruses when downloading the files to your PC. The first one is the most obvious - you have up to date anti-virus software on your PC. That will stop any viruses from being downloaded, provided your anti-virus software is working correctly and is up to date. The second method is simply not to download the files. Sounds flippant? Not really. iRecruitment has an excellent html view of documents, so you can look at a Word or PDF resume as html in the iRecruitment screens without ever downloading the file and exposing yourself to potential viruses.

If you don't want to rely on your PC anti-virus software being good enough then you have a few further options. If that is the case though, you probably want to start thinking about not letting your users browse any web sites outside of your company though, because there are some serious nasties out there for the unprotected. That said though, belt and braces isn't going to hurt here.

The first option is a Gateway product. Most anti-virus companies sell something like this, but the name varies between companies. What it does is it scans all your internet traffic, and - amongst many other things - it will stop a file with a virus from being uploaded to any server. That includes iRecruitment. So a product like this will automatically stop any known virus from being uploaded. There is no configuration for iRecruitment required, because this product monitors all data coming through your firewall, regardless of it's destination. Pretty neat.

The second option is the internal Symantec option. This is the option that some customers mistakenly think is what we are saying is the only option. This is not the only option, but it is the one that we had to do some special work for, as opposed to the previous options which all operate in complete independence of iRecruitment. Because we had to build code and you have to set up profile options to configure it, this is the one that you notice in our documentation.

The Symantec solution works by directly integrating with an anti-virus web service, so that iRecruitment can control the virus checking. The way this works is when a user attempts to upload a file, we stream it to the web service (typically running on one of your own servers), which validates it is virus free, and cleans or blocks it if it is not. We then either stop the upload and warn the user if the file has a virus, or save it to the database if it is clean. This is a nice user experience that integrates well with iRecruitment.

What I have described so far offers no additional security beyond the Gateway products, which all check for the incoming files. If you think about your PC solution though, it scans incoming files, and it also does a periodic check of existing files. The second thing that we therefore do though is we periodically use the web service to scan the existing files stored in the database for any virus definitions that were not known of at the time that they were uploaded. There is always a lag between virus creation time and the virus checking tools being able to detect them, so this is an important step too. If a virus is detected in an existing file, we will clean the file or delete it if that is not possible.

With this solution, the only product we have ever found which can do this is the Symantec Anti-Virus Scan Engine. This uses the open standard ICAP protocol to talk with any third party software that wants to check files. It's simple to use, and it is very effective. Some customers assume that the reason that we only directly integrate with Symantec is because we have an exclusive partnership with them (although they have been helpful, there is no formal iRecruitment partnership with Symantec, and Oracle typically avoids exclusive relationships anyway), or because we don't like other vendors (we like everyone - we are very loving people really), or because we are lazy (it's a hive of activity here. Honest!). None of those are the reason - the reason is that there are simply no other products out there that do this. We have looked long and hard, and not found any at all. If you are an anti-virus provider who does offer a similar product, please let us know, and chastise your partnership departments for not knowing about them when we contacted them. If you don't offer such a product, perhaps you want to think about building one?

And if you are a customer who is angry at us for not "supporting" your preferred vendor - don't get mad at us please. Read this article. After reading it, if you think you still need a product like Symantec's in addition to all of the other virus protection you already have, get mad at your anti-virus vendor for not providing any suitable product.