Airlock Malware Scanning

[eyalanmegaw]

Hi,

We deployed TRE with 'enable_airlock_malware_scanning: true' . Airlock import requests were not moving from submitted > in review and the import requests were not showing for the airlock manager.

We ran 'make deploy-core' with 'enable_airlock_malware_scanning: false' and the airlock import requests moved to 'in review' and were available to the airlock manager.

The malware scanning is a critical feature for our client and we would appreciate some assistance to establish how to get this enabled.

Many thanks,
Alan

[eyalanmegaw]

we have re-enabled 'enable_airlock_malware_scanning: true' and the airlock import requests are moving to 'in review'

BUT - when I check defender settings for each of the storage accounts in the TRE defender shows as OFF

Is there a way to confirm if malware scanning is actually happening with airlock import / export requests?

[marrobi]

I believe there is a ScanResultEvent in the Airlock Processor Function, also I believe should see under "history" of the airlock request, but not 100% on this.

[eyalanmegaw]

Hi Marcus,

ScanResultEvent showing as scanned during airlock import, but nothing for an export - is this the expected behaviour?

Thanks,
Alan

[marrobi]

Looking at:

https://github.com/marrobi/AzureTRE/blob/80ef191797da234749c23ad05ef3de440c07f92a/airlock_processor/BlobCreatedTrigger/__init__.py#L35-L45

https://github.com/marrobi/AzureTRE/blob/80ef191797da234749c23ad05ef3de440c07f92a/core/terraform/airlock/storage_accounts.tf#L187-L211

It seems to only be enabled for import. I can't see any setting for export storage: https://github.com/marrobi/AzureTRE/blob/80ef191797da234749c23ad05ef3de440c07f92a/templates/workspaces/base/terraform/airlock/storage_accounts.tf

Which doesn't align with the docs. We need to look into this, as believe it should eb enabled both ways.

[eyalanmegaw]

Hi Marcus,

Just wondering if you need anything more from us or if we can assist on this one?

NB: we have re-tested today with a fresh import and a fresh export. In 'ScanResultTrigger' for 'func-airlock-processor-xxxxx' we only observe scan results for imports, none for exports.

Kind regards,
Alan