Content Management and Capture

  • 1.  FileNet Content Upload Antivirus Integration

    Posted Fri October 17, 2025 03:48 AM

    We've received a requirement to integrate IBM FileNet with an antivirus solution to automatically scan documents during the upload process.

    I came across the official IBM sample on GitHub:
    ClamAV Content Validator for FileNet

    This example demonstrates how to integrate ClamAV through a custom Content Validator plug-in.

    However, I'd like to know if anyone in the community has implemented a similar integration using other antivirus solutions - for example, commercial engines (McAfee, Symantec, Trend Micro, Sophos) or via ICAP-based gateways such as OPSWAT MetaDefender or c-ICAP.

    I would really appreciate it if you could share your experience, best practices, or lessons learned, especially around:

    • Integration approach (direct plug-in vs ICAP gateway vs middleware)

    • Handling large files and upload latency

    • Quarantine and audit trail mechanisms

    • Performance considerations and scalability

    Thanks in advance for sharing your insights or reference architectures!



    ------------------------------
    Ahmed Alsareti
    ------------------------------


  • 2.  RE: FileNet Content Upload Antivirus Integration

    Posted Mon October 20, 2025 01:26 PM

    I saw that sample as mostly a proof-of-concept, not a real-world use case. When we looked at this years ago, before ICAP, other than ClamAV, most AV did not have the required API (ClamAV and Microsoft Defender are the ones I know about). If you are checking at an internet portal or using GoAnywhere or some other ICAP-capable managed file transfer lockbox, the check should happen before sending the stream to FileNet, making this topic outside FileNet's scope. The only time I have seen docs quarantined on a LAN was when QA teams were uploading EICAR files and the AV on the host caught them (and IT was alerted) before the CE. I would not exclude any directories on the CE from normal enterprise AV just to scan them during the CE events. If you let detection occur later, at the storage device, you will not be able to fetch the doc or delete the corresponding row from docversion (I have an enhancement request in to force delete when the content is missing). I have found storage consistency checks later only work when you have a fiber storage network - otherwise they time out (YMMV). In my own configuration, I use a small dedicated file store for new docs and move them later with a sweep that filters out zero-sized documents - I would expect any respectable front-end solution to do the same.



    ------------------------------
    Stephen Weckesser
    ------------------------------



  • 3.  RE: FileNet Content Upload Antivirus Integration

    Posted Tue October 21, 2025 03:29 AM

    Thank you, Stephen Weckesser, for sharing this insightful perspective.
    You're absolutely right - most traditional AV tools weren't built for API integration, which is why modern setups often leverage Palo Alto WildFire, Fortinet FortiSandbox, or Check Point ThreatCloud.
    These solutions offer REST/ICAP APIs for file analysis at the perimeter or upload gateway - keeping the repository clean without altering its core flow. A smart approach to handle scanning upstream while maintaining system integrity.



    ------------------------------
    Ahmed Alsareti
    ------------------------------



  • 4.  RE: FileNet Content Upload Antivirus Integration

    Posted Tue October 21, 2025 06:45 AM

    The content validation framework that the sample code you found relies on is incredibly new, so you're not going to find many examples of it in use in the wild yet. However, that extension point was added specifically for this use case because the change preprocessor action handler was not able to look into the uploaded content--it can only access properties. Content validation is definitely the right approach.

    Content validation - IBM Documentation https://share.google/4mUjCFfcHCkN93kUb



    ------------------------------
    Eric Walk
    Principal

    Perficient.com
    ------------------------------
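
An added example, not part of the thread and not IBM's sample code: a Python client for clamd's INSTREAM command, the streaming scan interface a ClamAV-backed validator would talk to, sending the upload in fixed-size chunks so a large file is never buffered whole. The function names, the chunk size and the fail-closed policy in `allow_upload` are assumptions of this example; the caller supplies an already-connected socket to clamd.

```python
import socket
import struct

CHUNK = 64 * 1024  # assumed frame size; keeps memory flat for large uploads

def parse_reply(raw):
    """Map a clamd reply to (verdict, detail); anything unrecognised is 'error'."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" OK"):
        return ("clean", "")
    if text.endswith(" FOUND"):
        # Reply shape: "stream: <signature name> FOUND"
        return ("infected", text[:-len(" FOUND")].split(": ", 1)[-1])
    return ("error", text)  # e.g. "INSTREAM size limit exceeded. ERROR"

def scan_stream(sock, fileobj, chunk=CHUNK):
    """Stream fileobj to clamd over a connected socket and return the verdict."""
    try:
        sock.sendall(b"zINSTREAM\0")
        while True:
            data = fileobj.read(chunk)
            if not data:
                break
            # Each frame: 4-byte big-endian length, then that many bytes.
            sock.sendall(struct.pack("!I", len(data)) + data)
        sock.sendall(struct.pack("!I", 0))  # zero-length frame ends the stream
    except OSError:
        pass  # clamd may hang up early (size limit); still try to read why
    reply = b""
    try:
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    except OSError as exc:
        return ("error", str(exc))
    return parse_reply(reply)

def allow_upload(verdict):
    """Assumed policy: fail closed, so only an explicit clean verdict passes."""
    return verdict[0] == "clean"
```

With a real daemon the socket comes from `socket.create_connection((host, port))` with a timeout set; clamd's `StreamMaxLength` setting bounds the file size it accepts, and a file over that limit yields the `error` verdict rather than `clean`.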