Process on ASP.Net server not running correctly over IIS

Question

I am trying to run an antivirus scan on an uploaded file in an ASP.Net web app. We are using Sophos so have access to their command line API sav32cli. In the code I use:

Process proc = new Process();
proc.StartInfo.FileName = @"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sav32cli.exe";
proc.StartInfo.Arguments = @"-remove -nc " + SavedFile;
proc.StartInfo.Verb = "runas";
proc.Start();
proc.WaitForExit();
int exitCode = proc.ExitCode;

When stepping through the code, when attached to the w3wp process on dev server, the code just jumps from one line to the next seemingly doing nothing at all. When running from code on dev server, it performs as expected scanning file and deleting if it is seen as a virus.

The server is running IIS 8.0, and the app built in .Net Framework 4. I have changed the machine config to allow the process to run as SYSTEM account, in accordance to these instructions. https://support.microsoft.com/en-us/kb/317012#%2Fen-us%2Fkb%2F317012

<processModel  userName="SYSTEM" password="AutoGenerate" />

Is there something I'm missing? What is the best practice for this kind of implementation?

EDIT: When called, the Process returns an ExitCode of 2 (Error stopped execution), rather than the expected 0 (Scan worked, no viruses), or 3 (Scan worked, viruses found).

EDIT 2: As per comment below I changed the code to:

Process proc = new Process();
proc.StartInfo.FileName = @"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sav32cli.exe";
proc.StartInfo.Arguments = @"-remove -nc " + SavedFile;
proc.StartInfo.RedirectStandardOutput = true;
proc.StartInfo.UseShellExecute = false;
proc.Start();
StringBuilder output = new StringBuilder();

while (!proc.StandardOutput.EndOfStream)
{
    string line = proc.StandardOutput.ReadLine();
    output.AppendLine(line);
}
proc.WaitForExit();

int exitCode = proc.ExitCode;
ASPxMemo2.Text = exitCode.ToString() + Environment.NewLine + output.ToString();

output is always empty when run over IIS, but is populated correctly when running from code.

EDIT 3: Instead of looking at StandardOutput we looked at StandardError and it revealed this error:

Error initialising detection engine [0xa0040200] (Possible insufficient user Admin rights.)

For the time being we are going to move to another method of virus checking, but would still like to know a possible solution if anyone has it.

Answer 1

You will need to make sure that the application pool that is running your .NET application inside IIS has execute permissions to your file

"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sav32cli.exe"

You may also need to add this permission to the folder location where the file to be scanned is uploaded (c:\temp) for example

You may also need to have administrator privileges to run the anti virus scan since IIS8 does not run as an administrator. When you are debugging visual studio uses your current logged in windows user(unless you use runas) so this will explain why it would work when debugging.