Might be a little overkill, but it can stop viruses.
Virustotal API

This can push for a more secure and safe ServerSync.
This would be server side.

Scripts

There are two major problems with Virus Total (quoted from their documentation).

• "The Public API is limited to 4 requests per minute."
• "Keep in mind that files sent using the API have the lowest scanning priority, depending on VirusTotal's load, it may take several hours before the file is scanned"

Minor problems (from their TOS):

• you shall not : "engage in any activity that could damage, overload, harm or impede the normal functioning of the Service;"
• "While you retain any ownership rights in the original material contained in the Sample, when you upload or otherwise submit a copy of the Sample, you give VirusTotal (and those we work with) a worldwide, royalty free, irrevocable and transferable licence to use, edit, host, store, reproduce, modify, create derivative works, communicate, publish, publicly perform, publicly display and distribute all content contained in the Sample.
  YOU FURTHER AGREE THAT YOU WILL ONLY UPLOAD SAMPLES THAT YOU WISH TO PUBLICLY SHARE AND THAT IN ANY CASE, YOU WILL NOT KNOWINGLY SUBMIT ANY SAMPLE TO THE SERVICE THAT CONTAINS CONFIDENTIAL OR COMMERCIALLY SENSITIVE DATA OR PERSONAL DATA OF ANY INDIVIDUAL WITHOUT LAWFUL PERMISSION."

Major problem 1 is probably a killer really, 25 minutes for 100 files is not really an acceptable delay.

Major problem 2 would be a rare case in theory (assumption... I have no data to back up that statement) and we could probably just have a max timeout where the file in question is sent for scanning but the results are ignored with some kind of user feedback indicating that the results could not be retrieved in time.

Minor problem 1 can probably be waived as unlikely to be considered.

Minor problem 2 could be a sticking point, seems to imply that we would need to get permission from the original creator of every file we would submit for scanning. So we would end up limited to only getting results from files already present in Virus Total's database.

The company/entity appears to be unwilling to post the details of what is required to access the 'premium' features of the service.

I feel that there is more security gain to be had from #108.

We should be able to expect due diligence by server administrators to virus scan their files before serving them to clients.

Your thoughts?

Fair point, I just hope that there is a way to implement virus scanning, as it seems to be a big problem that is scaring people away from ServerSync.

Just want to indicate that this is a big issue. You can check out Clamav. It is an open source virus scanner. Some people have implemented it like this, or however you want to implement it, or anything else. My point is I want to get an antivirus software, so no person can just download viruses, on accident.

We should be able to expect due diligence by server administrators to virus scan their files before serving them to clients.

There are many problems with that. One, someone can just not scan what they are putting in, two, someone could hack into the server's FTP(Presuming they have one) and put in malicious software that goes unnoticed on the next startup, and three, people can just straight up scam people.

All valid points, however, it's really not in scope for ServerSync to be a replacement for security software.

Clamav looks promising though, shall have to do some testing with it to see how it performs.

This would most likely be something implemented on both sides of the pipe, clients would be equally vulnerable to incoming viruses as servers would be to hosting them.

Maybe an option to turn it off, both sides? It might be slow, so we just need to be sure.

We also don't want to cause serious damage if a virus gets put in our software and it becomes the next worldwide virus.

Yeah any implementation of this would have the option to turn it off for both parties.

The real debate will be is it opt in or opt out 😉. Quite a hard question considering the target audience of ServerSync is the less technical minded.

The default should be to opt in, because there are people a ton of people who don't look at the config, and a lot of them probably would want it to be enabled.

That would be opt out (virus scanning be on by default, the user needs to opt out of having it).

I am inclined to agree, I would be making it abundantly clear that this exists for those that would rather not be providing system access to a relatively 'unknown' party (SS using a third party library in this case).

Of course, if you wanted to sidestep how slow scanning the files are, alternatively you can scan them on server before hand(As we shouldn't be allowing additional files while the server is running)

Closing this as out of scope.

For now, any third party virus protection software would be better than baking a solution into ServerSync.