How to Run a Malware Scan in cPanel Using Imunify360

At Servers Grid, we’re always working to provide our customers with the latest in Web Hosting Technology; whether it helps their site be faster or more secure, we want our customers to have the best.

That’s why we have introduced a new Malware Scanner & Removal tool that will save our customers time and money when it comes to fighting the ever-growing malware threat.

Imunify360 powers the malware scanner & removal tool.

Essential Pre-requisites Before Using The Malware Scanner

  • The Malware Scanner & Removal Tool is free on all of our Web Hosting Accounts. 
  • Scheduling scans is currently not supported. Scans must be manually initiated from your cPanel > Imunify360 App.
  • You don’t have to keep your cPanel open during the scan.
  • The scan results will also be emailed to the cPanel Administrative Contact. Please ensure your email address in cPanel is up-to-date.

What is the Malware Scanner & Removal Tool?

The Malware Scanner & Removal Tool is an application that we have added to your cPanel, which allows you to scan your web hosting account for files that may be infected with malware. Such infections commonly affect PHP files or scripts vital to the normal functioning of a CMS such as Drupal, Joomla, or WordPress.

Overall, the tool is a comprehensive security application and utilizes highly tailored and integrated components for web server security.

How Does The Malware Scanner & Removal Tool Work?

The Malware Scanner & Removal Tool references an off-site database of known and highly probable malware infections and compares the files on your web hosting account to those known to be infected using machine learning and Cloud-based heuristics. The tool can detect the most sophisticated attacks, including the infamous zero-day and distributed brute-force attacks, and delivers robust and comprehensive protection for your web hosting account.

Using machine learning, it can compare an infected PHP file with a “clean version” of that file and extract precisely the malware, leaving your original file intact and undamaged.

How can the Malware Scanner & Removal Tool Help?

The Malware Scanner & Removal Tool can save you time, as it can quickly scan your website(s) and clean them of any infection. It can also potentially save you money, as you might otherwise have had to hire a developer or a third-party security service to clean your website and make it safe again.

Why Does a Website Get Infected With Malware?

Below are some possible reasons your website may have been infected with malware:

  • Vulnerable Website Code: Just like good products and designs attract visitors to your website, lousy code attracts hackers like moths to a flame. Your website may contain deprecated functions that are known to be vulnerable to certain attacks. Hackers search for these functions and exploit websites that have these vulnerabilities for their own gain.
  • Lack of Input Sanitization: A website has multiple input forms, such as the search bar, login area, comment boxes, registration areas, and more. If the inputs captured by the website aren’t sanitized, they can let an attacker inject malicious code. This is an easy way into the website without much effort. Attacks of this kind include XSS (Cross-Site Scripting) and SQL Injection.
  • Outdated Plugins: If your site runs on WordPress, you’re probably running plugins to help with forms, SEO, inserting and managing media, and more. The developers of these plugins spend copious amounts of time on them, and a good developer pushes regular updates. It’s up to you to keep your plugins up to date: an update may have been pushed because an exploit was found in the version of the plugin you’re running, and you got infected because you didn’t update that plugin.
  • Not Using CAPTCHAs: No one likes CAPTCHA, but its impact on spam from forms cannot be denied. It’s essential to use CAPTCHA because it adds a layer of protection to the form it’s being used on, such as comment and login forms. This layer of protection acts as an additional barrier for your site, and not using it is possibly asking for trouble.

 

How to Run a Malware Scan in cPanel Using Imunify360

Step 1: Log in to your cPanel. There are many ways to do this, but the sure-fire easiest way is to log in to your Client Area, then open your cPanel.

Step 2: Scroll down to the Security section of your cPanel and open the Imunify360 application.

Step 3: The Imunify360 application will load. To run a new scan, click the “Start Scanning” button.

The scan will be added to the queue.

When the scan is finished, you will receive an email message to the Administrative Contact email set for the cPanel account under which you ran the Malware Scan.

  • Please ensure your email address in cPanel is up-to-date. If you are not sure or are not familiar with how to update that email address, you can review our Knowledge Base article on the subject here.

Go to the Imunify360 > Files tab. Here, there is a table with a list of infected files.

The table has the following columns:

  • Detected — the exact time when the file was detected as malicious.
  • File — the path to the file, starting from the root.
  • Reason — the signature that was detected during the scan. Names in this column depend on the signature vendor, but you can derive some information from the signature ID itself. Taking SMW-SA-05155-wshll as an example:
    • The first section is either SMW or CMW: SMW stands for Server Malware and CMW stands for Client Malware.
    • The second section is either INJ or SA: INJ stands for Injection (malware injected into an otherwise legitimate file) and SA stands for StandAlone (the whole file is malicious).
    • The third section, 05155, is simply the identification number of the signature.
    • The fourth section (wshll, mlw.wp, etc.) gives the category and class of the malware identified. Here, wshll stands for web shell (mlw stands for malware).
    • The fifth section is the version number of the signature (0 here).
  • Status — the file status:
    • Infected — a threat was detected during scanning. If the file could not be cleaned during cleanup, an info icon is displayed; hover over it to see the reason.
    • Cleaned — the infected file has been cleaned up.
    • Content removed — the file’s content was removed during cleanup.
    • Cleanup queued — the infected file is queued for cleanup.
  • Actions:
    • Add to Ignore List — add the file to the Ignore List and remove it from the list of malicious files. Note that once a file is on the Ignore List, Imunify360 will no longer scan it.
    • View file — click the eye icon in the file’s row to display the file content in a popup. Only the first 100 KB of the content is shown if the file is larger.
    • Cleanup — click to clean up the file.
    • Delete — remove the file from the server and from the list of malicious files.
    • Restore original — click Restore original to restore the original file after cleanup, if a backup is available.
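A small parser for the Reason column’s signature ID format described above, written as an added example; it is not part of this article or of Imunify360, and the sample IDs in it are constructed. It splits an ID into the five sections the article lists (source type, detection type, number, malware class, optional version), expands the codes the article explains, and groups a batch of scan results so standalone web shells and injections into legitimate files can be triaged separately. IDs from other vendors, whose names differ, come back as None rather than being mis-parsed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Meanings taken from the article's description of the signature ID sections.
SOURCE = {"SMW": "server malware", "CMW": "client malware"}
KIND = {
    "SA": "standalone (the whole file is malicious)",
    "INJ": "injection (malware inserted into a legitimate file)",
}
CLASS = {"wshll": "web shell", "mlw": "malware"}

# SOURCE-KIND-NUMBER-CLASS[-VERSION]; the class may carry a sub-type such as mlw.wp.
_ID_RE = re.compile(r"^(SMW|CMW)-(SA|INJ)-(\d+)-([A-Za-z0-9.]+)(?:-(\d+))?$")


@dataclass(frozen=True)
class Signature:
    source: str
    kind: str
    number: str
    malware_class: str
    version: Optional[int]

    def describe(self) -> str:
        """Human-readable expansion of the ID using the article's code tables."""
        base = self.malware_class.split(".")[0]
        cls = CLASS.get(base, self.malware_class)
        ver = f", signature version {self.version}" if self.version is not None else ""
        return f"{SOURCE[self.source]}, {KIND[self.kind]}, class {cls} (#{self.number}{ver})"


def parse_signature(reason: str) -> Optional[Signature]:
    """Parse a Reason value; return None when it is not in this vendor's format."""
    m = _ID_RE.match(reason.strip())
    if not m:
        return None
    src, kind, num, cls, ver = m.groups()
    return Signature(src, kind, num, cls, int(ver) if ver is not None else None)


def summarize(reasons: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Count results by (source, kind, class); unparsed IDs are kept under '?'."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for reason in reasons:
        sig = parse_signature(reason)
        key = (sig.source, sig.kind, sig.malware_class) if sig else ("?", "?", reason)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample of Reason values as they might appear in a scan report.
    sample = [
        "SMW-SA-05155-wshll",
        "SMW-SA-05155-wshll",
        "CMW-INJ-00042-mlw.wp-0",
        "vendor-x-thing",
    ]
    for reason in sample:
        sig = parse_signature(reason)
        print(reason, "->", sig.describe() if sig else "not in SMW/CMW format")
    # Standalone files come first in triage: they are wholly malicious, while an
    # injection means a legitimate file that needs cleaning rather than deletion.
    for key, n in sorted(summarize(sample).items(), key=lambda kv: kv[0][1] != "SA"):
        print(key, n)
```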

To perform a bulk action, tick the required files and click the corresponding button above the table.

The following filters are available:

  • Timeframe — displays the results filtered by chosen period or date.
  • Status — displays the results filtered by chosen status.
  • Items per page displayed — click the number at the table bottom.

The table can be sorted by detection date (Detected), file path (File), Reason, and Status.

History

The History tab contains data on all actions for all files. Go to the Imunify360 > History tab. Here, there is a table with a list of files.

The table has the following columns:

  • Date — action timestamp.
  • Path to File — path to the file, starting from the root.
  • Cause — how the malicious file was found:
    • Manual — scanning or cleaning was processed manually by a user.
    • On-demand — scanning or cleaning was initiated by a user.
    • Real time — scanning or cleaning was processed automatically by the system.
  • Owner — the user name of the file owner.
  • Initiator — the name of the user who initiated the action. For system actions the name is System.
  • Event — the action taken on the file:
    • Detected as malicious — the file was detected as infected after scanning.
    • Cleaned — the file was cleaned up.
    • Failed to clean up — there was a problem during cleanup. Hover over the info icon to read more.
    • Added to Ignore List — the file was added to the Ignore List. Imunify360 will not scan it.
    • Restored original — the file content was restored as not malicious.
    • Cleanup removed content — the file content was removed during cleanup.
    • Deleted from Ignore List — the file was removed from the Ignore List. Imunify360 will scan it.
    • Deleted — the file was deleted.
    • Submitted for analysis — the file was submitted to the Imunify team for analysis.
    • Failed to delete — there was a problem during removal. Hover over the info icon to read more.
    • Failed to ignore — there was a problem adding the file to the Ignore List. Hover over the info icon to read more.
    • Failed to delete from ignore — there was a problem removing the file from the Ignore List. Hover over the info icon to read more.

The table can be sorted by Date, Path to File, Cause, and Owner.

Ignore List

The Ignore List tab contains the list of files and directories that are excluded from Malware Scanner scanning. Go to the Imunify360 > Ignore List tab. Here, there is a table with a list of files.

The table has the following columns:

  • Added — the date when the file was added to Ignore List.
  • Path — path to the file starting from the root.
  • Actions:
    • Remove from Ignore List — click the Bin icon to remove the file from the Ignore List and start scanning it again.
    • Add new file or directory — click the Plus icon to add a new file or directory to the Ignore List.

To perform a bulk action, tick the required files and click the corresponding button above the table.

The following filters are available:

  • Timeframe — displays the results filtered by chosen period or date.
  • Items per page displayed — click the number at the table bottom.

The table can be sorted by Added and Path. By default, it is sorted from newest to oldest.

How to Use the Proactive Defense Mode in the Malware Scanner & Removal Tool

The Malware Scanner & Removal Tool features an advanced component called Proactive Defense that can help make PHP-based websites more secure by terminating PHP scripts in which malicious activity is occurring, including scripts of insecure WordPress plugins and of any other outdated, unpatched applications that can be easily compromised.

You can access the Proactive Defense mode by clicking “Proactive Defense” in the row of options at the top of Imunify360.

When enabled, you have the choice of the following two mode settings:

  • Log only — this will only log suspicious events.
  • KILL Mode — this will terminate the script as soon as an attack is detected and guarantees the highest level of protection.

The table beneath the Mode settings lists the detected events, and the ignore list if you have added any events to it.

Frequently Asked Questions about the Proactive Defense Option

Q: Can Proactive Defense prevent the malicious activity of cron jobs? Can the cron job execute in a way so the Proactive Defense module is not loaded?

A: Proactive Defense is a PHP module that should execute any time a PHP script is executed, including PHP run from a cron job. Note that hackers can create a cron job that starts a PHP script with a custom php.ini in order to skip loading Proactive Defense. To prevent this from happening, we recommend using HardenedPHP exclusively, where the Proactive Defense component cannot be skipped by using a custom php.ini.

Q: Are there any restrictions for use with different PHP handlers?

A: Proactive Defense can work with any PHP handler, provided the PHP version is 5.4 or higher.

Q: Can I benefit from Proactive Defense if I have Cloudflare WAF enabled for my website?

A: Cloudflare WAF and other WAFs check only HTTP requests, not the actual PHP execution. As a result, Proactive Defense adds another layer of protection to your site.

Q: What is the difference between Proactive Defense and other services like Wordfence?

A: Most security tools like Wordfence are tailored to a single CMS (e.g., WordPress) and work only for the hosting accounts they are installed on. In addition, they are signature-based, so they cannot block PHP script execution proactively.

Q: Will Proactive Defense affect my website’s performance?

A: It slows down PHP script execution by approximately 3-5%. This means that if a script took 0.2 seconds to load before, it will now take around 0.206 seconds.

 

 

