Malware Scanner¶
The malware scanner inspects the webroots of hosted websites for PHP shells, backdoors and injected code. It combines Linux Malware Detect (maldet) with optional ClamAV as a second signature engine and runs directly on the server that hosts the website.
How it works¶
The scan runs asynchronously on the website's server:
- The panel creates a scan record and dispatches the request to the agent.
- The agent starts maldet in the background and returns immediately.
- While the scan runs, the agent publishes live progress (files scanned, hits).
- On completion, the agent reports the result (files scanned + findings) back to the panel.
Scan engines
The primary scanner is maldet with its own signatures tuned for web malware. If ClamAV is installed, its signatures are added (Cisco Talos, roughly 8 million signatures, refreshed hourly via freshclam) — extended by the unofficial feeds from Sanesecurity, URLhaus and MalwarePatrol. Both tools are installed automatically when needed (no Docker, no manual setup).
Scan types¶
| Type | Scope | When to use |
|---|---|---|
| Full scan | The entire webroot, recursively | Initial check, suspected compromise, after a restore |
| Quick scan (incremental) | Only files changed in the last 7 days | Regular, fast checks |
A full scan can take a while on large sites (100,000+ files). It runs at low priority so the web server keeps operating normally.
Starting a scan¶
As an administrator¶
- Navigate to Malware Scanner
- The table lists every website with its status and last scan
- Click Scan now on the desired website
- Use the dropdown to choose between Quick scan (last 7 days) and Full scan
- The progress window opens once the scan starts
Administrators can scan any website — regardless of the customer's package.
As a customer¶
Customers whose package grants the Malware Scan permission see the Malware Scanner menu item and can scan their own websites. A customer scan is always a quick scan.
Permission
The malware scanner is enabled per package via the Malware Scan permission (perm_malware_scan). Without it, the feature is hidden from the customer and the automatic scan (see below) skips that customer's websites.
Automatic scans¶
A background scheduler checks websites on its own:
| Property | Value |
|---|---|
| Interval | One tick every 5 minutes |
| Scan type | Incremental (quick scan) |
| Per tick | Exactly one eligible website per server |
| Cadence per website | At most once every ~22 hours |
| Requirement | Subscription active and package permission Malware Scan |
Prioritization — which website is scanned next:
- Websites with at least one active finding first
- then the website with the oldest completed scan
- then websites that have never been scanned
This spreads the load evenly across the day and prioritizes websites that need attention.
Concurrency
At most two scans run in parallel per server; additional scans are queued and start as soon as a slot frees up.
Status display¶
Each website shows a status in the overview:
| Status | Meaning |
|---|---|
| Never scanned | No scan exists for this website |
| Scan running… | A scan is currently active |
| Clean | Last scan completed, no threats |
| Threats | Last scan produced findings |
| Failed | The scan could not be completed |
A scan's lifecycle is pending → running → completed (or failed). If a scan is stuck for more than 45 minutes (for example because the agent restarted in the meantime), it is automatically marked as failed so the website becomes scannable again.
Tracking progress and cancelling¶
While a scan is running:
- Show progress opens a window with a live counter (files scanned, threats found).
- The window can be closed — the scan continues in the background.
- Cancel scan terminates the running scan. Any threats found so far are discarded.
Findings¶
Every file flagged as malicious produces a finding. View findings opens a detail view with key figures (start time, duration, files scanned, number of threats) and the list of findings.
Threat type¶
| Type | Description |
|---|---|
| webshell | Web shell (e.g. an uploaded attack script) |
| backdoor | Backdoor for persistent access |
| injected_code | Malicious code injected into legitimate files |
| suspicious | Suspicious but not clearly classified |
Severity¶
| Severity | Typical mapping |
|---|---|
| Critical | Web shells, backdoors |
| High | Trojans, injected code |
| Medium | Suspicious/obfuscated patterns (e.g. Base64) |
| Low | Other hits |
The detail view shows a breakdown by severity and status; the counters let you filter the findings list.
Actions on findings¶
Each finding has a status: Active, Quarantined, Ignored or Resolved. Active findings offer two actions:
Move to quarantine¶
- Moves the affected file into the
.quarantine/directory inside the webroot. - The quarantine directory is owned by
root(mode 0700) and is not reachable by the customer's PHP due toopen_basedir— the file can no longer be executed or read from there. - The filename receives a timestamp prefix so files with the same name do not collide.
Impact on the website
If you quarantine a file the website actually needs (for example a legitimate file that was flagged in error), the website may show errors. Review the finding before moving it.
Mark as false positive¶
- Sets the finding to Ignored without touching the file.
- The file stays unchanged in place.
Requirements and installation¶
The required tools are provisioned automatically:
- maldet is installed on each server on the first scan, or when the malware-scanner extension is enabled (sourced directly from the vendor rfxn.com, plus the runtime dependencies
edandinotify-tools). - ClamAV is installed as a second engine from the package repositories;
freshclamkeeps the signatures current, and a daily timer updates the extended signature feeds.
No manual installation is required.
After a compromise
A finding means malicious code is present on the system. Quarantine the affected files, then review credentials (FTP, SSH, CMS admin) and update the CMS and its extensions. For a larger infection, consider restoring from a clean backup (see Backups).