Skip to content

Malware Scanner

The malware scanner inspects the webroots of hosted websites for PHP shells, backdoors and injected code. It combines Linux Malware Detect (maldet) with optional ClamAV as a second signature engine and runs directly on the server that hosts the website.


How it works

The scan runs asynchronously on the website's server:

  1. The panel creates a scan record and dispatches the request to the agent.
  2. The agent starts maldet in the background and returns immediately.
  3. While the scan runs, the agent publishes live progress (files scanned, hits).
  4. On completion, the agent reports the result (files scanned + findings) back to the panel.

Scan engines

The primary scanner is maldet with its own signatures tuned for web malware. If ClamAV is installed, its signatures are added (Cisco Talos, roughly 8 million signatures, refreshed hourly via freshclam) — extended by the unofficial feeds from Sanesecurity, URLhaus and MalwarePatrol. Both tools are installed automatically when needed (no Docker, no manual setup).


Scan types

Type Scope When to use
Full scan The entire webroot, recursively Initial check, suspected compromise, after a restore
Quick scan (incremental) Only files changed in the last 7 days Regular, fast checks

A full scan can take a while on large sites (100,000+ files). It runs at low priority so the web server keeps operating normally.


Starting a scan

As an administrator

  1. Navigate to Malware Scanner
  2. The table lists every website with its status and last scan
  3. Click Scan now on the desired website
  4. Use the dropdown to choose between Quick scan (last 7 days) and Full scan
  5. The progress window opens once the scan starts

Administrators can scan any website — regardless of the customer's package.

As a customer

Customers whose package grants the Malware Scan permission see the Malware Scanner menu item and can scan their own websites. A customer scan is always a quick scan.

Permission

The malware scanner is enabled per package via the Malware Scan permission (perm_malware_scan). Without it, the feature is hidden from the customer and the automatic scan (see below) skips that customer's websites.


Automatic scans

A background scheduler checks websites on its own:

Property Value
Interval One tick every 5 minutes
Scan type Incremental (quick scan)
Per tick Exactly one eligible website per server
Cadence per website At most once every ~22 hours
Requirement Subscription active and package permission Malware Scan

Prioritization — which website is scanned next:

  1. Websites with at least one active finding first
  2. then the website with the oldest completed scan
  3. then websites that have never been scanned

This spreads the load evenly across the day and prioritizes websites that need attention.

Concurrency

At most two scans run in parallel per server; additional scans are queued and start as soon as a slot frees up.


Status display

Each website shows a status in the overview:

Status Meaning
Never scanned No scan exists for this website
Scan running… A scan is currently active
Clean Last scan completed, no threats
Threats Last scan produced findings
Failed The scan could not be completed

A scan's lifecycle is pending → running → completed (or failed). If a scan is stuck for more than 45 minutes (for example because the agent restarted in the meantime), it is automatically marked as failed so the website becomes scannable again.


Tracking progress and cancelling

While a scan is running:

  • Show progress opens a window with a live counter (files scanned, threats found).
  • The window can be closed — the scan continues in the background.
  • Cancel scan terminates the running scan. Any threats found so far are discarded.

Findings

Every file flagged as malicious produces a finding. View findings opens a detail view with key figures (start time, duration, files scanned, number of threats) and the list of findings.

Threat type

Type Description
webshell Web shell (e.g. an uploaded attack script)
backdoor Backdoor for persistent access
injected_code Malicious code injected into legitimate files
suspicious Suspicious but not clearly classified

Severity

Severity Typical mapping
Critical Web shells, backdoors
High Trojans, injected code
Medium Suspicious/obfuscated patterns (e.g. Base64)
Low Other hits

The detail view shows a breakdown by severity and status; the counters let you filter the findings list.


Actions on findings

Each finding has a status: Active, Quarantined, Ignored or Resolved. Active findings offer two actions:

Move to quarantine

  • Moves the affected file into the .quarantine/ directory inside the webroot.
  • The quarantine directory is owned by root (mode 0700) and is not reachable by the customer's PHP due to open_basedir — the file can no longer be executed or read from there.
  • The filename receives a timestamp prefix so files with the same name do not collide.

Impact on the website

If you quarantine a file the website actually needs (for example a legitimate file that was flagged in error), the website may show errors. Review the finding before moving it.

Mark as false positive

  • Sets the finding to Ignored without touching the file.
  • The file stays unchanged in place.

Requirements and installation

The required tools are provisioned automatically:

  • maldet is installed on each server on the first scan, or when the malware-scanner extension is enabled (sourced directly from the vendor rfxn.com, plus the runtime dependencies ed and inotify-tools).
  • ClamAV is installed as a second engine from the package repositories; freshclam keeps the signatures current, and a daily timer updates the extended signature feeds.

No manual installation is required.

After a compromise

A finding means malicious code is present on the system. Quarantine the affected files, then review credentials (FTP, SSH, CMS admin) and update the CMS and its extensions. For a larger infection, consider restoring from a clean backup (see Backups).