Malware Scanner


Click Malware Scanner in the main menu of the Imunify360 user interface to open the Malware Scanner page.

 

Note. The functionality described on this page depends on Malware Scanner settings.

 

Imunify360 Malware Scanner automatically scans file systems for malware injection and quarantines infected files.

 

This is a real-time file scanner that checks for vulnerabilities. It performs:

 

1. Scanning files uploaded via FTP (supporting Pure-FTPd).

2. Scanning files uploaded via HTTP/HTTPS.

3. Scanning files for changes via inotify.

4. On-demand scanning (any folder you need).

 

Note that when Mod_Security is used for real-time scans, the file owner can be detected only if Apache is running with mod_ruid2 configured. In other cases, the user reported for these files is always the user the web server is running under (usually nobody).

 

Malware scanning allows you to:

 

observe scanner activity;

start on-demand file scanner;

manage suspicious and quarantined files.

 

Observing Malware Scanner activity

 

Go to the Malware Scanner page and choose the Dashboard tab. By default, this page displays the file scanning activity from the beginning of the current day. Use the Timeframe filter to observe scanner activity within the required time period.

 


The scanner activity is filtered by:

 

Files scanned - the total number of files that Malware Scanner has already checked.

Ignored files - the number of files ignored during scanning.

Suspicious - the number of files in which Malware Scanner has detected suspicious activity, but which are still available for the user.

Quarantined - the number of quarantined files that are not available for the user.

Restored from quarantine - the list of the files restored from the quarantine manually.

 

On-demand file scanner

 

It is possible to scan a specific directory for malware. Go to the Malware Scanner page and choose the On-demand scan tab. Then follow these steps:

 

1. Enter the name of the folder you need to scan in the Folder to scan field. Start typing with the slash “/”.

 

The following is optional:

 

Set Filename mask. It sets the file type to scan (for example, “*.php” - all files with the extension php). The default setting is “*”, which means all files without restriction.

Set Ignore mask. It sets the file type to ignore (for example, “*.html” - ignores all files with the extension html).

 

2. Click Start.
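
The effect of the two optional masks on scan coverage, as an added example that is not part of the Imunify360 documentation or product code. It assumes the masks are shell-style globs matched against the file name and that the ignore mask wins when both match (the page does not specify either); preview_scan, build_sample_tree and the sample tree are constructed for illustration.

```python
import fnmatch
import os
import tempfile


def preview_scan(folder, filename_mask="*", ignore_mask=None):
    """Split files under `folder` into those the mask pair selects and those it skips.

    Assumption: masks are shell-style globs matched against the file name,
    and the ignore mask wins when both match. The page does not specify this.
    """
    selected, skipped = [], []
    for dirpath, _dirs, files in os.walk(folder):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), folder)
            included = fnmatch.fnmatchcase(name, filename_mask)
            ignored = ignore_mask is not None and fnmatch.fnmatchcase(name, ignore_mask)
            (selected if included and not ignored else skipped).append(rel)
    return sorted(selected), sorted(skipped)


def build_sample_tree(root):
    """Create a small constructed document root for the demonstration."""
    for rel in ("index.php", "about.html", "uploads/avatar.png",
                "uploads/cache.phtml", "inc/db.php", ".htaccess"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")


def demo():
    """Compare the page's default mask with the narrowed masks it mentions."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        default = preview_scan(root)                      # page default: "*"
        narrowed = preview_scan(root, "*.php", "*.html")  # masks from the page
        return default, narrowed


if __name__ == "__main__":
    default, narrowed = demo()
    print("default mask selects:", default[0])
    print("*.php selects:", narrowed[0])
    print("*.php leaves unscanned:", narrowed[1])
```

Running the preview on the folder you intend to scan shows which files a narrowed mask leaves unchecked; with the default “*” mask nothing is skipped.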

 

The Malware Scanner status is displayed in the top right corner:

 

The Scanner is stopped - means that no scanning process is running.

The Scanner is running - means that the scanner is working at the moment.

 


After Malware Scanner has finished on-demand scanning, you will see the results in the table below with the following information:

 

Date - the date when the scanning process was performed.

Path - the name of the folder that was scanned.

Total - the number of quarantined and suspicious files found during the scanning.

Suspicious - the number of suspicious files found during the scanning.

Quarantined - the number of files quarantined during the scanning.

 

 


Use Limit filter to set the number of the IPs to be shown on the page.

 

Suspicious and quarantined files can be reviewed and managed in the Managing suspicious and quarantined files section below.

 

Managing suspicious and quarantined files

 

Go to the Malware Scanner page and choose the Quarantine tab. This page has two tables with suspicious and quarantined files:

 

Suspicious files table - the files with detected suspicious activity (still available for the user).

 

Quarantined files table - the files with detected suspicious activity (moved to quarantine, not available for the user).

 

Use filters to show the exact list of the files in each table:

 

Timeframe - allows filtering files by the time period of detection.

Limit - allows setting the number of files to be shown on a page.

Search field - allows searching files by file name.

 

Suspicious Files Table

 

The following information is available from the table:

 

Username - file owner name.

File - the path where the file is located.

Detected - the date of detection.

Status - the way the suspicious activity was detected. Can be On-demand, which means that the file was found during manual scanning, or Real-time, which means that the file was detected during the real-time scanning process.

Reason - describes the signature which was detected during the scanning process. Names in this column depend on the signature vendor.

 

Quarantined files with Scan type Realtime show additional information when you click the file in the table:

 

Http_host - the domain where the file was uploaded from.

Script_filename - the path to the script file through which the quarantined file was uploaded.

 

It is possible to manage suspicious files in the table:

 

Delete files permanently

 

Click the cog icon in the relevant file row and click Delete permanently. To act on several files at once, mark their checkboxes and click Delete permanently above the table.

 


Move to quarantine

 

Click the cog icon in the relevant file row and click Add to quarantine. To act on several files at once, mark their checkboxes and click Quarantine selected above the table.

 


This action requires confirmation in the pop-up window. It is possible to send the file to the Imunify360 team for analysis. To do so, mark the Submit to the Imunify360 team for analysis checkbox and confirm by clicking Yes, Add to quarantine.

 


Add to ignore list

 

Click the cog icon in the relevant file row and click Add to ignore list. Read more about ignore list above.

 


In the pop-up window, tick the Submit checkbox to let the Imunify360 team analyse whether the file or files need to be examined. Click Yes, add to ignore list. Malware Scanner will no longer scan this file.

 


View file content

 

Click the eye icon in the relevant file row and the file content will be displayed in the pop-up. If the file is larger than 100Kb, only the first 100Kb of its content is shown.

 

Quarantined files table

 

The following information is available from the table:

 

Username - file owner name.

File - path to the quarantined file.

Since - the date when the file was quarantined.

Scan type - the way the suspicious activity was detected. Can be On-demand, which means that the file was found during manual scanning, or Real-time, which means that the file was detected during the real-time scanning process.

Reason - describes the signature which was detected during the scanning process. Names in this column depend on the signature vendor.

 

Quarantined files with Realtime Scan type show additional information when you click the file in the table:

 

Http_host - the domain where the file was uploaded from.

Script_filename - the path to the script file through which the quarantined file was uploaded.

 


It is possible to manage suspicious files in the table:

 

Delete files permanently

 

Click the cog icon in the relevant file row and click Delete permanently. To act on several files at once, mark their checkboxes and click Delete permanently above the table.

 


Restore from quarantine

 

Click the cog icon in the relevant file row and choose Restore from quarantine. To act on several files at once, tick their checkboxes and click Restore from quarantine above the table.

 


View file content

 

Click the eye icon in the relevant file row to view the file content in the pop-up. If the file is larger than 100Kb, only the first 100Kb of its content is shown.

 

Managing ignore list

 

Go to the Malware Scanner page and choose the Ignore list tab. The table on the page shows all items (files and folders) added to the ignore list and when they were added.

 

To add a new file or a new path to the ignore list, do the following:

 

click Add new file or directory;

in the pop-up, enter the path to be added;

click Add.

 


To delete an item, click the recycle bin icon and confirm the action. When a path is removed from the ignore list, it will be rechecked by the malware scanner.

 

To search for a file or folder in the ignore list, use the Search input field above the table.