[Available since Imunify360 3.4.0 Beta]
Proactive Defense is a unique Imunify360 feature that can prevent malicious activity performed through PHP scripts. It is available as a PHP module for the Apache and LiteSpeed web servers and analyzes script activity against known patterns such as obfuscated command injection, malicious code planting, spam sending, SQL injection, etc.
Go to Imunify360 → Proactive Defense.
Here you can set the mode, view detected events, and perform actions on them.
The following Proactive Defense modes are available:
• Disabled — Proactive Defense is not running and the system is left without this protection (default mode);
• Log Only — possible malicious activity is only logged, and no action is taken on the script;
• Kill Mode — the highest level of protection: the script is terminated as soon as malicious activity is detected.
To select a mode, tick the desired checkbox. When the change is applied, a pop-up confirms that the mode was changed successfully.
Note that events are logged in all modes except Disabled.
Note that a user can disable Proactive Defense for their own hosting account at any time. Any mode that the admin has not disabled for that hosting account can be activated by the user.
The Detected Events table displays all the necessary information about PHP scripts with malicious activity detected by Imunify360 Proactive Defense.
You can filter items by time frame in the Timeframe dropdown and search for a specific entity in the search field.
The Detected Events table displays 25 items per page by default. To change the number of items displayed, click the number next to Items per page at the bottom right corner and select the desired number in the dropdown.
To go to the next or the previous page, click the >> or << button, or click the desired page number.
The Detected Events table includes the following columns:
• Group/individual action checkbox — allows you to perform actions on one or several selected entities;
• Detection Date/Time — displays the date and the exact time the event was detected. To view the exact time, click the clock icon in the desired event row. To order the events from newest to oldest or vice versa, click the ▲ icon in the Detection Date/Time column header;
• Description — displays the Proactive Defense rule that triggered the detection of the suspicious activity;
• Script Path — displays the path to the suspicious script. The number next to the path shows how many times this event has been repeated;
• Host — displays the host of the script;
• First script call from — displays the IP address from which the first call of the script was detected. A white-colored IP is whitelisted, a black-colored IP is blacklisted, a gray-colored IP is graylisted, and all other IPs are shown in blue;
• Action — displays the current mode;
• Actions — allows you to view details and perform actions on the event.
The following actions are available for a detected event:
• View file content;
• Move IP to the Black List.
View file content
This action can be performed in two ways.
The first way
Click the View details icon in the row of the desired event. Here you can see the same information as in the table, plus all environment variables and their values. Then click the View file content button. The file content is displayed in a new pop-up.
The second way
Click the gear icon in the row of the desired event and choose View file content.
The file content is displayed in a new pop-up.
The group action is not available for viewing file content.
Move IP to the Black List
Click the View details icon in the row of the desired event, then click the Block IP button. In the pop-up displayed, click Yes, move to Black list to complete the action, or Cancel to return to the Details window. When the IP is added to the Black list, you will see a confirmation pop-up.