Proactive Defense


Overview

 

Proactive Defense is a unique Imunify360 feature that can prevent malicious activity performed through PHP scripts. It is available as a PHP module for Apache and LiteSpeed web servers and analyzes script activity against known patterns such as obfuscated command injection, malicious code planting, spam sending, and SQL injection.

 

User Interface

 

Go to Imunify360 → Proactive Defense.

 

[Screenshot: ProactiveDefenseMain]

 

Here you can set a mode, view detected events and perform actions on them.

 

[Screenshot: ProactiveDefenseGeneralUI]

 

Mode Settings

 

The following Proactive Defense modes are available:

Disabled — Proactive Defense is not running and the system is not fully protected (default mode);

Log Only — possible malicious activity is only logged; no actions are performed;

Kill Mode — the highest level of protection: the script is terminated as soon as malicious activity is detected.

To select a mode, tick the desired checkbox. When the change is applied, a pop-up confirms that the mode was changed successfully.

[Screenshot: ProactiveDefenseModeSettings]

 

Note that the data is logged in all modes except Disabled.

Note that a user can disable Proactive Defense at any time. A user can activate any mode that the admin has not disabled for the user's hosting account.

 

Detected Events

 

The Detected Events table displays all the necessary information about PHP scripts with malicious activity detected by Imunify360 Proactive Defense.

[Screenshot: ProactiveDefenseDetectedEvents]

 

You can filter items by time frame in the Timeframe dropdown and search for a specific entry in the search field.

The Detected Events table displays 25 items per page. To change the number of items displayed, click the number at the bottom right corner (Items per page) and select the desired number in the dropdown.

To go to the next or the previous page, click the >> or << button, or click the desired page number.

The Detected Events table includes the following columns:

Group/individual action checkbox — allows performing actions on one or several selected entries;

Detection Date/Time — displays the date and the exact time the event was detected. To view the exact time, click the clock icon in the desired event line. To order the events from the last to the first or vice versa, click the ▲ icon in the Detection Date/Time column header;

Description — displays the Proactive Defense rule that triggered the detection;

Script Path — displays the path to the suspicious script. The number next to the path shows how many times this event has repeated;

Host — displays the host of the script;

First script call from — displays the IP address from which the first call of the script was detected. White means the IP is whitelisted; black means it is blacklisted; gray means it is graylisted; all other IPs are shown in blue;

Action — displays the current mode;

Actions — allows viewing details and performing actions on the event.

 

Actions

 

The following actions are available for the detected event:

View file content;

Move IP to the Black List;

Move file to Ignore List (ignore detected rule) — allows a user to exclude a file from Proactive Defense analysis for a particular rule; {Available starting with Imunify360 3.7.0 Beta}

Move file to Ignore List (ignore all rules) — allows a user to exclude a file from Proactive Defense analysis for all rules; {Available starting with Imunify360 3.7.0 Beta}

Remove file from Ignore List — allows a user to return an ignored file to Proactive Defense analysis. {Available starting with Imunify360 3.7.0 Beta}

 

View file content

 

This action can be performed in two ways.

 

The first way

 

Click the View details icon in the row of the desired event. Here you can see the same information as in the table, plus all environment variables and their values. Then click the View file content button. The file content is displayed in a new pop-up.

 

[Screenshot: ProactiveDefenseViewFileContent]

 

The second way

Click the gear icon in the row of the desired event and choose View file content.

 

[Screenshot: ProactiveDefenseViewFileContentWay2]

 

The file content is displayed in a new pop-up.

[Screenshot: ProactiveDefenseFileContent]

The group action is not available for viewing file content.

 

Move IP to the Black List

 

Click the View details icon in the row of the desired event, then click the Block IP button. To move the IP to the Black list, click Yes, move to Black list. In the pop-up that appears, click Yes, move to black list to complete the action, or Cancel to return to the Details window. When the IP is added to the Black list, a confirmation pop-up appears.

 

[Screenshot: ProactiveDefenseBlockIP]

 

Move file to Ignore List (ignore detected rule)

{Available starting with Imunify360 3.7.0 Beta}

 

The first way

Click the cog icon in the row of the desired event and choose Ignore detected rule for the file. Click Yes, add to Ignore List in the confirmation pop-up, or click Cancel to close the pop-up. The file now appears on the Ignore List tab.

[Screenshot: ProactiveDefenseIgnoreDetectedRuleForFile]

 

The second way

Click the View details icon and then, in the file details pop-up, click Ignore detected rule for this file. Click Yes, add to Ignore List in the confirmation pop-up, or click Cancel to close the pop-up. The file now appears on the Ignore List tab.

 

[Screenshot: ProactiveDefenseIgnoreDetectedRuleForFile1]

 

Move file to Ignore List (ignore all rules)

{Available starting with Imunify360 3.7.0 Beta}

 

The first way

Click the cog icon in the row of the desired event and choose Ignore all rules for the file. Click Yes, add to Ignore List in the confirmation pop-up, or click Cancel to close the pop-up. The file is moved to the Ignore List tab.

[Screenshot: ProactiveDefenseIgnoreAllRulesForFile]

 

The second way

Click the View details icon and then, in the file details pop-up, click Ignore all rules for this file. Click Yes, add to Ignore List in the confirmation pop-up, or click Cancel to close the pop-up. The file now appears on the Ignore List tab.

 

[Screenshot: ProactiveDefenseIgnoreAllRulesForFile1]

 

Remove file from Ignore List

{Available starting with Imunify360 3.7.0 Beta}

 

On the Ignore List tab, click the Bin icon and confirm the action.

[Screenshot: ProactiveDefenseIgnoreListBin]

 

To perform a bulk action, tick the required checkboxes, click Remove from ignore list at the top of the table, then confirm the action in the pop-up.

 

Ignore List tab

 

{Available starting with Imunify360 3.7.0 Beta}

 

This tab contains a table of files with ignored rules. When a file is added to the Ignore List, Proactive Defense does not analyze script activity from this file, either for all rules or for the specified rule.

[Screenshot: ProactiveDefenseIgnoreList]

 

The Ignore List table includes the following columns:

 

Add Date/Time — displays the date and the exact time the file was added. To view the exact time, click the clock icon in the desired file line. To order the files from the last to the first or vice versa, click the ▲ icon in the Add Date/Time column header.

Script Path — displays the path to the script.

Rules to ignore — displays the pattern to be ignored.

Actions — allows viewing details and performing actions on the file.

 

How to test Proactive Defense

 

1. Set Proactive Defense to Log Only mode (requests will not be blocked) or to Kill Mode (detected scripts will be terminated).

2. Create a file with the following content:

 

    <?php system('wget -V');?>  

 

3. Place this file on the server.

4. Call a test page with the script from step 2.

5. If Proactive Defense is disabled, you will see the Wget version in the web browser.

6. If Proactive Defense is enabled and Log Only mode is set, you will see the string Rule for the testing of malicious in the Detected Events table.

7. If Proactive Defense is enabled and Kill Mode is set, the test page returns an error.
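The procedure above can be scripted so that the observable outcome of each mode is checked automatically. The following POSIX shell script is an added example, not part of the original page or of Imunify360's own tooling: it writes the test file from step 2, fetches it with curl, and maps the HTTP status and body onto the outcomes of steps 5 to 7. The document root (DOCROOT) and the test page URL (TEST_URL) are assumptions and must be set for your server. Note that Disabled and Log Only both let the script run, so the response alone cannot tell them apart; only the Detected Events table does.

```shell
#!/bin/sh
# Added example (not Imunify360's own tooling). DOCROOT and TEST_URL are
# assumptions; override them in the environment to match your server.
set -eu

DOCROOT="${DOCROOT:-/var/www/html}"                    # assumed document root
TEST_URL="${TEST_URL:-http://localhost/pd_test.php}"   # assumed URL of the test page
TEST_FILE="pd_test.php"                                # constructed file name

# Writes the test script from step 2 of the procedure into the document root.
write_test_script() {
    printf '%s\n' "<?php system('wget -V');?>" > "$DOCROOT/$TEST_FILE"
}

# Deletes the test script again once the check is done.
remove_test_script() {
    rm -f "$DOCROOT/$TEST_FILE"
}

# classify_response STATUS BODY
# Maps the HTTP status and response body onto a short outcome token:
#   executed   - wget banner present: Proactive Defense is Disabled or in
#                Log Only mode (step 5/6); check the Detected Events table
#   no-banner  - page served but no banner: wget itself is probably missing
#   terminated - error response: script killed in Kill Mode (step 7)
#   unexpected - anything else (wrong URL, auth, redirect, ...)
classify_response() {
    status="$1"
    body="$2"
    case "$status" in
        2*)
            case "$body" in
                *"GNU Wget"*) echo "executed" ;;
                *)            echo "no-banner" ;;
            esac ;;
        5*|403) echo "terminated" ;;
        *)      echo "unexpected" ;;
    esac
}

# Fetches the test page and prints the outcome token followed by an
# explanation. Usage: write_test_script && run_test; remove_test_script
run_test() {
    tmp=$(mktemp)
    status=$(curl -s -o "$tmp" -w '%{http_code}' "$TEST_URL")
    body=$(cat "$tmp")
    rm -f "$tmp"
    outcome=$(classify_response "$status" "$body")
    case "$outcome" in
        executed)   echo "$outcome: script ran (Disabled or Log Only); check Detected Events for the test rule" ;;
        no-banner)  echo "$outcome: page served but no Wget banner; is wget installed?" ;;
        terminated) echo "$outcome: HTTP $status, script was killed (Kill Mode) or server error" ;;
        *)          echo "$outcome: HTTP $status" ;;
    esac
}
```

Run it on the server with the test file in place (write_test_script, then run_test), compare the token with the mode you selected, and remove the file afterwards with remove_test_script so the probe does not stay in the document root.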