
A New Way To Neutralize Infected Files

Mar 19, 2020 2:17:17 PM / by Greg Zemskov


Some Imunify360 customers don’t use the Auto Cleanup option because they’re afraid that it will break client web sites. They’re afraid that if a WordPress index.php file gets infected, for instance, the file will be blocked by Malware Scanner, and the web site will go down.

These fears are unfounded. Malware Scanner removes malicious code that’s been injected into a file, while leaving the rest of the file intact. It also removes malicious files that have been included into other files. Enabling Auto Cleanup is completely safe and effective. 

Still, some users forget to enable it, so the Imunify team looked for an additional way to neutralize infected files. 

Tighter Component Integration

To block malware even before it’s cleaned, we’ve integrated two Imunify360 components more tightly: Proactive Defense and Malware Scanner. These components can now “talk” to each other to a greater degree, which stops systems from accessing PHP malware that hasn’t yet been cleaned up. A malicious script that’s been included at runtime is deactivated automatically. 

Here’s how it works: 

  1. The list of detected malware is passed from Malware Scanner to Proactive Defense. 
  2. Proactive Defense uses that list to check the verdict on a script. 
  3. If a script is on the list, Proactive Defense prevents it from being executed. 

The same approach is used in the Web Application Firewall component to block access to malicious scripts that have not been scanned yet.

Further recommendations

We still recommend that infected files be neutralized by enabling the Auto Cleanup option. To enable it in the graphical interface, go to Settings → Malware → General → Default action on detect:


Then check Rapid scan:


And finally, select Weekly for Run scanning:


If you prefer, you can enable it using the command-line interface. The following commands will enable all required settings automatically:

imunify360-agent config update '{"MALWARE_SCANNING": {"rapid_scan": true}}'
imunify360-agent config update '{"MALWARE_SCANNING": {"default_action": "cleanup"}, "MALWARE_SCAN_SCHEDULE":{"interval": "week"}}'
imunify360-agent config update '{"MALWARE_SCANNING": {"enable_scan_inotify": true}}'

This new method of neutralizing infected files is included in Imunify360 version 4.6, so to get the tighter Malware Scanner/Proactive Defense integration, just install version 4.6.

To enable it, make sure that Proactive Defense is in KILL mode. To do this in the UI, just check the Kill Mode option:


To do it through the command-line interface, just use this command:

imunify360-agent config update '{"PROACTIVE_DEFENCE": {"mode": "KILL"}}'
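As an added example (not Imunify's own code), here is a small Python check that compares a config document, assumed to be the JSON printed by `imunify360-agent config show --json`, against the settings this post enables and prints the single `config update` command that closes the gaps. The sample config, and the `LOG_ONLY` and `none` values in it, are constructed for illustration.

```python
import json

# Settings this post turns on, as (section, key, required value); the keys
# and values are the ones used in the post's imunify360-agent commands.
REQUIRED = [
    ("MALWARE_SCANNING", "rapid_scan", True),
    ("MALWARE_SCANNING", "default_action", "cleanup"),
    ("MALWARE_SCANNING", "enable_scan_inotify", True),
    ("MALWARE_SCAN_SCHEDULE", "interval", "week"),
    ("PROACTIVE_DEFENCE", "mode", "KILL"),
]

def missing_settings(config):
    """Return (section, key, expected, actual) for every required setting
    that is absent or differs. `config` is assumed to have the shape of
    `imunify360-agent config show --json`: top-level sections mapping to
    key/value dicts."""
    gaps = []
    for section, key, want in REQUIRED:
        have = config.get(section, {}).get(key)
        if have != want:
            gaps.append((section, key, want, have))
    return gaps

def update_payload(gaps):
    """Merge the fixes for all gaps into one JSON document, usable as the
    argument of `imunify360-agent config update '<payload>'`."""
    payload = {}
    for section, key, want, _ in gaps:
        payload.setdefault(section, {})[key] = want
    return json.dumps(payload, sort_keys=True)

# Constructed sample: scanning was already tuned, but the weekly schedule was
# never set and Proactive Defense is still in LOG_ONLY rather than KILL mode.
SAMPLE_CONFIG = {
    "MALWARE_SCANNING": {"rapid_scan": True, "default_action": "cleanup",
                         "enable_scan_inotify": True},
    "MALWARE_SCAN_SCHEDULE": {"interval": "none"},
    "PROACTIVE_DEFENCE": {"mode": "LOG_ONLY"},
}

if __name__ == "__main__":
    gaps = missing_settings(SAMPLE_CONFIG)
    for section, key, want, have in gaps:
        print(f"{section}.{key}: expected {want!r}, found {have!r}")
    if gaps:
        print("imunify360-agent config update '%s'" % update_payload(gaps))
```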

Please stay in touch

The Imunify product team would like to hear from you. To share your ideas, observations, and feature requests, please send them to us at feedback@cloudlinux.com.

If you have questions on how to use Imunify360, or you’d like to resolve a support issue, please contact the Imunify support team at cloudlinux.zendesk.com.


Topics: Imunify360, Antivirus, Advice, ProactiveDefence

Written by Greg Zemskov

Imunify Security, Product Manager