Imunify360 Blog

Enabling Real-Time Scanning In Imunify360

Written by Dmitry Tkachuk | Apr 22, 2020 11:09:26 AM

 

If you’re running Imunify360 on your servers, you should enable real-time scanning. Why and how should you do that? Find out below. 

A Second Line Of Defense

In Imunify360, the Web Application Firewall, the Proactive Defense module, and the other components are interconnected. They use information gathered from each other to perform better than they would on their own. This provides excellent protection, but vulnerabilities still remain. For example: 

  • A malicious query is encrypted, then sent from an IP address with a good reputation. The firewall can’t distinguish it from a legitimate query.
  • An attacker exploits a 0-day vulnerability for which protection rules don’t yet exist. The attack looks like a regular web application query.

What prevents attacks like these from succeeding is Imunify’s second line of defense: its Malware Scanner component. 

When an attacker successfully uploads malicious code, Linux Malware Scanner detects it and cleans it. The key to making this effective is to make sure there’s little or no time lag between the malware being uploaded and the malware being detected. That’s where real-time scanning comes in. 

 

Enabling Real-Time Scanning

Real-time scanning runs the Malware Scanner immediately when a new file or file modification is detected. It can also be integrated with ModSecurity to immediately scan files uploaded via FTP, which prevents malicious code from even being uploaded. 

To do this, go to the Settings section and click the Malware tab: 

 

 

Then, in the General section, enable the following options:

 

Automatically scan all modified files


This enables a real-time scan that watches for file changes in the users’ home folders, then runs Malware Scanner as soon as a new or modified file is detected.

Automatically scan any file uploaded using web

This performs a malware scan on each file uploaded using HTTP(S).

Automatically scan any file uploaded using ftp

This performs a malware scan on each file uploaded using FTP.

You can also activate real-time scanning via the CLI by running this command: 

imunify360-agent config update '{"MALWARE_SCANNING": {"enable_scan_inotify": true, "enable_scan_modsec": true, "enable_scan_pure_ftpd": true}}'

By enabling these three options, you strengthen your web server security, leaving attackers no time to hack into your web server environment.
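
To check that the three options are actually on across several servers, the added example below (not part of the original post and not Imunify360 code) audits a JSON dump of each server's configuration and builds a `config update` command for only the flags that are off. It assumes the dump has the same structure as the payload in the command above; the host names, the sample dumps, and the key-to-option mapping (inferred from the key names and the order on this page) are constructed for illustration.

```python
import json
import shlex

# Keys from the `config update` command on this page; labels are the UI options
# they appear to back (mapping inferred from key names and order, an assumption).
REALTIME_KEYS = {
    "enable_scan_inotify": "Automatically scan all modified files",
    "enable_scan_modsec": "Automatically scan any file uploaded using web",
    "enable_scan_pure_ftpd": "Automatically scan any file uploaded using ftp",
}

def audit_realtime(config_json):
    """Return {key: reason} for every real-time flag that is not strictly true."""
    config = json.loads(config_json)
    section = config.get("MALWARE_SCANNING") if isinstance(config, dict) else None
    if not isinstance(section, dict):
        section = {}  # a missing or malformed section means nothing is enabled
    gaps = {}
    for key in REALTIME_KEYS:
        if key not in section:
            gaps[key] = "missing"
        elif section[key] is not True:
            # Conservative: the string "true" or the number 1 is reported too.
            gaps[key] = f"set to {section[key]!r}"
    return gaps

def remediation_command(gaps):
    """Build a config update command that touches only the flags found off."""
    if not gaps:
        return None
    payload = {"MALWARE_SCANNING": {key: True for key in gaps}}
    return "imunify360-agent config update " + shlex.quote(json.dumps(payload))

# Constructed sample dumps, one per hypothetical host.
SAMPLE_EXPORTS = {
    "web01.example.test": '{"MALWARE_SCANNING": {"enable_scan_inotify": true, '
                          '"enable_scan_modsec": true, "enable_scan_pure_ftpd": true}}',
    "web02.example.test": '{"MALWARE_SCANNING": {"enable_scan_inotify": true, '
                          '"enable_scan_modsec": false}}',
    "web03.example.test": '{"MALWARE_SCANNING": {"enable_scan_inotify": "true"}}',
}

if __name__ == "__main__":
    for host, export in SAMPLE_EXPORTS.items():
        gaps = audit_realtime(export)
        for key, reason in gaps.items():
            print(f"{host}: {REALTIME_KEYS[key]!r} ({key}) is {reason}")
        print(f"{host}: {remediation_command(gaps) or 'real-time scanning fully enabled'}")
```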

 

Real-Time Scanning Delivers Results

 

Our data show that Imunify360 users who enable real-time scanning see far fewer infections than those who don’t use it. Here is a chart illustrating these data: 

 

The chart above shows that servers with “automatically scan all modified files” enabled had around half as many infections as those without it. 

What’s more, these infections were much less damaging: malware was detected and removed before it could be used to resell access to the server on the black market, or upload another malicious payload.

 

Please Share Your Feedback

The Imunify product team would like to hear from you. To share your ideas, observations, and feature requests about the Malware Scanner module, please send them to us at feedback@cloudlinux.com.

If you have questions on how to use Imunify360, or you’d like to resolve a support issue, please contact the Imunify support team at cloudlinux.zendesk.com.