Problem with websites cleanup

This topic explains how to resolve the issue with one-click automatic cleanup in version 2.0-x.

Issue description

When a server administrator purchases the license and tries to clean up malware within 24 hours of the purchase, they get the error “Failed to remove malware…”.

Root cause

The background process is restarted every 24 hours and updates the license information on restart, so until the next restart it keeps the old license type.

Resolution

The administrator needs to restart the background process. There are several ways to do this:

  • Wait for 24 hours, or
  • Change the “Max working threads” value under the Settings tab and save the settings, or
  • Re-install ImunifyAV, or
  • Kill the process named “ra_executor.php”; it will be restarted in a couple of minutes:
    kill -9 $(ps aux | grep '[r]a_exec' | awk '{print $2}')
    (the bracketed pattern keeps grep from matching its own process, so only the antivirus process is killed)

All these actions will restart the background process of antivirus and reload the license.

This issue will be fixed in the upcoming release. We’re already working on it.

Explanation: how the antivirus removes malware

ImunifyAV works as a regular antivirus: while scanning it looks for malicious pieces of code in the files of a website and lists the infected files in the report when the scan finishes. If the user chooses to clean up the malware, the antivirus either removes the malicious injection from the file or removes the entire file, depending on the detected threat.

If the entire file is a web shell, doorway or some other type of malicious file, the antivirus removes it entirely. If there is only a small injection at the beginning, at the end or somewhere in the middle of the file, exactly that malicious piece of code is removed and the rest of the content is left unchanged. In general the antivirus removes the malware and keeps the website up and running.

There is an option in the settings which defines whether such a file is removed or just truncated (the content of the file is completely removed, but the file itself is left on the file system empty, with zero length).

Truncation is safer than removal: if the file is included by a database template, some other system file or a config file, the website might break after a cleanup. Therefore the antivirus uses the safer cleanup by default to keep the website working properly. You can disable this option in the Settings so that the antivirus removes the file completely when the entire file is malware.
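The three cleanup outcomes described above (cut out an injection, trim a fully malicious file to zero length, or delete it) together with the backup copy that makes “Undo” possible, as an added illustration. This is not ImunifyAV's code; it is a self-contained Python sketch in which the malware “signature” is a constructed marker string (MARKER) and the backup folder layout is an assumption made for the example.

```python
import os
import shutil
import tempfile

# Constructed stand-in for a malware signature; a real scanner keeps a
# database of such patterns. Assumption for this example: exact-match only.
MARKER = "/* CONSTRUCTED_MALWARE_MARKER */"


def backup(path, backup_dir):
    """Copy the original file aside so the cleanup can be undone later."""
    os.makedirs(backup_dir, exist_ok=True)
    dest = os.path.join(backup_dir, os.path.basename(path) + ".bak")
    shutil.copy2(path, dest)
    return dest


def clean_file(path, backup_dir, trim_instead_of_delete=True):
    """Apply the cleanup policy to one file.

    Returns 'clean', 'injection_removed', 'trimmed' or 'deleted'.
    """
    with open(path, encoding="utf-8", errors="replace") as fh:
        content = fh.read()
    if MARKER not in content:
        return "clean"

    backup(path, backup_dir)  # always keep a copy for "Undo"
    remainder = content.replace(MARKER, "")
    if remainder.strip():
        # Legitimate content surrounds the injection: cut out only the
        # malicious piece and leave the rest of the file untouched.
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(remainder)
        return "injection_removed"

    # Nothing but malware in the file: the entire file is the threat.
    if trim_instead_of_delete:
        # Safer default: keep the path but drop the content (zero-length
        # file), so includes/config references to it do not break the site.
        open(path, "w", encoding="utf-8").close()
        return "trimmed"
    os.remove(path)
    return "deleted"


def undo(path, backup_dir):
    """Restore a file from its backup copy."""
    shutil.copy2(os.path.join(backup_dir, os.path.basename(path) + ".bak"), path)


def demo():
    """Run the three outcomes on constructed sample files and report them."""
    root = tempfile.mkdtemp(prefix="cleanup-demo-")
    backups = os.path.join(root, "backups")
    legit = "<?php echo 'site'; ?>\n"

    injected = os.path.join(root, "index.php")   # legitimate file + injection
    whole_a = os.path.join(root, "shell_a.php")  # entire file is malware
    whole_b = os.path.join(root, "shell_b.php")  # entire file is malware
    with open(injected, "w", encoding="utf-8") as fh:
        fh.write(MARKER + "\n" + legit)
    for p in (whole_a, whole_b):
        with open(p, "w", encoding="utf-8") as fh:
            fh.write(MARKER + "\n")

    results = {
        "index.php": clean_file(injected, backups),
        "shell_a.php": clean_file(whole_a, backups, trim_instead_of_delete=True),
        "shell_b.php": clean_file(whole_b, backups, trim_instead_of_delete=False),
    }
    with open(injected, encoding="utf-8") as fh:
        results["index_after"] = fh.read()
    results["shell_a_size"] = os.path.getsize(whole_a)
    results["shell_b_exists"] = os.path.exists(whole_b)

    undo(injected, backups)  # "Undo" brings the original content back
    with open(injected, encoding="utf-8") as fh:
        results["index_restored"] = fh.read() == MARKER + "\n" + legit
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The backup is taken before any modification, which is what makes the “Undo” button in the product's workflow possible; the trim branch is the default precisely because a missing file breaks any include or config reference, while an empty one usually does not.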

Explaining the “Settings” tab

  • “Quick Scan” mode
    It configures the antivirus to check critical files only: ph*, js, htm*, .htaccess, txt, tpl and some others. It will not scan media files (.png, .jpg, …), documents (.docx, .xlsx, .pdf, …) and some other types. This helps to reduce server load and increases scanning speed dramatically.
  • “Skip images and other media files”
    It configures the antivirus to check all files except media files and documents. This also helps to reduce server load and increases scanning speed dramatically. The difference from the previous option is that with “Skip images…” enabled the antivirus scans unknown extensions, whereas “Quick Scan” skips them.
  • “Optimize scanning by speed”
    It configures the antivirus to use an “intelligent mode” while scanning cache folders. It scans files from cache folders selectively, which sometimes speeds up the scanning process dramatically with the same level of malware detection.
  • “Max working threads”
    It specifies the number of concurrent scanning threads, i.e. how many websites are scanned or cleaned concurrently. By default it is limited to half the number of CPU cores. So if your server has 8 cores, the antivirus allows you to configure at most 4 concurrent threads. You can set it to 1 or 2 just to reduce server load during the scanning process.
  • “Scheduled rescanning”
    It configures the interval of automatic website rescanning: once a day, once a week, once a month or never. We recommend setting it to “Daily” to be notified ASAP about any security issues.
    This option is available in the Premium version of the antivirus.
  • “Max allocated memory…”
    It configures how much memory a single scanning process is allowed to use. If some websites fail to scan, try increasing this value. It is limited to 1 GB.
  • “Number of days to keep…”
    It configures how long the antivirus keeps backup versions of cleaned files. During this period you can restore these files using the “Undo” button.
  • “Trim malicious files instead of deleting it”
    It configures the antivirus not to delete files when malware is detected but to trim them instead, so the file has zero length but is kept in the file system. If you are 100% sure that none of the detected malicious files are included by other files or the database, you can uncheck this option and run “Cleanup”.
  • “Update antivirus database automatically”
    It configures the antivirus to update the malware database automatically every day. We recommend enabling this option.
  • “Email admin on website infection”
    It configures the antivirus to send an email notification after scheduled scanning if websites are infected or blacklisted.
    This option is available in the Premium version of the antivirus.
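The difference between “Quick Scan” (an allow-list of critical types, unknown extensions skipped) and “Skip images and other media files” (a deny-list, unknown extensions scanned) is easy to get wrong when tuning a server, so here is an added Python sketch of the file-selection rule. It is not the extension's own code; the extension patterns and media list are reconstructed from the descriptions above (the real lists are longer, per “and some others”) and the sample file listing is constructed.

```python
import fnmatch
import os

# Reconstructed from the settings descriptions; treat both lists as assumptions.
QUICK_SCAN_PATTERNS = ["ph*", "js", "htm*", "htaccess", "txt", "tpl"]
MEDIA_AND_DOCS = {"png", "jpg", "jpeg", "gif", "bmp", "tiff", "avi", "mpg",
                  "mov", "docx", "xlsx", "pptx", "pdf"}


def extension(path):
    """Lower-case extension without the dot; '.htaccess' -> 'htaccess'."""
    name = os.path.basename(path)
    if name.startswith(".") and name.count(".") == 1:
        return name[1:].lower()
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def should_scan(path, quick_scan=True, skip_media=False):
    """Decide whether one file is scanned under the given settings."""
    ext = extension(path)
    if quick_scan:
        # Allow-list: only critical types; an unknown extension is skipped.
        return any(fnmatch.fnmatch(ext, pat) for pat in QUICK_SCAN_PATTERNS)
    if skip_media:
        # Deny-list: everything except media/documents, unknown types included.
        return ext not in MEDIA_AND_DOCS
    return True  # full scan


def select(paths, **settings):
    """Return the subset of paths the scanner would read under these settings."""
    return [p for p in paths if should_scan(p, **settings)]


# Constructed sample listing of one site's files (not real data).
SAMPLE = ["index.php", "theme.tpl", ".htaccess", "app.js", "logo.png",
          "brochure.pdf", "cache.dat", "archive.bin"]

if __name__ == "__main__":
    print("Quick Scan:      ", select(SAMPLE, quick_scan=True))
    print("Skip media only: ", select(SAMPLE, quick_scan=False, skip_media=True))
    print("Full scan:       ", select(SAMPLE, quick_scan=False, skip_media=False))
```

Run it and the two settings differ only on cache.dat and archive.bin: Quick Scan drops them because they are not on the allow-list, while the media deny-list lets them through. That is exactly the gap to keep in mind when an infection hides under an unusual extension.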

Extension diagnostics

If you are experiencing unusual behavior or have run into issues, we would appreciate it if you could send details for analysis to plesk-support@revisium.com:

  1. Screenshots of the issue (e.g. screenshot before action and the result)
  2. Steps to reproduce if possible: how we could repeat the actions to see the issue
  3. The following files for analysis:
    • /usr/local/psa/admin/logs/panel.log – Plesk panel debug log (see below for how to collect it)
    • /usr/local/psa/var/modules/revisium-antivirus/ra.db (antivirus database)
    • /usr/local/psa/var/modules/revisium-antivirus/ra_cache.db (antivirus database cache)
    • /usr/local/psa/var/modules/revisium-antivirus/revisium-antivirus-local.log (antivirus log)

How to collect plesk debug log

Open plesk config file /usr/local/psa/admin/conf/panel.ini and add the following lines

[log]
filter.priority=7

It may look like this:

If you do not have the file /usr/local/psa/admin/conf/panel.ini, just create empty one and add the lines as described above.

After that, reproduce the issue and send us the packed (zipped) log located at /usr/local/psa/admin/logs/panel.log.

If the log is huge (greater than 50 MB), you can obtain the last 15000 lines using the command

tail -15000 /usr/local/psa/admin/logs/panel.log > debug_log.txt

then zip the file debug_log.txt and send us the resulting debug_log.zip.

After that, remove the lines from panel.ini

[log]
filter.priority=7

or change the value back to the default one (usually filter.priority=3).

How to activate a license key (for paid versions)

Once you have paid for the Premium version of the antivirus in the Plesk Extension directory, you receive a confirmation mail with details and an activation link. If you have already followed those steps and still do not have the Premium version, try manual activation:

  1. Log in to the Plesk panel as Administrator and go to Tools & Settings -> License Management.
  2. Click “Retrieve Keys”.
  3. You will see a screen like the one below.
  4. Ensure that you have a license for ext-revisium-antivirus under the “Additional License Keys” tab.
  5. Congrats! Now you are ready to use the Premium version of ImunifyAV (ex. Revisium Antivirus). Check the About tab to ensure that the Premium version is enabled.

In case of any issues with purchasing or activating extension contact Plesk Support at plesk-extensions@plesk.com.

Does ImunifyAV protect websites?

ImunifyAV (ex. Revisium Antivirus) is a comprehensive malware detection and removal tool. Website protection is not a part of the antivirus.

ImunifyAV can effectively detect any type of website malware and remove it automatically using “one-click” cleanup, but it does not provide proactive protection from future hacks and web attacks. Therefore we strongly recommend hardening your websites after malware removal:

  • Update CMS version and update every plugin
  • Enable two-factor authentication for web hosting panel and CMS admin panel
  • Setup a Web Application Firewall or corresponding plugin for your CMS
  • Set new strong and random passwords for every account (FTP, SSH, ISP, Admin panel)
  • Isolate websites from each other under a single hosting account, or place them on different accounts, to prevent cross-contamination
  • For VPS admins: update OS and service components of your server, disable any unused services and components

Or order a professional website security service at Revisium.com which includes:

  • Manual expert malware check and cleanup
  • Blacklist removal service
  • Web Application Firewall installation
  • 6 months guarantee and support

Request the service at revisium.com.

Troubleshooting

1. I paid for the extension, but it is not yet Premium

If you purchased the license for Premium version and cannot activate the key, check this section.

2. I click the “Scan” button, but it doesn’t start scanning

When you click the “Scan” button it doesn’t start immediately, it queues the task to scan the website. You should see “Queued” status in the line. Once the server resources are available it starts scanning and displaying a progress.

3. The Antivirus doesn’t cleanup some of malicious files

Check the Malware Removal report to see the details. There might be the following reasons:

  • The malicious file or its folder is write-protected, so the antivirus cannot write to or delete it. Check this with the server administrator.
  • The malicious file was missing or not readable at the time of cleanup.
  • The malicious file is not in the cleanup database of the Antivirus. In this case you see the “Manual cleanup required” status next to the file. Please send it to us and we will check it and add it for automatic cleanup.

4. I scheduled the re-scanning for today but it does not start at specified time

Scheduled re-scanning of files starts at the specified time only if more than 24 hours have passed since the last scan of the website. So if you do not scan it manually, it will be checked the day after.

5. When I click the “Scan All” button the websites start scanning in random order

Order of websites scanning depends on two things:

  • selected order in the table
  • order of domains registration

For your convenience we would recommend sorting the table by “State” column. Just click it to reorder.

6. When I click “Scan” or “Clean” it fails

Please, follow the steps to gather information for analysis and send it to us.

Does the Antivirus check web pages or database for malware?

The current version of the Antivirus checks files in website folders but does not scan the database or website pages, so we would also recommend checking websites using the free online scanner ReScan.Pro. It will detect security issues which the Revisium Antivirus cannot detect.

For Server Admins

If you suspect that the server has been compromised, we recommend taking the following steps immediately:

  • change the root user credentials and disable SSH and FTP connections for other users until a comprehensive analysis of server security is done;
  • check the auth/security logs in /var/log for unauthorized connections;
  • scan /tmp, /var/tmp and the folders under /home or /var/www for malware using the free command-line malware scanner AI-BOLIT, and check them for unusual files such as Linux binaries and sources or perl/php scripts outside the document root folders;
  • check for suspicious (usually long-running) background processes in “top” / “htop” / “ps auxww”;
  • check for suspicious external connections in “netstat”.
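The third step above (unusual files in temp directories and scripts sitting outside any document root) is the one that is tedious to do by eye on a server with many sites, so here is an added Python triage helper for it. It is not AI-BOLIT and not part of ImunifyAV; it walks the given directories, flags files that start with the ELF magic bytes (Linux binaries) and script files whose path is not under a known document root, and the directory tree it runs on in demo() is constructed in a temporary folder. The script-extension list is an assumption for the example.

```python
import os
import shutil
import tempfile

# Assumed list of script types worth flagging outside a document root.
SCRIPT_EXT = {".php", ".phtml", ".pl", ".cgi", ".sh"}
ELF_MAGIC = b"\x7fELF"


def is_elf(path):
    """True if the file starts with the Linux executable (ELF) magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def inside(path, roots):
    """True if path lies under one of the absolute root directories."""
    return any(os.path.commonpath([path, r]) == r for r in roots)


def triage(search_dirs, doc_roots):
    """Walk search_dirs and return (kind, path) findings for review."""
    doc_roots = [os.path.abspath(r) for r in doc_roots]
    findings = []
    for d in search_dirs:
        for dirpath, _dirs, files in os.walk(d):
            for name in files:
                path = os.path.abspath(os.path.join(dirpath, name))
                ext = os.path.splitext(name)[1].lower()
                if is_elf(path):
                    # A compiled binary in /tmp or a web folder is rarely legitimate.
                    findings.append(("binary", path))
                elif ext in SCRIPT_EXT and not inside(path, doc_roots):
                    # Scripts belong under a site's document root, not beside it.
                    findings.append(("script_outside_docroot", path))
    return findings


def demo():
    """Build a constructed directory tree, triage it, and return the findings."""
    root = tempfile.mkdtemp(prefix="triage-demo-")

    def put(rel, data):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb" if isinstance(data, bytes) else "w") as fh:
            fh.write(data)

    put("tmp/.x", ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)   # hidden binary in /tmp
    put("tmp/notes.txt", "harmless text\n")                    # plain file, ignored
    put("home/site/httpdocs/index.php", "<?php echo 'site'; ?>\n")  # inside doc root
    put("home/site/cron.pl", "#!/usr/bin/perl\nprint 1;\n")    # script outside doc root
    put("var/www/vhosts/ok/index.php", "<?php echo 'ok'; ?>\n")    # inside doc root

    doc_roots = [os.path.join(root, "home/site/httpdocs"),
                 os.path.join(root, "var/www/vhosts/ok")]
    search = [os.path.join(root, d) for d in ("tmp", "home", "var/www")]
    found = triage(search, doc_roots)
    shutil.rmtree(root)
    return sorted((kind, os.path.relpath(p, root)) for kind, p in found)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:24s} {path}")
```

On a real server you would pass the actual vhost document roots and let the findings feed a manual review; the helper only points at candidates, it does not decide that a file is malicious.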

Or just order professional server security analysis and malware clean up service at Revisium.

What if the Antivirus has not detected some malicious files?

We do our best to keep the Antivirus database frequently updated and complete in order to detect as many threats as possible. Still, there is a small chance that some newly released malicious files are not yet in the database. There may also be other causes:

  1. Check if you’re using the latest version of the ImunifyAV (check for the extension updates)
  2. Check if you’re using the latest version of the Antivirus database (check it in the “About” tab)
  3. Check the current settings in the “Settings” tab. By default the Antivirus scans critical extensions only (php, js, html and some others). This gives better performance than scanning everything except the media files and documents, but malware may be located in those other files as well. So you may want to try the Antivirus in “full scan” mode by switching the scanning option.
  4. If you try everything above but the Antivirus still does not see the infected file, please, send us the file. We will analyse it and add to the Antivirus database for the next update.

If you found a malicious file which has not been detected by antivirus, please send it to us via https://drop.revisium.com

Thanks!

How to update the Antivirus?

In the “Settings” tab you can enable auto-update option of the Antivirus databases.

Another way to quickly update the A/V databases is to open the “About” tab and click “Update Databases”.

Also we recommend for server admins checking the ImunifyAV extension for a newer version just to keep the core files up-to-date.

How to speed up the Antivirus?

The Antivirus scanning performance mostly depends on server performance. But the default configuration of the Antivirus may not be optimal, so we recommend that server admins adjust the default settings for better performance. Just open the “Settings” tab and check the current parameters.

  • “Quick Scan” mode – if checked, the antivirus scans critical files only (php, js, html, htaccess, txt and some others). If you need to scan all files, uncheck the option.
  • Skip images and other media – if checked, it will skip jpg, png, gif, avi, mpg, mov, bmp, tiff, docx, xlsx, pptx, pdf and some others. If you need to scan all files, uncheck the option.
  • Optimize by speed – if checked, the antivirus does intelligent scanning of CMS cache folders to speed up the overall process. Uncheck the option for careful scanning.
  • Max working threads – how many websites are scanned simultaneously.

We strongly recommend that server admins managing servers with 4 or more CPU cores, or with lots of websites installed, change the “Max working threads” value.

Conversely, if you feel that the Antivirus consumes too many server resources, just decrease the “Max working threads” and “Max allocated memory…” parameters.


When antivirus has detected malware in the legitimate file

There is a small chance that you may run into so-called “false positives” while scanning websites for malware, i.e. the antivirus marks a legitimate file as malicious because the file contains some specific piece of code previously seen in malware.
Just send us the file and we will include it in the exceptions list of the Antivirus, so it will no longer show up in the report after the next antivirus update.

If antivirus has detected a file which is not malicious, please report a “false-positive” via https://drop.revisium.com (e.g. send the file via this service)

My websites are infected, what to do next?

First of all – keep calm and check the detailed report.

Click the “View Report” button next to the “red” mark and check the list of detected malware.

Depending on your expertise and experience in web development you may resolve it in different ways. Check the options below.

  • Option 1: In the Premium version of ImunifyAV you can click the “Clean Malware” button and it will remove the malware automatically. The Antivirus will keep your website up and running after the malware cleanup. It keeps the original files for the configured period of time (7 days by default) in its backup folder, so you can restore them via the “Undo” button next to the website.
    The cleanup report looks like this:

    So try the automatic one-button malware cleanup in the Premium version of ImunifyAV.

  • Option 2: If you are an experienced webmaster using the Free version of the Antivirus, you can manually check the files one by one in the Plesk File Explorer or in your favourite FTP software to make sure that the listed files are not legitimate and contain the malware. Then remove the malicious injections, or the entire file if it is malicious.
    We recommend creating a backup of the entire website before any changes, so that you can restore any changed file when needed.
  • Option 3: Another good option is to order the professional malware cleanup service, where security experts remove the viruses and protect your website from re-infection.
    We have been providing the professional cleanup service at Revisium for more than 7 years. See the following page for details.


My websites are clean, what to do next?

It is good to hear that everything in the report has “green” status.

Just follow the recommendations on websites security to keep them safe and secured. And do not forget to re-scan your websites on a regular basis.

If you are a server admin, we recommend scheduling re-scanning in the “Settings” tab so that the Antivirus checks websites for malware automatically at the selected interval. This option is available in the Premium version of the extension.

Quick Introduction for Users

To scan your websites for malware using ImunifyAV, all you need to do is click the “ImunifyAV” icon under the particular domain and then click the “Scan” button.

When you click the “Scan” button, the Antivirus queues a scanning task and runs it when server resources are available (it may start immediately or with some delay). The resources are configured by the server admin, so there might be a queue for the scanning process. The queue lets all users check their websites on demand without overloading the server. So if you see “Queued” in the status column, everything is OK: scanning will start as soon as the resources are available or another scan finishes.

Upon completion check the status. If the report shows a green icon, congrats, it usually means your website is not compromised and clean.

If you’ve noticed some “red alerts” next to the domain most likely it means the particular website is compromised and infected. Click the “View Report” button and see the details.

If you see some “orange alerts” next to the domain and “Domain blacklisted” notice it means the domain is blacklisted in either search engines or antivirus services. Click the “View Report” button to see blacklist status details.

Watch the quick demo on how it works:


Quick Introduction for Server Admins

In order to scan your websites for malware using the Revisium Antivirus all you need is to install the extension from Plesk Marketplace, open the “Domains” tab and click the “Scan All”.

It will queue tasks to scan a complete list of websites for viruses, backdoors, web-shells, hacker’s scripts, phishing pages and other malware and run the process of websites scanning depending on specified number of concurrent scanning threads (1, 2 or 4) in the Settings tab. Also it will check each domain for blacklist status in search engines and antivirus services.

Another option is to click the “Scan” button next to the particular website to check the single website for malware and blacklist status.

To prevent overloading server resources while scanning a set of websites, the antivirus extension queues the scanning tasks and runs them within the configured resource limits (“Max working threads” in the Settings tab).

Take into consideration that the default settings may not be optimal in terms of scanning speed, so we recommend checking the “Settings” tab before you start and adjusting the following parameters manually to set optimal values for better performance (or less server load).

Notice: “Max working threads” is limited to half the number of CPU cores on the server, so a server with 1 or 2 CPU cores gets one working thread at most.

When the scanning process is finished check infection statuses of your websites. If everything in the report is green, congrats! It usually means your websites are neither compromised nor infected and blacklisted.

If you’ve noticed some “red alerts” next to the domain most likely it means the particular website is compromised and infected. Click the “View Report” button and see the details.

If you see some “orange alerts” next to the domain and “Domain blacklisted” notice it means the domain is blacklisted in either search engines or antivirus services. Click the “View Report” button to see blacklist status details.

The detailed report shows you the list of detected malware and domain blacklist status.

Premium Version and Automatic Malware Cleanup

In the Premium version of the Antivirus you can clean the malware automatically using “Clean Malware” button.

Video

Watch the quick demo on how it works and then try it on your own.