Imunify360 is the name of the software we use to protect our clients from attacks and malicious code. It’s included in all web hosting accounts, our Agency services and on all newer Managed Servers. If you have a Managed Server today and lack Imunify360, please contact us if you want to have it installed.
In this article we’ll go through the various parts and features of Imunify360, so you’ll know what’s going on and how to adjust it to work as you wish.
Accessing Imunify360
To access Imunify360, begin by logging on to cPanel. Then find the Imunify360 icon under Security.
You will now end up in the Imunify360 interface. At the top there is a menu, whose parts we’ll now go through:
Files
Scan for malicious files
Here you’ll see a list of all files Imunify360 has identified as harmful. These may be either malicious files or legitimate files that have been injected with malicious code.
Imunify360 will automatically scan through your web hosting account, looking for harmful files, once per week. If it finds something, it’ll end up in the list on this page. By default, it’ll also try to remove the malicious code. If you don’t want Imunify360 to delete code automatically, you can change this in the settings.
You may also start a manual scan by clicking the Start scanning button at the top right.
You will now be asked to confirm that you want Imunify360 to scan your account. Click Yes, start scan to begin.
A green confirmation popup will be shown, telling you that your scan has been added to the queue and will start as soon as possible.
Results after a scan for malicious files
The results of an automatic or a manual scan will be shown in the table further down the page.
The columns mean the following:
- Scan date: The date when the file was found.
- File: The path to the infected file.
- Reason: Why the file has been flagged as malicious. This field may be hard to interpret, but if you want to learn more about it, please refer to this page. Long story short, INJ means that the file has been injected with harmful code and SA means that the file itself is malicious.
- Status:
  - Infected: The file is currently infected.
  - Cleaned: Imunify360 has automatically removed malicious code from the file.
  - Quarantined: The file has been moved into quarantine.
  - Content removed: The file’s content was believed to be harmful and has been removed.
  - Cleanup in progress: The harmful content of the file is currently being deleted.
- Actions:
  - Add to Ignore List: Ignore this file. This means that the file will be removed from the list and will be excluded from future Imunify360 scans.
  - Delete permanently: Remove the file permanently.
  - View file: Show the file’s content. If it’s a large file, only the first 100Kb will be shown.
  - Move to quarantine: Move the file into quarantine.
  - Cleanup file: Remove harmful code from the file.
  - Restore from quarantine: Restore a file that has previously been moved to quarantine.
  - Restore original file: Restore the file as it was before the malicious code was removed. Only doable within 14 days after the original file was removed. If more time has passed, you need to restore the file from backup manually.
History
Under History, all actions Imunify360 has taken in the past will be shown. For example, if a malicious file is deleted, it’ll be shown as Cleaned under Event.
If you click on the path to a file, you’ll see all events for that specific file. You may also click an event to see all events of that kind.
Ignore list
If you choose to ignore a file, as we described above, the file will show up in the table here.
You may also manually add files that should be ignored by clicking Add new file or directory. You need to enter the full path to the file or folder. This is a nice feature if your website distributes legitimate files that are for some reason recognised as harmful. One such example is if the files contain encrypted source code.
If you want to remove a file from the ignore list, just click the trashcan icon to the right of the file.
Proactive Defense
Proactive Defense is a feature that focuses on what happens on your account, instead of focusing on file content. Currently, Imunify360 only checks what PHP scripts running on your account are trying to do. If Imunify360 recognises that a PHP script is doing something it shouldn’t, it will by default kill its process.
You can tell Imunify360 how to react upon discovering suspicious scripts under Mode settings.
- Disabled: Proactive Defense is disabled and will do nothing.
- Log only: No processes will be killed; Proactive Defense will only log what it found under Detected Events.
- Kill Mode: The process will be killed as soon as suspicious behaviour is detected.
Below Mode settings, you’ll find the Proactive Defense log:
Here, the following information will be shown:
- Detection Date/Time: When the activity was logged by Proactive Defense.
- Description: A description of what has been logged. Will often mention Blamer detection.
- Script Path: The path to the script that triggered Proactive Defense.
- First script call from: From what IP address the script was called/started.
- Action: What Proactive Defense did. If Kill Mode is activated as described above, it’ll say KILL here. If the mode Log only is selected, you’ll see LOGGED here instead.
- Actions: By clicking the eye icon, you’ll see more information about the logged activity:
At the top, you’ll see three buttons:
- Ignore detected rule for this file: Tell Proactive Defense to ignore the rule that triggered an action for this file.
- Ignore all rules for this file: Tell Proactive Defense to ignore all rules for this file.
- View file content: Show the content of the file.
Settings
Click the gear icon at the far right of the Imunify360 menu to access its settings.
- Malware
  - Default action on detect: Instructs Imunify360 what to do upon detection of a harmful file.
    - Delete permanently: Remove the file permanently.
    - Quarantine file: Move the file into quarantine.
    - Just display in dashboard: Just display the file under Files.
    - Cleanup: Automatically remove malicious code from the file.
    - Cleanup, Quarantine as fallback: The same as above, but move the file into quarantine if the malicious code cannot be removed for some reason.
- Proactive Defense
  - Enable blamer: Report suspicious behaviour observed in PHP scripts to CloudLinux so they can make Imunify360 even better.