Imunify360 - free for DirectAdmin

We are currently testing it on one of our servers. I don't have any real results yet, however I have seen possible improvements already (account stays marked as infected even if the last scan has no infections found, infections are not removed from the list if you delete the complete DirectAdmin account)
 
Would be good to see an alternative to ClamAV that's friendlier on memory usage.

Keep us updated on the results.... and the config alterations for Exim/etc
 
No configs have to be altered, ImunifyAV is a scan-only scanner and does not do realtime scanning on FTP uploads or email etc.

We did some testing today and it seems that after pressing the "scan-all" button the software is first building some kind of list of all files (we saw read IOPS going up at full speed, could be a potential load issue if you have to scan millions of files). After it was finished a PHP process was scanning all files based on an antivirus database. After the complete scan finished we had some strange behaviour in the results, therefore we submitted the following ticket, will post the answer once we have received it.

Issues:
- We started a scan for 7 accounts. Once finished the Users tab says 3 accounts have 2 threats each (see screenshot1.png). If we click on "2 threats" (or the view report icon) we are navigated to the Files tab. This screen says "no results found" (see screenshot2.png). If we navigate to the Files tab to see all malicious it does not show the 6 infections that were found (only 1 that we used earlier for testing, see screenshot3.png). Also the Scan tab says no malware found for all 7 accounts (see screenshot4.png). Why are the results not the same on each tab?

I checked the logging (/var/log/imunify360/console.log) and it says it found 2 infections:

INFO [2019-02-03 10:33:11,297] defence360agent.malwarelib.scan.queue: Scan finished for /home/<username>
INFO [2019-02-03 10:33:11,297] defence360agent.malwarelib.scan.queue: Scans pending: 4
INFO [2019-02-03 10:33:11,297] defence360agent.malwarelib.scan.scanner: Scan using original scheme
INFO [2019-02-03 10:33:11,383] defence360agent.internals.the_sink: MalwareScan:{'results': {'/home/<username>/domains/<domainname>/public_html/modules/fckeditor/fckeditor/editor/filemanager/connectors/uploadtest.html': {'size': 745, 'group': '<username>', 'owner': '<username>', 'gid': 1012, 'uid': 1007, 'hits': [{'matches': 'vulners.vuln_4d8968f8ef8a96ee46ca93d8c94b900c', 'suspicious': True, 'vendor': 'ai-bolit'}], 'hash': 'f3d95e9e6eb278d56159c97ef6db945c9f43d7ae3616181a61a1644bee831431'}, '/home/<username>/domains/<domainname>/public_html/modules/fckeditor/fckeditor/editor/filemanager/connectors/uploadtest.html.org': {'size': 5580, 'group': '<username>', 'owner': '<username>', 'gid': 1012, 'uid': 1007, 'hits': [{'matches': 'vulners.vuln_505f719b7494d9f5137d1bf9014ca990', 'suspicious': True, 'vendor': 'ai-bolit'}], 'hash': '2abe8da33f6c8121bdb4d328677bf93ef7d9d4b834390755b390bdb3d8b0db8c'}}, 'method': 'MALWARE_SCAN', 'summary': {'path': '/home/<username>', 'completed': 1549186391.2961297, 'started': 1549186361.2633567, 'total_files': 2729, 'scanid': '6e17f2df12e6473d82a3b15c208b94bb', 'by_vendor': {'clamav': {'time': 5.1021575927734375e-05, 'filesize': {'distribution': OrderedDict([(8, 335), (9, 454), (10, 336), (11, 468), (12, 332), (13, 167), (14, 265), (15, 205), (16, 24), (17, 98), (18, 12), (19, 3), (20, 13), (21, 1), (22, 5)]), 'distribution_humanreadable': OrderedDict([('256 Bytes', 335), ('512 Bytes', 454), ('1.0 kB', 336), ('2.0 kB', 468), ('4.1 kB', 332), ('8.2 kB', 167), ('16.4 kB', 265), ('32.8 kB', 205), ('65.5 kB', 24), ('131.1 kB', 98), ('262.1 kB', 12), ('524.3 kB', 3), ('1.0 MB', 13), ('2.1 MB', 1), ('4.2 MB', 5)]), 'total': 66339172, 'total_humanreadable': '66.3 MB'}}, 'heuristic': {'time': 0.9460999965667725, 'filesize': {'distribution': OrderedDict([(8, 335), (9, 454), (10, 336), (11, 468), (12, 332), (13, 167), (14, 265), (15, 205), (16, 24), (17, 98), (18, 12), (19, 3), (20, 13), (21, 1), (22, 5)]), 'distribution_humanreadable': 
OrderedDict([('256 Bytes', 335), ('512 Bytes', 454), ('1.0 kB', 336), ('2.0 kB', 468), ('4.1 kB', 332), ('8.2 kB', 167), ('16.4 kB', 265), ('32.8 kB', 205), ('65.5 kB', 24), ('131.1 kB', 98), ('262.1 kB', 12), ('524.3 kB', 3), ('1.0 MB', 13), ('2.1 MB', 1), ('4.2 MB', 5)]), 'total': 66339172, 'total_humanreadable': '66.3 MB'}}, 'cloudlinux-hash-filter': {'time': 3.7077841758728027, 'filesize': {'distribution': OrderedDict([(8, 346), (9, 454), (10, 336), (11, 468), (12, 332), (13, 167), (14, 265), (15, 205), (16, 24), (17, 98), (18, 12), (19, 3), (20, 13), (21, 1), (22, 5)]), 'distribution_humanreadable': OrderedDict([('256 Bytes', 346), ('512 Bytes', 454), ('1.0 kB', 336), ('2.0 kB', 468), ('4.1 kB', 332), ('8.2 kB', 167), ('16.4 kB', 265), ('32.8 kB', 205), ('65.5 kB', 24), ('131.1 kB', 98), ('262.1 kB', 12), ('524.3 kB', 3), ('1.0 MB', 13), ('2.1 MB', 1), ('4.2 MB', 5)]), 'total': 66340950, 'total_humanreadable': '66.3 MB'}}, 'ai-bolit': {'time': 24.76070761680603, 'filesize': {'distribution': OrderedDict([(8, 335), (9, 454), (10, 336), (11, 468), (12, 332), (13, 167), (14, 265), (15, 205), (16, 24), (17, 98), (18, 12), (19, 3), (20, 13), (21, 1), (22, 5)]), 'distribution_humanreadable': OrderedDict([('256 Bytes', 335), ('512 Bytes', 454), ('1.0 kB', 336), ('2.0 kB', 468), ('4.1 kB', 332), ('8.2 kB', 167), ('16.4 kB', 265), ('32.8 kB', 205), ('65.5 kB', 24), ('131.1 kB', 98), ('262.1 kB', 12), ('524.3 kB', 3), ('1.0 MB', 13), ('2.1 MB', 1), ('4.2 MB', 5)]), 'total': 66339172, 'total_humanreadable': '66.3 MB'}}}, 'type': 'on-demand'}}

- The Files tab (screenshot3.png) shows 1 infection, however this DirectAdmin account was deleted 6 days ago. Why is this infection still shown?

- For testing purposes we created an account, installed WordPress, scanned the account (0 infections), placed 1 infected file in the account, scanned the account again and the infection was found. We then deleted that file, rescanned the account and 0 infections found. However the Files tab still says 1 infection found and shows the deleted file and even says it is infected, even while the file was deleted already AND the account was re-scanned and found to be clean (so the scanner should be aware that the file is cleaned-up).
 

Attachments

  • screenshot1.png
  • screenshot2.png
  • screenshot3.png
  • screenshot4.png
  • screenshot5.png
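
The manual cross-check against /var/log/imunify360/console.log described in the post above, as an added example (not part of the original post and not Imunify360 code): it pulls the per-file hits out of `MalwareScan:` lines so they can be compared with the counts shown on each tab. The line layout is assumed from the excerpt quoted in the post, the sample log is constructed with placeholder values, and the payload is parsed with a restricted AST walker instead of `eval()` because the file names inside it are user-controlled.

```python
import ast
from collections import OrderedDict

# Constructed sample shaped like the post's MalwareScan line (placeholder values).
SAMPLE_LOG = (
    "INFO [2019-02-03 10:33:11,297] defence360agent.malwarelib.scan.queue: "
    "Scan finished for /home/user1\n"
    "INFO [2019-02-03 10:33:11,383] defence360agent.internals.the_sink: "
    "MalwareScan:{'results': {'/home/user1/public_html/up.html': {'hits': "
    "[{'matches': 'example.sig_a', 'suspicious': True, 'vendor': 'ai-bolit'}], "
    "'hash': 'PLACEHOLDER_1'}, '/home/user1/public_html/up.html.org': {'hits': "
    "[{'matches': 'example.sig_b', 'suspicious': True, 'vendor': 'ai-bolit'}], "
    "'hash': 'PLACEHOLDER_2'}}, 'method': 'MALWARE_SCAN', 'summary': "
    "{'path': '/home/user1', 'total_files': 2729, 'by_vendor': {'clamav': "
    "{'filesize': {'distribution': OrderedDict([(8, 335), (9, 454)])}}}, "
    "'type': 'on-demand'}}\n"
)
MARKER = "defence360agent.internals.the_sink: MalwareScan:"

def _literal(node):
    """Evaluate a repr AST: literals, containers and OrderedDict([...]) only."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Dict):
        return {_literal(k): _literal(v) for k, v in zip(node.keys, node.values)}
    if isinstance(node, (ast.List, ast.Tuple)):
        items = [_literal(e) for e in node.elts]
        return items if isinstance(node, ast.List) else tuple(items)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and not node.keywords
            and node.func.id == "OrderedDict" and len(node.args) == 1):
        return OrderedDict(_literal(node.args[0]))
    raise ValueError(f"unexpected syntax in log payload: {type(node).__name__}")

def hits_per_scan(log_text):
    """Map each scanned path to its sorted (file, vendor, signature) hits."""
    found = {}
    for line in log_text.splitlines():
        _, sep, payload = line.partition(MARKER)
        if not sep:
            continue
        try:
            report = _literal(ast.parse(payload.strip(), mode="eval").body)
            found[report["summary"]["path"]] = sorted(
                (name, hit["vendor"], hit["matches"])
                for name, info in report["results"].items()
                for hit in info["hits"])
        except (SyntaxError, ValueError, KeyError, TypeError):
            continue  # truncated or unexpected line: skip rather than guess
    return found
```
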
Got some fast replies from their support:
- The first issue with the inconsistent counting was already fixed in their beta, installed the beta and confirmed it.
- Other items including an additional feature request were sent to their developers.
 
the software is first building some kind of list of all files (we saw read IOPS going up at full speed, could be a potential load issue if you have to scan millions of files). After it was finished a PHP process was scanning all files based on an antivirus database.

I believe all scanners do that... maldet and clamav do the same.

I wonder how competitive they are at scanning the same amount of files:

- maldet without clamav as a backend (maldet configured with/without malware.expert virus definitions)
- maldet with clamav as a backend (clamav configured with/without malware.expert virus definitions)
- Imunify360

How much malware did they find under the users' homedir (presuming you know where malware is located)?

Is it possible for you to test?
 