FAQ
by Team Sansec
Published in Guides
For problems & solutions running eComscan, see troubleshooting.
Can I use my eComscan license to scan staging/development servers?
Yes, you are allowed to use your license key on any store that shares the same primary domain name.
How does eComscan compare to free Magento security scans?
While we are proud that Adobe has incorporated Sansec technology in its free Magento Security Scan, free scans have limited coverage. By their very nature, they can only scan publicly available assets (Javascript). However, most malware (65%) is hidden on the server in PHP code, databases or system processes. Or malware is hidden deep in your checkout flow, where a public scanner cannot go.
To cover the full attack surface, you need a white-box solution such as eComscan. Because it runs on your servers, it is able to inspect all components that are relevant to your transaction flow.
Second, the Magento Security Scan only scans for issues in the core Magento application. However, most stores are getting hacked through third party components ("extensions" or "modules"), so you need a scanner that will alert you to vulnerabilities in those components as well. eComscan is the only security solution in the world that tracks these vulnerabilities.
eComscan | free scans | |
---|---|---|
Scans Javascript | ✔ | ✔ |
Scans PHP code | ✔ | ✗ |
Scans databases | ✔ | ✗ |
Scans extensions | ✔ | ✗ |
Slack alerts | ✔ | ✗ |
Expert support | ✔ | ✗ |
Frequency | continuous | daily |
Can I use eComscan to scan multiple stores?
Standard eComscan licenses allow scanning and monitoring of a single store installation only. There are some exceptions:
- You may always scan staging and development copies that belong to the same store, without requiring an additional license.
- If you are an agency or service provider, we offer attractive volume pricing so you can protect all of your customers.
Does eComscan run along New Relic?
Absolutely, they do not affect each others functioning. Many of our customers use New Relic.
Does eComscan run along Fastly?
99% of eComscan checks are performed server-side and do not interact with Fastly servers. However, some checks, such as "exposed backup archives", require access to the public facing site. These requests are typically not blocked by the Fastly WAF, unless the public IP of the web server is blocked by Fastly for some other reason. You can run eComscan manually with the --verbose
flag the first time to verify whether this is the case.
The eComscan report does not show malware locations?
The free version of eComscan shows whether any malware was found in files, memory or in the database. The paid version of eComscan produces a detailed report, including locations, code snippets and detection patterns. Order a license here.
How does eComscan affect server load and resources?
eComscan was designed to run transparently on any eCommerce server. eComscan runs at the lowest CPU & disk priority. This means that eComscan only uses idle capacity, so it does not affect the performance of your store. This is true for "scrutinize" mode (--deep
) as well. eComscan will use at most 200MB of memory, which is a tiny fraction of the capacity of a typical eCommerce server.
Are you running a cluster setup with network (NFS) storage (for example, for the media folder)? See our Advanced Scanning section for possible optimizations.
How do I set up monitoring for multiple e-mail addresses?
You can set up eComscan to send its reports to multiple e-mail addresses by adding the e-mails to a --report
or --monitor
flag, seperated by only a comma. Be sure to not add any spaces between the comma's: ecomscan --monitor [email protected],[email protected],[email protected]
.
How do I scan multiple folders / storefronts?
Some providers, such as Nexcess, advice to set up different root folders per storefront using symlinks. The best way to scan them all, is to scan the parent folder (ie, your home directory). See also our instructions for scanning cluster environments.
Do I still need a WAF if I use eComscan?
eComscan does not provide WAF-like functionality, and we recommend our customers to use one. As there are no Magento-optimized WAF services available today, any WAF will do (such as Cloudflare, Incapsula).
eComscan does help you find vulnerabilities in your store, before attackers even try to exploit them. So eComscan helps to prevent hacks instead of having to respond to them.
What do the timestamps in an eComscan report mean?
eComscan reports two relevant timestamps for detections. All timestamps are shown using the standard GMT (UTC) time zone.
ctime
: Typically this indicates the date that the file was moved or created. On Linux, this timestamp cannot be tampered with by a regular user and may therefore be an important indicator for when malicious activity happened. However, the ctime may be reset during a legitimate release.mtime
: This indicates the last modification date of the file. This can be easily spoofed by an attacker, which often happens, so it should be used with caution.
Shall I implement Content Security Policy (CSP) and Subresource Integrity (SRI) ?
There are two technical measures that you can implement to improve the security of your store: CSP and SRI. They are comparable to the airbag in your car: they will limit some damage but won't stop your car from crashing. In essence, they restrict the Javascript that can be run on your site.
Pro:
- Good protection against Supply Chain Attacks. If one of your embedded suppliers get hacked, they won't be able to take control of your site.
Con:
- It can be costly to maintain. If your supplier's Javascript changes, you would have to update the SRI checksum. If you add a new library, you would need to update the CSP configuration. Depending on how often this happens, this can be cumbersome.
- If you don't use external Javascript, it has very little benefit. If attackers can break into your site, they can also modify the CSP/SRI headers.
- There are several techniques that circumvent CSP, so it will only catch 99% of malware.
All in all, it is a trade off between maintenance costs and possible losses. We recommend to implement it if you have annual revenue over $20M.
Will eComscan report all missing patches?
eComscan will alert you to any missing security patches! We strongly recommend to implement vendor-issued security patches & upgrades within 72 hours, as mass abuse may take off within days of such publications. For Magento, see our convenient version matrix which is always up to date.
Can you upgrade my store software?
While we do run cleanup & investigations, we do not provide regular store maintenance (platform upgrades). This is usually done by the developer of your store, as upgrading requires knowledge about your store's internal architecture and access to your offsite code repository. If an external party would upgrade your store, the changes would be reset the next time your regular developer issues an release.
We do strongly recommend to track your platform's core security improvements, see also the previous question.
Does eComscan require root access?
While eComscan runs on the server, it does not require root access, and can be run as any user, as long as it can read the store files and database. NB. Some platforms execute PHP with a different user than the one that is used to upload files and run ecomscan. In that case, ecomscan cannot inspect PHP processes and may miss malware. We recommend to either run ecomscan as root, or schedule ecomscan to both run as the PHP user and the web user.
Is eComscan PCI compliant?
eComscan is the perfect solution to help merchants comply with the following PCI DSS 4.0.1 requirements:
- 5.2 Malicious software (malware) is prevented, or detected and addressed
- 5.3 Anti-malware mechanisms and processes are active, maintained, and monitored
- 11.3.1 Internal vulnerability scans
See also our free Sansec Watch service to comply with PCI DSS 6.4.3 and 11.6.1.
Do you also scan on the OS or platform level?
It is recommended to run eComscan with full privileges, so it can inspect all the processes and background jobs. While eComscan is not a generic vulnerability scanner for Linux, it does detect all system level issues that are known to be abused in eCommerce hacks (for example, the Linux glibc iconv bug).
Does Sansec provide penetration testing (pen tests) ?
Sansec focuses on whitebox analysis (i.e. code inspection) as opposed to behavioral analysis (i.e. blackbox or pen testing). The reason for this is that whitebox analysis is much more accurate and comprehensive. Blackbox testing isn't able to examine all application paths, for example when certain privileges or conditions are required.
Another reason is that blackbox testing typically requires thousands of server requests, which negatively impacts store performance. Whitebox testing doesn't affect server performance and can therefore run continuously, while proper blackbox testing can only be executed incidentally.
Because Sansec provides test signatures for all known Magento attack vectors, our coverage is typically 100%. The only exception is when you have developed custom code for your store. In that case we would recommend to hire a Magento agency for a code audit. See our partner section for recommended agencies.
If your payment service provider requires a pen test, we would recommend to engage one of our security consultancy partners.
What confidence level should be chosen?
eComscan employs a suite of detection patterns, some of which have a low confidence levels. These low confidence signatures can be very useful in case of an incident, but are generally weak indicators & potentially yield false positive detections. Our recommendation is to use the default confidence threshold (=50) for monitoring scans. In case of an incident, our recommendation is to run a deep scan with --min-confidence=0 --deep
. As some detections will potentially be false positive, results must be properly verified to assess if the detected files/database fields contain malicious code.
Does eComscan protect against carding attacks?
In a carding attack, criminals use your store to test a large amount of (stolen) credit cards for their validity by making small purchases. Carding attacks do not exploit a vulnerability in your store or payment gateway but rather exploit the payment system itself (e.g., the lack of proper authentication in credit cards). Consequently, tools like PCI scans or eComscan cannot detect these attempts, as the transactions technically work as designed.
The only partially effective method to counter carding attempts has been detecting automated clients through measures like CAPTCHAs. However, as criminals get better at simulating humans—and in some cases, employ actual humans to carry out these attacks—this approach is becoming less effective.
In the short term, there are some temporary measures that can help mitigate the issue. But this can be whack-a-mole. A long-term solution is to require multi-factor authentication like 3D Secure (3DS), but this may hurt your checkout conversion.
That said, we love a proper challenge! If you find you have been hit by a carding attack, please escalate to us and we will think of a custom approach for your store.
In this article
Easy CSP for your store?
Try Sansec Watch! Free, simple and fully integrated. Get PCI compliant alerting with minimal effort.
Sansec Watch