Sansec logo

How eComscan works behind the scenes


by Sansec Support

Published in Guides

A malware and vulnerability scanner

You run eComscan as an application on your (Linux) production server, either as single scan (scrutinize mode) or continuously as a monitor. It should really run on your server, because most malware (60%) is hidden there, either in the form of code, databases or processes. Many other security products (Detectify, Sucuri Sitecheck) will scan your server from the outside, and cannot inspect everything.

Signature update

Upon every run, eComscan retrieves the latest signatures. These signatures are updated multiple times per week (sometimes per day) so you benefit from the latest threat intel.

Database scan

In addition to a file scan, eComscan recognizes configurations of common shop systems (Magento, WooCommerce etc). When it finds one, it will use that configuration to connect to your database server. It then scans specific tables for malicious code. Because there are only a number of tables where criminals can inject executable code, the total number of scanned data is limited and the scan has no impact on the performance of your store.

Process scan

eComscan also scans running processes. Hackers use malicious processes to intercept customer data, or as a backdoor to ensure future access. Malicious processes are also popular because they can run on servers that use read-only storage.

Scheduled task scan

eComscan also scans scheduled tasks (cron). Malicious cron tasks are often used to implement persistence.


eComscan incorporates a secure self-updater. If new checks or improvements are available, they are automatically installed. NB: make sure that the ecomscan program is writable, or otherwise auto-update will be skipped. Self-update may fail if the user running ecomscan differs from the user owning the ecomscan program. You can check by running:

ls -la `which ecomscan`

This should produce, for example:

$ ls -la `which ecomscan`
-rwxr-xr-x 1 app app /data/web/bin/ecomscan
$ id
uid=1000(app) gid=1000(app) groups=1000(app)


eComscan reports to the console (possibly in JSON/CSV format for automated parsing). When given the --report or --monitor options, it will email a report to you. With the --slack and --phone options, you can receive alerts via Slack or SMS (Advanced plan and up).

License check

eComscan will match the license URL with configured URLs of the store. If any of the store URL frontends matches, it will continue. This enables you to run eComscan on dev & staging environments. This is actually recommended, because you will be able to catch vulnerabilities in an early stage.

Need expert advice? We are here to help!

Stay up to date with the latest eCommerce attacks

Sansec logo

experts in eCommerce security


Terms & Conditions
Privacy & Cookie Policy
Company Reg 77165187
Tax NL860920306B01