
Troubleshooting common issues


by Sansec Support

Published in Guides

eComscan does not seem to be running

  1. Ensure the installation was completed according to the instructions.
  2. Run an interactive scan (~/bin/ecomscan -k <key> --report <youremail> <storepath>) to verify that ecomscan is properly installed. If this does not produce a report in your inbox, contact us.
  3. Verify that your crontab is set up correctly. Ask your hosting provider (or us) for verification.
  4. Check that you are running the latest version (see next question).
  5. Your server or firewall may block external connections. eComscan requires a network connection to download the latest signatures and to send reports. Verify with your hosting provider.

Did this not help? We are eager to resolve this for you: please provide temporary access to your hosting account and we will ensure a solid setup for you.

eComscan does not auto-upgrade

Normally, eComscan will check for software updates on each run, and replace the current program with a newer release. This is important, as we regularly release new scanning techniques to detect the latest threats and vulnerabilities (see release history here).

Auto-upgrade may fail if ecomscan is installed on a read-only disk, or if the user who is running ecomscan does not have permissions to update the program. First, try this:

$ ecomscan --self-update
Self-update failed: Can't write to myself (~/bin/ecomscan) so skipping auto upgrade

If you see this error message, you should run ecomscan as a different user or install ecomscan on a writable disk.

If you want tenants to run a system-wide installed ecomscan, you should install a daily update trigger that is run by root, for example this entry in the system crontab format (with a user field, as used in /etc/crontab or /etc/cron.d):

1 1 * * * root /path/to/ecomscan --self-update
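
To tell which of the two causes named above (read-only disk or missing write permission) applies before changing the setup, a check like the following can be used. This is an added example, not Sansec's code; the function names and the sample mount table are constructed for illustration, and it assumes a Linux host with /proc/mounts.

```shell
#!/bin/sh
# Added example: which of the two causes blocks `ecomscan --self-update`?

# mount_options PATH [MOUNTS]: mount options of the filesystem that holds
# PATH, found by longest mount-point prefix in a /proc/mounts-style table.
# PATH must be absolute; symlinks are not resolved.
mount_options() {
    awk -v p="$1" '
        { mp = $2
          if ((mp == "/" || p == mp || index(p, mp "/") == 1) &&
              length(mp) >= best) { best = length(mp); opts = $4 } }
        END { print opts }' "${2:-/proc/mounts}"
}

# self_update_blocker BINARY [MOUNTS]: prints one of
#   missing         BINARY does not exist
#   read-only-disk  its filesystem is mounted ro
#   not-writable    the current user may not write to BINARY
#   ok              neither cause applies
self_update_blocker() {
    [ -e "$1" ] || { echo missing; return 0; }
    # Check the mount first: on a read-only disk even root cannot write.
    case ",$(mount_options "$1" "$2")," in
        *,ro,*) echo read-only-disk; return 0 ;;
    esac
    if [ -w "$1" ]; then echo ok; else echo not-writable; fi
}

# Constructed mount table (not from a real host): /opt/tools is read-only.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /opt/tools ext4 ro,nosuid 0 0'

# Live use: sh thisfile.sh --check "$HOME/bin/ecomscan"
if [ "${1:-}" = "--check" ]; then self_update_blocker "$2"; fi
```

Run it as the same user that runs ecomscan from cron, since the writability result depends on the calling user.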

I receive too few or too many reports

It is the intended behaviour of --monitor to only send a mail when something has changed. If you want to always get an email report, change --monitor into --report.

Conversely, if you use --report in a cronjob and get too many mails, change it into --monitor and you will only be notified whenever a new issue is found, or an old issue has been fixed.

I always get this error: Could not download signature db

Something seems wrong with your network configuration. You are either behind a very restrictive firewall, or you have IPv6 lookups enabled for DNS but IPv6 routing fails. You should ask your network administrator / ISP.

I get: Query failed, perhaps this is a dev/test db server that I cannot reach

eComscan uses the password for the database from your store configuration. Sometimes, it finds store configuration that is used in local or development servers, and cannot connect to these servers. If you suspect something else is wrong, please re-run ecomscan with the --verbose option and share the results with us.

eComscan is running slow

eComscan runs with the lowest priority (CPU + disk), so it will only use idle resources and will not affect the performance of your store. There is one exception to this: some (cheaper) virtual servers have been oversold. In that case, the host system will report more CPU capacity than is actually available, and eComscan will use "idle" capacity that isn't actually idle. The only solution is either to run eComscan only at quiet times (at night) or to move your store to a higher quality server.

Steal: is your server oversold?

You can determine whether you are running on an oversold system by using the top command. The last value in the CPU summary line is st (steal). If this goes above 0, you were promised more CPU than is available.
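
The steal figure that top displays comes from the kernel's counters in /proc/stat, so it can also be measured over an interval and logged. The script below is an added example, not part of eComscan; the function names and the two sample lines are constructed for illustration, and it assumes a Linux host.

```shell
#!/bin/sh
# Added example: measure CPU steal from /proc/stat instead of eyeballing top.

# cpu_line: print the aggregate "cpu" line of /proc/stat (Linux only).
cpu_line() {
    grep '^cpu ' /proc/stat
}

# steal_pct BEFORE AFTER: percentage of CPU time stolen between two samples.
# Counters after the "cpu" label: user nice system idle iowait irq softirq
# steal guest guest_nice. Guest time is already included in user, so only
# the first eight counters are summed.
steal_pct() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        { total = 0; for (i = 2; i <= 9; i++) total += $i
          t[NR] = total; s[NR] = $9 }
        END {
            dt = t[2] - t[1]
            if (dt <= 0) { print "0.0"; exit }
            printf "%.1f\n", 100 * (s[2] - s[1]) / dt
        }'
}

# is_oversold PCT: the rule from the text, steal above 0 means oversold.
is_oversold() {
    awk -v p="$1" 'BEGIN { exit !(p > 0) }'
}

# measure_steal [SECONDS]: live measurement over an interval (default 5).
measure_steal() {
    before=$(cpu_line)
    sleep "${1:-5}"
    after=$(cpu_line)
    steal_pct "$before" "$after"
}

# Constructed samples (not real measurements): 1000 ticks apart, 50 stolen.
SAMPLE_BEFORE='cpu  1000 0 500 8000 100 0 50 200 0 0'
SAMPLE_AFTER='cpu  1300 0 600 8500 120 0 80 250 0 0'

# Live use: sh thisfile.sh --live 10
if [ "${1:-}" = "--live" ]; then measure_steal "${2:-5}"; fi
```

Measure while eComscan is running and again while it is not; steal that appears only under load is the oversold pattern described above.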

I have found a malware that eComscan did not identify?

We are sorry to hear that eComscan did not identify this instance. While our scanning technology identifies about 99.5% of all ecommerce malware, we cannot guarantee 100% coverage because criminal groups are continuously evolving their practices. Our team runs forensic cases across the globe and we are usually able to produce a signature within hours of a new malware release. But on a (very) rare occasion, a new strain may slip through, especially if it uses obfuscation that is also used by many legitimate vendors.

Please share the specific malware with us, and we are happy to help you (free of charge) with your case.

I have patched a vulnerable extension, but it still flags red?

Our vulnerable module check uses version numbers, not code signatures. If you have manually patched a vulnerable module, you can add -patch to the version number, so that eComscan will stop flagging it as vulnerable. Modify these files:

  • Magento 1: app/code/Vendor/Module/etc/config.xml (without composer)
  • Magento 2: vendor/Vendor/Module/etc/config.xml (with composer)

Note: sometimes vendors of vulnerable extensions do not release information or public updates, so we cannot establish if a vulnerability has been fixed.

Autoscaling is triggered by eComscan

eComscan is registered to use idle CPU capacity only, and uses at most half of your server's CPU cores. However, if your autoscaling triggers are set to less than 50% CPU usage, then it may happen that a new server is started when eComscan runs. To prevent this, you can use the cpulimit utility to cap eComscan. Prefix your cron command like this:

cpulimit --limit 50 ~/bin/ecomscan [...]

This example limits the CPU usage to 50% of a single CPU core. NB: Amazon AWS autoscaling CPU thresholds are system-wide (100% is the max), while cpulimit counts 100% per core. On a 4-core server, the maximum capacity for cpulimit is therefore 400%. So if you want to use at most 25% system-wide on such a server, use cpulimit --limit 100 (25% of 400%).

Download cpulimit source or a Linux amd64 executable compiled by Sansec.
