
Running eComscan


by Team Sansec

Published in Guides

Scan your store in a few clicks. Running a basic scan is free and does not require registration. It should be run by a developer or server admin.

Automatic scan

eComscan runs on your production (Linux) servers. Log in via SSH and run the following command, which downloads and executes the installer script, to start a scan of your store:

curl https://ecomscan.com | sh

Manual scan

You can manually install the scanner by downloading a version for Linux amd64, Linux ARM (AWS Graviton) or Apple Silicon (M1/M2 chips). For example, run this:

mkdir -p ~/bin
curl https://ecomscan.com/downloads/linux-amd64/ecomscan -o ~/bin/ecomscan
chmod 755 ~/bin/ecomscan

Start a single scan:

~/bin/ecomscan --report=your@email /path/to/store/root/folder

If you have a license key (get it here), you can unlock detailed reporting by providing your key, for example:

~/bin/ecomscan --key=n8sFtfpWzz --report=<your_email> /var/www/magento

eComscan performs an extensive file, database, process and task scan. The database credentials are taken from your store's configuration files (such as env.php). The scan takes about 5-30 minutes (depending on the size of your store and the speed of your server) and will report any found malware or vulnerabilities. If that does not yield any surprises: congratulations! You can now install it in monitoring mode, see the next section.

Set up monitoring

Most operations teams only want to be notified when something important happens to their store. That is exactly the purpose of eComscan monitoring: it runs continuously and alerts you on suspicious or insecure changes to your store. Log in via SSH and add a new cronjob using the crontab -e command. Then add a new line, replacing key, email and path with the correct values:

10 * * * * ~/bin/ecomscan --key=<your_key> --monitor=<your_email> <store_path>

eComscan will run at the lowest priority, so it will not affect the performance of your store. Should it find anything out of the ordinary, it will alert you via mail. It will not send you repeat alerts.

Do you want to receive periodic reports, regardless of what was found? Some of our customers add a weekly scan using the --report option to their cron, which will always send a report.

Are you using Adobe Cloud? See these specific instructions.

Are you hosted on Webscale Stratus? Then you should enter the cronjob via the Stratus Cronjob web panel, as normal cronjobs are silently ignored. A sample Stratus cronjob command is:

/srv/bin/ecomscan --key <your_key> --monitor <your_email> /srv/public_html

Test your setup

If you want, you can add a "test malware" to your store and see if eComscan picks it up. Add this to a PHP or JS file, or to a CMS block or page in your database:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
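The test string above contains '$', '\' and '%' characters, so writing it with echo in double quotes (or as a printf format) can silently corrupt it and produce a file no scanner will flag. This added example (not part of the Sansec guide) writes the string byte-exactly into a PHP file under the store root and verifies it against the published EICAR checksum before you run the scan; the file name ecomscan-eicar-test.php is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Sansec guide: plant the EICAR test string
# in a PHP file under the store root and verify it is byte-exact, so a
# scan that misses it is a real finding and not a mangled test file.

# Single quotes keep every byte literal; in double quotes the shell would
# expand "$EICAR" and "$H" to empty strings.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
EICAR_MD5='44d88612fea8a8f36de82e1278abb02f'   # published md5 of the 68-byte string

# write_eicar_test_file STORE_ROOT
# Writes STORE_ROOT/ecomscan-eicar-test.php (file name is an assumption),
# prints its md5 and returns 0 only when the checksum matches.
write_eicar_test_file() {
    store_root="$1"
    target="$store_root/ecomscan-eicar-test.php"
    # Use '%s' as the format: the string itself contains a '%'.
    printf '%s' "$EICAR" > "$target"
    sum=$(md5sum "$target" | cut -d' ' -f1)
    echo "$sum"
    [ "$sum" = "$EICAR_MD5" ]
}

# eicar_test_file_size STORE_ROOT -> byte count (a valid file is exactly 68)
eicar_test_file_size() {
    wc -c < "$1/ecomscan-eicar-test.php" | tr -d ' '
}

# remove_eicar_test_file STORE_ROOT : clean up once the scan has reported it
remove_eicar_test_file() {
    rm -f "$1/ecomscan-eicar-test.php"
}
```

After the file is in place, run a single scan as shown above (for example `~/bin/ecomscan --key=<your_key> --report=<your_email> <store_path>`), confirm the test file is reported, then remove it.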

Got hacked?

In certain cases, such as when responding to an incident, you should run eComscan in scrutinize mode. This takes a long time and may produce false positives, so the results should be carefully examined by you or your developer.

~/bin/ecomscan --key <your_key> --min-confidence=0 --deep <store_path>

This will also display lower-confidence hits (such as obfuscated, but not necessarily malicious, code) and scan all files instead of only executable files. Do not add the deep scan to your cron: it will slow down your store!
