eComscan release history (changelog)

eComscan Changelog

This is a full list of fixes and improvements. eComscan will auto-update, so no manual action is required. eComscan releases will also be announced on our Twitter feed.

v1.3.3 (released Apr 29th, 2020)

  • Update documentation / next step links

v1.3.2 (released Apr 23rd, 2020)

  • Fix db connections problem in rare cases.

v1.3.1 (released Apr 8th, 2020)

  • The CLI --tag option (to group cloud servers) is now also used in phone & Slack alerts

v1.3.0 (released Apr 6th, 2020)

  • Extended vulnerable module scanning.

v1.2.0 (released Mar 20th, 2020)

  • Added --tag option to categorize email reports
  • Added --self-update command to only do self-update (for integrations only)

v1.1.0 (released Feb 26th, 2020)

  • Supports Shopware 6
  • Also scan .htaccess files

v1.0.0 unreleased

  • Major refactor of code base + external code review

v0.10.9 (released Jan 23rd, 2020)

  • Symlinks: changed default behaviour to more common use case. Do follow symlinks, unless --skip-symlinks is given. The --follow-links option has been deprecated. This fixes the issue where ecomscan could not find the CMS config file if that was a symlink.

v0.10.8 (released Jan 15th, 2020)

  • Add option --follow-links for links pointing outside scan root
  • Add option --one-file-system to prevent crossing mount boundaries
  • Better detection of Wordpress/WooCommerce stores

v0.10.7 (released Oct 28th, 2019)

  • Scan of core_file_storage backdoors

v0.10.6 (released Oct 24th, 2019)

  • Search harder for MySQL socket locations
  • Cleaner exit upon fatal conditions

v0.10.5 (released Oct 4th, 2019)

  • Fix connecting to older MySQL servers (Brian Wade)
  • Fix wrong ordering of detections in rare cases.
  • Fix scanning for malware in database triggers when table prefix is used
  • Fix only ensure no concurrent instances in non-interactive (cron) mode (Maier Bianchi)

v0.10.4 (released Aug 23rd, 2019)

  • Added Magento 2 XSS detection (RipsTech)
  • Use Mysqld UNIX socket if server name is localhost (Christian Hafström)
  • Changed progress spinner to ASCII as to not crash certain terminals (Andy Symonds)
  • Don’t show redundant warning about “no path match, skippingpath match” (Christian Hafström)
  • Don’t show spinner without a TTY (eg piping to file)

v0.10.3 (released Jun 20th, 2019)

  • Use [email protected] as sender for reports
  • Added explicit check for vulnerable Mirasvit SEO code (cannot rely on version number)
  • Vulnerable module check will ignore modules that have “patch” in the version number (for manual patches) (David Cermak, Chris Botman)
  • Recognize Shopware 5 and 6 installations (Alan Morkan)

v0.10.2 (released Jun 13th, 2019)

  • Hotfix to resolve not sending any reports in some cron setups

v0.10.1 (released Jun 13th, 2019)

  • Major rewrite to support upcoming features
  • HTML email reporting (Max Chadwick)
  • Per-check reporting to allow more different checks in the future
  • (Upstream) removed checks for vulnerable Mirasvit modules, because Mirasvit uses non-standard versioning which produced many FPs.
  • Checks: “exposed database managers”, “magento sql injection”, “store identification”
  • The --report <email> option will ALWAYS send a report (Max Chadwick)
  • Store description in mail to distinguish multiple stores (Andreas von Studnitz)
  • Module checks now report URL describing issue instead of vendor URL (where often, nothing was explained about severity of the issue).
  • Database connection errors are now properly reported in the CLI (previously, only with --verbose) (Martin Pachol)
  • The --newonly/monitor option will squelch output when run non-interactively (previously: always squelch)
  • Restrict Magento SQL injection detection to M2, because no exploit is known for M1 yet.
  • Fix: If scanpath is a file, always scan (regardless of --deep option)
  • Fix: allow DB connections with empty passwords (Jeroen Boersma)
  • Add --version to help (Jeroen Boersma)
  • Scan results include links to support pages

v0.9.35 (released May 15th, 2019)

  • Added phone alerts for Advanced plans.

v0.9.34 (released May 9th, 2019)

  • Added Slack integration for Advanced plans.
  • Default timeout 5 -> 10 seconds

v0.9.33 (released May 8th, 2019)

  • Introduced --monitor (delta) and --report (single run) options, deprecated --email and --newonly
  • Added --reply-to to specify Reply-To address (for use with ticketing systems) (Brian Wade)

v0.9.32 (released Apr 11th, 2019)

  • Show explicitly if a hit is malware or vulnerability in file scan
  • Increased max scan size to 10MB to detect GoBrut StealthWorker
  • Add hidden --yarafile <path> option to support testing
  • Add explicit warning if self-update fails (for example, ecomscan is not writable)
  • Fix spinner output

v0.9.31 (released Mar 28th, 2019)

  • Only report first (and most confident) malware hit per file / database source.
  • Default confidence threshold changed from 1 to 50 (--min-confidence) to reduce reporting of false positives.
  • Keep state per scan path, not global (Robert Mangiafico)

v0.9.30 (released Mar 27th, 2019)

  • Fix case where first whitelisted item would get flagged (Phil Stewkesbury)
  • Add module path to cli output

v0.9.29 (released Mar 22nd, 2019)

  • Also scan rogue newsletters for Froghopper attacks
  • Fix scanning cms_page when theme is null

v0.9.28 (released Mar 15th, 2019)

  • Also scan .php5 files (without --deep option)
  • Fixed error for directories with .ini or .php extension.
  • Only print database connection errors in verbose mode – usually caused by dev/staging configs.
  • Only update when newer versions are available, facilitate experimental deploys.

v0.9.27 (released Mar 4th, 2019)

  • Fall back to /tmp if standard XDG runtime path fails (Rico Neitzel)
  • Release uses gzip, not all systems have xz (Rico Neitzel)
  • Fatal errors now properly use stderr
  • Allows concurrent scans of distinct paths

v0.9.26 (released Feb 23rd, 2019)

  • Fix: CPU & I/O priorities are now properly rescheduled
  • Silent output when --newonly and --email are used (cron)

v0.9.25 (released Feb 22nd, 2019)

  • Feature: basic email reporting (--email recipient)
  • Format: report individual checks
  • Fixed duplicate help message (Ryan Hoerr)
  • Removed short tag for rarely used options

v0.9.24 (released Feb 15th, 2019)

  • Fixed corner case with Magento2 configs (Robert Mangiafico)
  • Fixed handling unreadable symlinks (Robert Mangiafico)

v0.9.23 (released Feb 13th, 2019)

  • Added --maxsize option to skip large files (default: 1MiB). Use 0 to disable limit. Thanks to Peeter Marvet.
  • Fix: better parsing of M2 configs. Thanks to Robert Mangiafico.

v0.9.22 (released Feb 11th, 2019)

  • Fix crash when Github is unreachable (to update module signatures)

v0.9.21 (released Feb 9th, 2019)

  • Reverted os.Executable() error handling, as the error was due to UPX (executable compressor) which would use a temp file on older Linux systems. Removed UPX altogether.

v0.9.20 (released Feb 9th, 2019)

  • Skip auto-updater altogether if os.Executable() failed. Works unpredictably on CentOS.

v0.9.19 (released Feb 8th, 2019)

  • Changed “json” into “jsonline” format, see and
  • Changed exit code to 100 if already running

v0.9.18 (released Feb 8th, 2019)

  • Fix detection of M1 modules for which no safe version is known.
  • Ensure only a single instance (per user) can be running, no need for flock in cron. Exit code 1 if running.
  • Enforce all regular output to stdout instead of stderr.
  • Add “json” output format (1 JSON object/line per detection)
  • Add ctime/mtime for malware files

v0.9.17 (released Feb 7th, 2019)

  • Add git tags to build pipeline

v0.9.16 (released Feb 6th, 2019)

  • Added --submit-whitelist and --submit-malware features.
  • Fix auto-updater on some systems (os.Executable() doesn’t always work)

v0.9.15 (released Feb 4th, 2019)

  • Removed “dark grey” color for debug messages as it doesnt show up on some terminals.

v0.9.14 (released Feb 4th, 2019)

  • Add --newonly cli option.
  • Add timestamp to CSV output.
  • Show summary after scanning.

v0.9.13 (released Feb 1st, 2019)

  • Fix: don’t crash on non-standard module xml configs

v0.9.12 (released Jan 31st, 2019)

  • New build system

v0.9.11 (released Jan 30th, 2019)

  • Added confidence threshold setting (default: report all)
  • Added check for vulnerable modules.

v0.9.10 (released Jan 25th, 2019)

  • Fixed field name for Magento2
  • Fixed error message when path does not exist
  • Fixed panic when M2 env.php could not be parsed

v0.9.9 (released Jan 25th, 2019)

  • Implement XZ compression for signature data (800KB -> 98KB)
  • Set low CPU & IO prios on Linux
  • Add basic progress spinner for filescan

v0.9.8 (released Jan 24th, 2019)

  • Fix auto updater (“text file busy”)

v0.9.7 (released Jan 23rd, 2019)

  • Fix auto updater when run from other dir ($PATH)

v0.9.6 (released Jan 23rd, 2019)

  • Support for multi level signature certainty, to allow test/suspicious rules. Force reporting of all rules with --all
  • Whitelist support
  • Resolve symlinks for root path

v0.9.5 (released Jan 22nd, 2019)

  • Auto self-updater
  • First public release

This page was last updated at May 22nd, 2020

Need expert advice?

We are here to help!

Get in touch