This is a full list of fixes and improvements. eComscan will auto-update, so no manual action is required. eComscan releases will also be announced on our Twitter feed.
v1.3.3 (released Apr 29th, 2020)
- Update documentation / next step links
v1.3.2 (released Apr 23rd, 2020)
- Fix db connections problem in rare cases.
v1.3.1 (released Apr 8th, 2020)
- The CLI --tag option (to group cloud servers) is now also used in phone & Slack alerts
v1.3.0 (released Apr 6th, 2020)
- Extended vulnerable module scanning.
v1.2.0 (released Mar 20th, 2020)
- --tag option to categorize email reports
- --self-update command to only do self-update (for integrations only)
v1.1.0 (released Feb 26th, 2020)
- Supports Shopware 6
- Also scan
- Major refactor of code base + external code review
v0.10.9 (released Jan 23rd, 2020)
- Symlinks: changed default behaviour to more common use case. Do follow symlinks, unless --skip-symlinks is given. The --follow-links option has been deprecated. This fixes the issue where ecomscan could not find the CMS config file if that was a symlink.
v0.10.8 (released Jan 15th, 2020)
- Add option --follow-links for links pointing outside scan root
- Add option --one-file-system to prevent crossing mount boundaries
- Better detection of WordPress/WooCommerce stores
v0.10.7 (released Oct 28th, 2019)
- Scan of
v0.10.6 (released Oct 24th, 2019)
- Search harder for MySQL socket locations
- Cleaner exit upon fatal conditions
v0.10.5 (released Oct 4th, 2019)
- Fix connecting to older MySQL servers (Brian Wade)
- Fix wrong ordering of detections in rare cases.
- Fix scanning for malware in database triggers when table prefix is used
- Fix: only ensure no concurrent instances in non-interactive (cron) mode (Maier Bianchi)
v0.10.4 (released Aug 23rd, 2019)
- Added Magento 2 XSS detection (RipsTech)
- Use Mysqld UNIX socket if server name is localhost (Christian Hafström)
- Changed progress spinner to ASCII so as not to crash certain terminals (Andy Symonds)
- Don’t show redundant warning about “no path match, skippingpath match” (Christian Hafström)
- Don’t show spinner without a TTY (e.g. piping to file)
v0.10.3 (released Jun 20th, 2019)
- Use [email protected] as sender for reports
- Added explicit check for vulnerable Mirasvit SEO code (cannot rely on version number)
- Vulnerable module check will ignore modules that have “patch” in the version number (for manual patches) (David Cermak, Chris Botman)
- Recognize Shopware 5 and 6 installations (Alan Morkan)
v0.10.2 (released Jun 13th, 2019)
- Hotfix to resolve not sending any reports in some cron setups
v0.10.1 (released Jun 13th, 2019)
- Major rewrite to support upcoming features
- HTML email reporting (Max Chadwick)
- Per-check reporting to allow more different checks in the future
- (Upstream) removed checks for vulnerable Mirasvit modules, because Mirasvit uses non-standard versioning which produced many FPs.
- Checks: “exposed database managers”, “magento sql injection”, “store identification”
- --report <email> option will ALWAYS send a report (Max Chadwick)
- Store description in mail to distinguish multiple stores (Andreas von Studnitz)
- Module checks now report URL describing issue instead of vendor URL (where often, nothing was explained about severity of the issue).
- Database connection errors are now properly reported in the CLI (previously, only with --verbose) (Martin Pachol)
- --newonly/monitor option will squelch output when run non-interactively (previously: always squelch)
- Restrict Magento SQL injection detection to M2, because no exploit is known for M1 yet.
- Fix: If scanpath is a file, always scan (regardless of
- Fix: allow DB connections with empty passwords (Jeroen Boersma)
- --version to help (Jeroen Boersma)
- Scan results include links to support pages
v0.9.35 (released May 15th, 2019)
- Added phone alerts for Advanced plans.
v0.9.34 (released May 9th, 2019)
- Added Slack integration for Advanced plans.
- Default timeout 5 -> 10 seconds
v0.9.33 (released May 8th, 2019)
- --report (single run) options, deprecated
- --reply-to to specify Reply-To address (for use with ticketing systems) (Brian Wade)
v0.9.32 (released Apr 11th, 2019)
- Show explicitly if a hit is malware or vulnerability in file scan
- Increased max scan size to 10MB to detect GoBrut StealthWorker
- Add hidden --yarafile <path> option to support testing
- Add explicit warning if self-update fails (for example, ecomscan is not writable)
- Fix spinner output
v0.9.31 (released Mar 28th, 2019)
- Only report first (and most confident) malware hit per file / database source.
- Default confidence threshold changed from 1 to 50 (--min-confidence) to reduce reporting of false positives.
- Keep state per scan path, not global (Robert Mangiafico)
v0.9.30 (released Mar 27th, 2019)
- Fix case where first whitelisted item would get flagged (Phil Stewkesbury)
- Add module path to cli output
v0.9.29 (released Mar 22nd, 2019)
- Also scan rogue newsletters for Froghopper attacks
- Fix scanning cms_page when theme is null
v0.9.28 (released Mar 15th, 2019)
- Also scan .php5 files (without
- Fixed error for directories with
- Only print database connection errors in verbose mode – usually caused by dev/staging configs.
- Only update when newer versions are available, facilitate experimental deploys.
v0.9.27 (released Mar 4th, 2019)
- Fall back to /tmp if standard XDG runtime path fails (Rico Neitzel)
- Release uses gzip, not all systems have xz (Rico Neitzel)
- Fatal errors now properly use stderr
- Allows concurrent scans of distinct paths
v0.9.26 (released Feb 23rd, 2019)
- Fix: CPU & I/O priorities are now properly rescheduled
- Silent output when
v0.9.25 (released Feb 22nd, 2019)
- Feature: basic email reporting (
- Format: report individual checks
- Fixed duplicate help message (Ryan Hoerr)
- Removed short tag for rarely used options
v0.9.24 (released Feb 15th, 2019)
- Fixed corner case with Magento2 configs (Robert Mangiafico)
- Fixed handling unreadable symlinks (Robert Mangiafico)
v0.9.23 (released Feb 13th, 2019)
- --maxsize option to skip large files (default: 1MiB). Use 0 to disable limit. Thanks to Peeter Marvet.
- Fix: better parsing of M2 configs. Thanks to Robert Mangiafico.
v0.9.22 (released Feb 11th, 2019)
- Fix crash when Github is unreachable (to update module signatures)
v0.9.21 (released Feb 9th, 2019)
- os.Executable() error handling, as the error was due to UPX (executable compressor) which would use a temp file on older Linux systems. Removed UPX altogether.
v0.9.20 (released Feb 9th, 2019)
- Skip auto-updater altogether if os.Executable() failed. Works unpredictably on CentOS.
v0.9.19 (released Feb 8th, 2019)
- Changed “json” into “jsonline” format, see http://jsonlines.org/ and https://stedolan.github.io/jq/
- Changed exit code to 100 if already running
v0.9.18 (released Feb 8th, 2019)
- Fix detection of M1 modules for which no safe version is known.
- Ensure only a single instance (per user) can be running, no need for flock in cron. Exit code 1 if running.
- Enforce all regular output to stdout instead of stderr.
- Add “json” output format (1 JSON object/line per detection)
- Add ctime/mtime for malware files
v0.9.17 (released Feb 7th, 2019)
- Add git tags to build pipeline
v0.9.16 (released Feb 6th, 2019)
- Fix auto-updater on some systems (os.Executable() doesn’t always work)
v0.9.15 (released Feb 4th, 2019)
- Removed “dark grey” color for debug messages as it doesn’t show up on some terminals.
v0.9.14 (released Feb 4th, 2019)
- Add timestamp to CSV output.
- Show summary after scanning.
v0.9.13 (released Feb 1st, 2019)
- Fix: don’t crash on non-standard module xml configs
v0.9.12 (released Jan 31st, 2019)
- New build system
v0.9.11 (released Jan 30th, 2019)
- Added confidence threshold setting (default: report all)
- Added check for vulnerable modules.
v0.9.10 (released Jan 25th, 2019)
- Fixed field name for Magento2
- Fixed error message when path does not exist
- Fixed panic when M2 env.php could not be parsed
v0.9.9 (released Jan 25th, 2019)
- Implement XZ compression for signature data (800KB -> 98KB)
- Set low CPU & IO prios on Linux
- Add basic progress spinner for filescan
v0.9.8 (released Jan 24th, 2019)
- Fix auto updater (“text file busy”)
v0.9.7 (released Jan 23rd, 2019)
- Fix auto updater when run from other dir ($PATH)
v0.9.6 (released Jan 23rd, 2019)
- Support for multi level signature certainty, to allow test/suspicious rules. Force reporting of all rules with
- Whitelist support
- Resolve symlinks for root path
v0.9.5 (released Jan 22nd, 2019)
- Auto self-updater
- First public release