FAQ

For problems and solutions while running eComscan, see the troubleshooting page.

Can I use my eComscan license to scan staging/development servers?

Yes, you are allowed to use your license key on any store that shares the same primary domain name.

How does eComscan compare to free Magento security scans?

While we are proud that Adobe has incorporated Sansec technology in its free Magento Security Scan, free scans have limited coverage. By their very nature, they can only inspect publicly available assets (the JavaScript served to browsers). However, most malware (65%) is hidden on the server: in PHP code, in the database or in system processes. Or it is hidden deep in your checkout flow, where a public scanner cannot go.

To cover the full attack surface, you need a white-box solution such as eComscan. Because it runs on your servers, it is able to inspect all components that are relevant to your transaction flow.

Second, the Magento Security Scan only checks for issues in the core Magento application. However, most stores are hacked through third-party components (“extensions” or “modules”), so you need a scanner that also alerts you to vulnerabilities in those components. eComscan is the only security solution in the world that tracks these vulnerabilities.

                        eComscan      free scans
  Scans JavaScript      yes           yes
  Scans PHP code        yes           no
  Scans databases       yes           no
  Scans extensions      yes           no
  Slack/phone alerts    yes           no
  Expert support        yes           no
  Frequency             continuous    daily

Can I use eComscan to scan multiple stores?

Standard eComscan licenses allow scanning and monitoring of a single store installation only. There are some exceptions:

  1. You may always scan staging and development copies that belong to the same store, without requiring an additional license.
  2. If you are an agency or service provider, we offer attractive volume pricing so you can protect all of your customers.

How does eComscan affect server load and resources?

eComscan runs at the lowest CPU and disk I/O priority, so it will not affect the performance of your store. This is true for “scrutinize” mode (--deep) as well. eComscan uses at most 200MB of memory, which is a fraction of the capacity of a typical eCommerce server.

How do I set up monitoring for multiple e-mail addresses?

You can set up eComscan to send its reports to multiple e-mail addresses by passing them to the --report or --monitor flag, separated by commas only. Do not put spaces after the commas: ecomscan --monitor [email protected],[email protected],[email protected].

How do I scan multiple folders / storefronts?

Some providers, such as Nexcess, advise setting up a different root folder per storefront using symlinks. The best way to scan them all is to scan the common parent folder (i.e. your home directory). See also our instructions for scanning cluster environments.

Do I still need a WAF if I use eComscan?

eComscan does not provide WAF-like functionality, and we recommend that our customers use one. As there are no Magento-optimized WAF services available today, any WAF will do (such as Cloudflare or Incapsula).

What eComscan does do is help you find vulnerabilities in your store before attackers try to exploit them. In that sense eComscan helps to prevent hacks, rather than only responding to them.

What do the timestamps in an eComscan report mean?

eComscan reports two timestamps for each detection. All timestamps are shown in GMT (UTC).

  • ctime: the inode change time. On Linux it is updated whenever the file is created, moved, written to, or has its permissions or owner changed. A regular user cannot set it to an arbitrary value (that requires root, for example by changing the system clock), so it is usually the most reliable indicator of when malicious activity happened. Note, however, that a legitimate release (a deploy, rsync or tarball extraction) also resets the ctime of every file it touches.
  • mtime: the last modification time of the file content. Any user who can write the file can set it to an arbitrary value (e.g. with touch -d), and attackers routinely backdate it to blend in with the original release, so it should be used with caution. An mtime that is much older than the ctime of the same file is itself a signal worth checking.
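The ctime/mtime relationship above gives a cheap triage check that a practitioner can run alongside a report. The following is an added example, not eComscan code: it builds a small constructed tree with one freshly written file and one file whose mtime has been pushed back three years (as an attacker would with touch -d), then lists every regular file whose mtime is more than a tolerance older than its ctime. The directory names and file contents are made up for the illustration, and the check assumes Linux/Unix semantics, where setting mtime bumps ctime to "now" (on Windows st_ctime is the creation time and the test does not apply).

```python
"""
Added example (not part of eComscan): flag files whose mtime looks backdated.

On Linux/Unix an unprivileged user can set mtime freely (touch -d, os.utime),
but the kernel then moves ctime to "now".  A file whose mtime is far older
than its ctime was therefore either timestomped or copied with preserved
mtimes during a release (rsync -a, tar -p).  Treat hits as leads, not proof.
"""
import os
import tempfile
import time
from pathlib import Path

ONE_DAY = 24 * 3600


def backdated_files(root, tolerance=ONE_DAY):
    """Return [(path, mtime, ctime)] for regular files under `root` whose
    mtime is more than `tolerance` seconds older than their ctime.
    Timestamps are epoch seconds, i.e. UTC-based like the GMT stamps in
    an eComscan report.  Symlinks are skipped so the stat() is on the
    file itself."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        if st.st_ctime - st.st_mtime > tolerance:
            hits.append((str(path), st.st_mtime, st.st_ctime))
    return hits


def build_sample_tree():
    """Constructed sample tree: a freshly written module file (mtime == ctime)
    and a dropped file whose mtime was pushed back three years to blend in
    with the original release.  Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="ecomscan-ts-")

    clean = Path(root, "app", "code", "Vendor", "Module", "Observer.php")
    clean.parent.mkdir(parents=True)
    clean.write_text("<?php // constructed stand-in for legitimate module code\n")

    stomped = Path(root, "pub", "media", "cache.php")
    stomped.parent.mkdir(parents=True)
    stomped.write_text("<?php // constructed stand-in for a dropped file\n")
    three_years_ago = time.time() - 3 * 365 * ONE_DAY
    # Sets atime and mtime only; the kernel updates ctime to the current time.
    os.utime(stomped, (three_years_ago, three_years_ago))
    return root


def fmt(ts):
    """Render an epoch timestamp the way the report does: GMT, to the second."""
    return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts)) + " GMT"


if __name__ == "__main__":
    for path, mtime, ctime in backdated_files(build_sample_tree()):
        print(f"mtime {fmt(mtime)}  <<  ctime {fmt(ctime)}  {path}")
```

Run it as-is and only pub/media/cache.php is listed. The tolerance exists because of the release caveat above: right after a deploy every file has a fresh ctime, so raise the tolerance to the age of your last release, or restrict the scan to directories that the release process does not write to (pub/media, var, vendor), to keep the list short.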

Should I implement Content Security Policy (CSP) and Subresource Integrity (SRI)?

There are two technical measures that you can implement to improve the security of your store: CSP and SRI. They are comparable to the airbag in your car: they limit some of the damage but won’t stop your car from crashing. In essence, they restrict which JavaScript can run on your site: CSP restricts the sources scripts may be loaded from, and SRI pins each external script to a checksum of its content.

Pro:

  • Good protection against supply chain attacks. If one of your embedded suppliers gets hacked, the attacker cannot use that supplier’s script to take control of your site.

Con:

  • It can be costly to maintain. If your supplier’s JavaScript changes, you have to update the SRI checksum, or the browser will refuse to load the script. If you add a new library, you need to update the CSP configuration. Depending on how often this happens, this can be cumbersome.
  • If you don’t use external JavaScript, it has very little benefit. If attackers can break into your site, they can also modify the CSP/SRI headers.
  • There are several techniques that circumvent CSP, so it will catch most (roughly 99%) of malware, but not all of it.

All in all, it is a trade-off between maintenance costs and possible losses. We recommend implementing it if you have annual revenue over $20M.

Will eComscan report all missing patches?

eComscan currently only monitors for missing critical patches, i.e. patches for bugs that are being exploited or are likely to be exploited within the next 12 months. There is no alerting for missing patches that only fix “theoretical flaws” (for which no actual abuse method is known to exist), as we do not want to overload our customers with alerts for minor, hypothetical issues. Examples are patches that fix security bugs which only apply to already-logged-in Magento staff (“authenticated privilege escalation”). NB. We may add full patch reporting in the future.

Does eComscan require root access?

While eComscan runs on the server, it does not require root access, and can be run as any user, as long as it can read the store files and database.

Do you underwrite for any PCI fines?

PCI SSC deliberately remains vague about compliance for Magento 1 (M1) stores, thereby shifting the risk to the merchant. As long as no security incident happens, there is no problem. But if an incident does happen, it is up to the merchant to prove that sufficient compensating controls were in place. See also our blog about this subject.

We believe that our product provides by far the best available security for Magento stores today. However, it is not a magic bullet. For example, we cannot prevent abuse if a merchant accidentally leaks a Magento admin password, or if a staff member falls victim to a phishing campaign. We can, however, limit and mitigate the damage, because our monitoring software will quickly alert you to any malicious activity on your store.

This page was last updated at Dec 8th, 2020
