Can I use my eComscan license to scan staging/development servers?

Yes, you are allowed to use your license key on any store that shares the same primary domain name.

How does eComscan compare to the Magento Security Scan?

We are proud that Adobe has incorporated Sansec technology in its free Magento Security Scan. While Adobe provides a useful service, their free scan is not able to inspect your server-side code (PHP files, database). And this is where most malware is hidden. So you need a server-side solution such as eComscan to monitor private assets.

Second, the Magento Security Scan only scans for issues in the core Magento application. However, most stores are getting hacked through third party components (“extensions” or “modules”), so you need a scanner that will alert you to vulnerabilities in those components as well.

 eComscanfree Magento scan
Scans Javascript
Scans PHP code
Scans databases
Scans extensions

Can I use eComscan to scan multiple stores?

Standard eComscan licenses allow scanning and monitoring of a single store installation only. There are some exceptions:

  1. You may always scan staging and development copies that belong to the same store, without requiring an additional license.
  2. If you are an agency or service provider, we offer attractive volume pricing so you can protect all of your customers.

How does eComscan affect server load and resources?

eComscan will run at the lowest CPU & disk priority, so it will not affect the performance of your store. This is true for “scrutinize” mode (--deep) as well. eComscan will use at most 200MB of memory, which is a fraction of the capacity of a typical eCommerce server.

I have set up monitoring via cron but only got 1 mail?

It is the intended behaviour of --monitor to only send a mail when something has changed. If you want to always get an email report, change --monitor into --report

I have set up monitoring via cron but I get mail every time?

Change --report into --monitor and you will only be notified whenever an new issue is found, or an old issue has been fixed.

How do I set up monitoring for multiple e-mail addresses?

You can set up eComscan to send it’s reports to multiple e-mail addresses by adding the e-mails to a --report or --monitor flag, seperated by only a comma. Be sure to not add any spaces between the comma’s: ecomscan --monitor [email protected],[email protected],[email protected].

How do I scan multiple folders / storefronts?

Some providers, such as Nexcess, advice to set up different root folders per storefront using symlinks. The best way to scan them all, is to scan the parent folder (ie, your home directory).

I have patched a vulnerable extension, but it still flags red?

Our vulnerable module check uses version numbers, not code signatures. If you have manually patched a vulnerable module, you can add -patch to the version number (in Vendor/Module/etc/config.xml), so that eComscan will stop flagging it as vulnerable.

Do I steel need a WAF if I use eComscan?

eComscan does not provide WAF-like functionality, and we recommend our customers to still use a WAF. As there are no Magento-optimized WAF services available today, any WAF will do (such as Cloudflare, Incapsula).

eComscan does help you find vulnerabilities in your store, before attackers even try to exploit them. So eComscan helpts to prevent hacks instead of having to respond to them.

I always get this error: Could not download signature db.

Something seems wrong with your network configuration. You are either behind a very restrictive firewall, or you have IPv6 lookups enabled for DNS but IPv6 routing fails. You should ask your network administrator / ISP.

I get: Query failed, perhaps this is a dev/test db server that I cannot reach

eComscan uses the password for the database from your store configuration. Sometimes, it finds store configuration that is used in local or development servers, and cannot connect to these servers. If you suspect something else is wrong, please re-run ecomscan with the --verbose option and share the results with us.

Shall I implement Content Security Policy (CSP) and Subresource Integrity (SRI) ?

There are two technical measures that you can implement to improve the security of your store: CSP and SRI. They are comparable to the airbag in your car: they will limit some damage but won’t stop your car from crashing. In essence, they restrict the Javascript that can be run on your site. 


  • Good protection against Supply Chain Attacks. If one of your embedded suppliers get hacked, they won’t be able to take control of your site.


  • It can be costly to maintain. If your supplier’s Javascript changes, you would have to update the SRI checksum. If you add a new library, you would need to update the CSP configuration. Depending on how often this happens, this can be cumbersome.
  • If you don’t use external Javascript, it has very little benefit. If attackers can break into your site, they can also modify the CSP/SRI headers.
  • There are several techniques that circumvent CSP, so it will only catch 99% of malware.

All in all, it is a trade off between maintenance costs and possible losses. We recommend to implement it if you have annual revenue over $20M.

Will eComscan report all missing patches?

eComscan currently only monitors for the lack of critical patches, eg patches for bugs that are currently exploited or are likely to be exploited within the next 12 months. There is no alerting for missing patches that only fix “theoretical flaws” (for which no actual abuse method is known to exist), as we do not want to overload our customers with alerts for minor, hypothetical issues. An example are patches that fix security bugs that only apply to already-logged-in Magento staff (“authenticated privilege escalation”). NB. We may add full patch reporting in the future.

I have found a malware that eComscan did not identify?

We are sorry to hear that eComscan did not identify this instance. While our scanning technology identifies about 99.5% of all ecommerce malware, we cannot guarantee 100% coverage because criminal groups are continuously evolving their practices. Our team runs forensic cases across the globe and we are usually able to produce a signature within hours of a new malware release. But on a (very) rare occasion, a new strain may slip through, especially if it is uses obfuscation which is also used by many legitimate vendors.

Please share the specific malware with us, and we are happy to help you (free of charge) with your case.

Does eComscan require root access?

While eComscan runs on the server, it does not require root access, and can be run as any user, as long as it can read the store files and database.

Do you underwrite for any PCI fines?

PCI SSC deliberately remains vague about compliance for M1 stores, thereby shifting the risk to the merchant. As long as no security incident happens, there is no problem. But if an issue happens, it is up to the merchant to prove that s/he has implemented sufficient compensating controls. See also our blog about this subject.

We believe that our product provides by far the best available security for Magento stores today. However, it is not a magic bullet. For example, we cannot prevent abuse if a merchant accidentally leaks his/her Magento admin password, or one of the staff members becomes victim of a phishing campaign. We are able to limit and mitigate any damage, because our monitoring software will quickly alert you to any malicious activity on your store.

This page was last updated at Sep 24th, 2020

Need expert advice?

We are here to help!

Get in touch