For problems & solutions running eComscan, see troubleshooting.
Can I use my eComscan license to scan staging/development servers?
Yes, you are allowed to use your license key on any store that shares the same primary domain name.
How does eComscan compare to free Magento security scans?
To cover the full attack surface, you need a white-box solution such as eComscan. Because it runs on your servers, it is able to inspect all components that are relevant to your transaction flow.
Second, the Magento Security Scan only scans for issues in the core Magento application. However, most stores are getting hacked through third party components (“extensions” or “modules”), so you need a scanner that will alert you to vulnerabilities in those components as well. eComscan is the only security solution in the world that tracks these vulnerabilities.
|Scans PHP code||✔||✗|
Can I use eComscan to scan multiple stores?
Standard eComscan licenses allow scanning and monitoring of a single store installation only. There are some exceptions:
- You may always scan staging and development copies that belong to the same store, without requiring an additional license.
- If you are an agency or service provider, we offer attractive volume pricing so you can protect all of your customers.
How does eComscan affect server load and resources?
eComscan will run at the lowest CPU & disk priority, so it will not affect the performance of your store. This is true for “scrutinize” mode (
--deep) as well. eComscan will use at most 200MB of memory, which is a fraction of the capacity of a typical eCommerce server.
How do I set up monitoring for multiple e-mail addresses?
You can set up eComscan to send its reports to multiple e-mail addresses by adding the e-mails to a
--monitor flag, seperated by only a comma. Be sure to not add any spaces between the comma’s:
ecomscan --monitor [email protected],[email protected],[email protected].
How do I scan multiple folders / storefronts?
Some providers, such as Nexcess, advice to set up different root folders per storefront using symlinks. The best way to scan them all, is to scan the parent folder (ie, your home directory). See also our instructions for scanning cluster environments.
Do I still need a WAF if I use eComscan?
eComscan does not provide WAF-like functionality, and we recommend our customers to use one. As there are no Magento-optimized WAF services available today, any WAF will do (such as Cloudflare, Incapsula).
eComscan does help you find vulnerabilities in your store, before attackers even try to exploit them. So eComscan helps to prevent hacks instead of having to respond to them.
What do the timestamps in an eComscan report mean?
eComscan reports two relevant timestamps for detections. All timestamps are shown using the standard GMT (UTC) time zone.
ctime: Typically this indicates the date that the file was moved or created. On Linux, this timestamp cannot be tampered with by a regular user and may therefore be an important indicator for when malicious activity happened. However, the ctime may be reset during a legitimate release.
mtime: This indicates the last modification date of the file. This can be easily spoofed by an attacker, which often happens, so it should be used with caution.
Shall I implement Content Security Policy (CSP) and Subresource Integrity (SRI) ?
- Good protection against Supply Chain Attacks. If one of your embedded suppliers get hacked, they won’t be able to take control of your site.
- There are several techniques that circumvent CSP, so it will only catch 99% of malware.
All in all, it is a trade off between maintenance costs and possible losses. We recommend to implement it if you have annual revenue over $20M.
Will eComscan report all missing patches?
eComscan currently only monitors for the lack of critical patches, eg patches for bugs that are currently exploited or are likely to be exploited within the next 12 months. There is no alerting for missing patches that only fix “theoretical flaws” (for which no actual abuse method is known to exist), as we do not want to overload our customers with alerts for minor, hypothetical issues. An example are patches that fix security bugs that only apply to already-logged-in Magento staff (“authenticated privilege escalation”). NB. We may add full patch reporting in the future.
Does eComscan require root access?
While eComscan runs on the server, it does not require root access, and can be run as any user, as long as it can read the store files and database.
Do you underwrite for any PCI fines?
PCI SSC deliberately remains vague about compliance for M1 stores, thereby shifting the risk to the merchant. As long as no security incident happens, there is no problem. But if an issue happens, it is up to the merchant to prove that s/he has implemented sufficient compensating controls. See also our blog about this subject.
We believe that our product provides by far the best available security for Magento stores today. However, it is not a magic bullet. For example, we cannot prevent abuse if a merchant accidentally leaks his/her Magento admin password, or one of the staff members becomes victim of a phishing campaign. However, we are able to limit and mitigate any damage for you, because our monitoring software will quickly alert you to any malicious activity on your store.
Do you also scan on the OS or platform level?
The compromise of a store via vulnerabilities in the OS is extremely rare, in fact we have not seen any of such incidents in the past 8 years and thousands of investigations. That is why we developed eComscan with a laser-sharp focus on Magento itself (and periphery, such as 3rd party extensions!).
Still, it is possible that an OS level hack would happen one day. This is typically the responsibility of the ISP and we recommend to follow best security practices, most importantly a) always run a supported version of the OS and b) ensure to enable auto-installation of security updates. With these measures in place, an OS scan will not add much value, but if you still want one, we can recommend the generic scanner from Acunetix
What confidence level should be chosen?
eComscan employs a suite of detection patterns, some of which have a low confidence levels. These low confidence signatures can be very useful in case of an incident, but are generally weak indicators & potentially yield false positive detections. Our recommendation is to use the default confidence threshold (=50) for monitoring scans. In case of an incident, our recommendation is to run a deep scan with
--min-confidence=0 --deep. As some detections will potentially be false positive, results must be properly verified to assess if the detected files/database fields contain malicious code.
This page was last updated at Mar 24th, 2021