FAQ

For problems & solutions running eComscan, see troubleshooting.

Can I use my eComscan license to scan staging/development servers?

Yes, you are allowed to use your license key on any store that shares the same primary domain name.

How does eComscan compare to free Magento security scans?

While we are proud that Adobe has incorporated Sansec technology in its free Magento Security Scan, free scans have limited coverage. By their very nature, they can only scan publicly available assets (Javascript). However, most malware (65%) is hidden on the server in PHP code, databases or system processes. Or malware is hidden deep in your checkout flow, where a public scanner cannot go.

To cover the full attack surface, you need a white-box solution such as eComscan. Because it runs on your servers, it is able to inspect all components that are relevant to your transaction flow.

Second, the Magento Security Scan only scans for issues in the core Magento application. However, most stores are getting hacked through third party components (“extensions” or “modules”), so you need a scanner that will alert you to vulnerabilities in those components as well. eComscan is the only security solution in the world that tracks these vulnerabilities.

Can I use eComscan to scan multiple stores?

Standard eComscan licenses allow scanning and monitoring of a single store installation only. There are some exceptions:

1. You may always scan staging and development copies that belong to the same store, without requiring an additional license.
2. If you are an agency or service provider, we offer attractive volume pricing so you can protect all of your customers.

Does eComscan run along New Relic?

Absolutely, they do not affect each others functioning. Many of our customers use New Relic.

Does eComscan run along Fastly?

99% of eComscan checks are performed server-side and do not interact with Fastly servers. However, some checks, such as “exposed backup archives”, require access to the public facing site. These requests are typically not blocked by the Fastly WAF, unless the public IP of the web server is blocked by Fastly for some other reason. You can run eComscan manually with the --verbose flag the first time to verify whether this is the case.

How does eComscan affect server load and resources?

eComscan was designed to run transparently on any eCommerce server. eComscan runs at the lowest CPU & disk priority. This means that eComscan only uses idle capacity, so it does not affect the performance of your store. This is true for “scrutinize” mode (--deep) as well. eComscan will use at most 200MB of memory, which is a tiny fraction of the capacity of a typical eCommerce server.

Are you running a cluster setup with network (NFS) storage (for example, for the media folder)? See our Advanced Scanning section for possible optimizations.

How do I set up monitoring for multiple e-mail addresses?

You can set up eComscan to send its reports to multiple e-mail addresses by adding the e-mails to a --report or --monitor flag, seperated by only a comma. Be sure to not add any spaces between the comma’s: ecomscan --monitor [email protected],[email protected],[email protected].

How do I scan multiple folders / storefronts?

Some providers, such as Nexcess, advice to set up different root folders per storefront using symlinks. The best way to scan them all, is to scan the parent folder (ie, your home directory). See also our instructions for scanning cluster environments.

Do I still need a WAF if I use eComscan?

eComscan does not provide WAF-like functionality, and we recommend our customers to use one. As there are no Magento-optimized WAF services available today, any WAF will do (such as Cloudflare, Incapsula).

eComscan does help you find vulnerabilities in your store, before attackers even try to exploit them. So eComscan helps to prevent hacks instead of having to respond to them.

What do the timestamps in an eComscan report mean?

eComscan reports two relevant timestamps for detections. All timestamps are shown using the standard GMT (UTC) time zone.

• ctime: Typically this indicates the date that the file was moved or created. On Linux, this timestamp cannot be tampered with by a regular user and may therefore be an important indicator for when malicious activity happened. However, the ctime may be reset during a legitimate release.
• mtime: This indicates the last modification date of the file. This can be easily spoofed by an attacker, which often happens, so it should be used with caution.

Shall I implement Content Security Policy (CSP) and Subresource Integrity (SRI) ?

There are two technical measures that you can implement to improve the security of your store: CSP and SRI. They are comparable to the airbag in your car: they will limit some damage but won’t stop your car from crashing. In essence, they restrict the Javascript that can be run on your site. 

Pro:

• Good protection against Supply Chain Attacks. If one of your embedded suppliers get hacked, they won’t be able to take control of your site.

Con:

• It can be costly to maintain. If your supplier’s Javascript changes, you would have to update the SRI checksum. If you add a new library, you would need to update the CSP configuration. Depending on how often this happens, this can be cumbersome.
• If you don’t use external Javascript, it has very little benefit. If attackers can break into your site, they can also modify the CSP/SRI headers.
• There are several techniques that circumvent CSP, so it will only catch 99% of malware.

All in all, it is a trade off between maintenance costs and possible losses. We recommend to implement it if you have annual revenue over $20M.

Will eComscan report all missing patches?

eComscan currently only monitors for the lack of critical patches, eg patches for bugs that are currently exploited or are likely to be exploited within the next 12 months. There is no alerting for missing patches that only fix “theoretical flaws” (for which no actual abuse method is known to exist), as we do not want to overload our customers with alerts for minor, hypothetical issues. An example are patches that fix security bugs that only apply to already-logged-in Magento staff (“authenticated privilege escalation”). NB. We may add full patch reporting in the future.

Does eComscan require root access?

While eComscan runs on the server, it does not require root access, and can be run as any user, as long as it can read the store files and database.

Do you underwrite for any PCI fines?

PCI SSC deliberately remains vague about compliance for M1 stores, thereby shifting the risk to the merchant. As long as no security incident happens, there is no problem. But if an issue happens, it is up to the merchant to prove that s/he has implemented sufficient compensating controls. See also our blog about this subject.

We believe that our product provides by far the best available security for Magento stores today. However, it is not a magic bullet. For example, we cannot prevent abuse if a merchant accidentally leaks his/her Magento admin password, or one of the staff members becomes victim of a phishing campaign. However, we are able to limit and mitigate any damage for you, because our monitoring software will quickly alert you to any malicious activity on your store.

Do you also scan on the OS or platform level?

The compromise of a store via vulnerabilities in the OS is extremely rare, in fact we have not seen any of such incidents in the past 8 years and thousands of investigations. That is why we developed eComscan with a laser-sharp focus on Magento itself (and periphery, such as 3rd party extensions!).

Still, it is possible that an OS level hack would happen one day. This is typically the responsibility of the ISP and we recommend to follow best security practices, most importantly a) always run a supported version of the OS and b) ensure to enable auto-installation of security updates. With these measures in place, an OS scan will not add much value, but if you still want one, we can recommend the generic scanner from Acunetix

Does Sansec provide penetration testing (pen tests) ?

Sansec focuses on whitebox analysis (i.e. code inspection) as opposed to behavioral analysis (i.e. blackbox or pen testing). The reason for this is that whitebox analysis is much more accurate and comprehensive. Blackbox testing isn’t able to examine all application paths, for example when certain privileges or conditions are required.

Another reason is that blackbox testing typically requires thousands of server requests, which negatively impacts store performance. Whitebox testing doesn’t affect server performance and can therefore run continuously, while proper blackbox testing can only be executed incidentally.

Because Sansec provides test signatures for all known Magento attack vectors, our coverage is typically 100%. The only exception is when you have developed custom code for your store. In that case we would recommend to hire a Magento agency for a code audit. See our partner section for recommended agencies.

If your payment service provider requires a pen test, we would recommend to engage one of our security consultancy partners.

What confidence level should be chosen?

eComscan employs a suite of detection patterns, some of which have a low confidence levels. These low confidence signatures can be very useful in case of an incident, but are generally weak indicators & potentially yield false positive detections. Our recommendation is to use the default confidence threshold (=50) for monitoring scans. In case of an incident, our recommendation is to run a deep scan with --min-confidence=0 --deep. As some detections will potentially be false positive, results must be properly verified to assess if the detected files/database fields contain malicious code.