A malware and vulnerability scanner
You run eComscan as an application on your (Linux) production server, either as a single scan (scrutinize mode) or continuously as a monitor. It should really run on your server, because most malware (60%) is hidden there, whether in code, databases or processes. Many other security products (Detectify, Sucuri Sitecheck) will scan your server from the outside, and cannot inspect everything.
Upon every run, eComscan retrieves the latest signatures. These signatures are updated multiple times per week (sometimes per day) so you benefit from the latest threat intel.
In addition to a file scan, eComscan recognizes configurations of common shop systems (Magento, WooCommerce etc). When it finds one, it will use that configuration to connect to your database server. It then scans specific tables for malicious code. Because there are only a limited number of tables where criminals can inject executable code, the total amount of scanned data is limited and the scan has no impact on the performance of your store.
eComscan also scans running processes. Hackers use malicious processes to intercept customer data, or as a backdoor to ensure future access. Malicious processes are also popular because they can run on servers that use read-only storage.
Scheduled task scan
eComscan also scans scheduled tasks (cron). Malicious cron tasks are often used to implement persistence.
eComscan incorporates a secure self-updater. If new checks or improvements are available, they are automatically installed. NB: make sure that the ecomscan program is writable, otherwise auto-update will be skipped. Self-update may also fail if the user running ecomscan differs from the user owning the ecomscan program. You can check by running:
ls -la `which ecomscan`; id
This should produce, for example:
$ ls -la `which ecomscan`; id
-rwxr-xr-x 1 app app /data/web/bin/ecomscan
uid=1000(app) gid=1000(app) groups=1000(app)
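The two self-update conditions above can be checked in a deploy script. This is an added example, not part of eComscan or its documentation: the function name `check_self_update` and its status words are hypothetical, and the group/other-writable check is an extra hardening assumption that goes beyond what the page requires.

```shell
#!/bin/sh
# Added example, not eComscan code: preflight for the self-update conditions.
# check_self_update PATH [UID]
#   PATH  program to check (e.g. the result of `which ecomscan`)
#   UID   numeric uid that will run it; defaults to the current user
# Prints one status word; returns 0 only for "ok".
check_self_update() {
    bin=$1
    run_uid=${2:-$(id -u)}
    [ -f "$bin" ] || { echo "missing"; return 2; }
    # GNU/busybox stat syntax; -L follows a symlink to the real program.
    owner_uid=$(stat -L -c '%u' "$bin") || return 2
    mode=$(stat -L -c '%a' "$bin") || return 2    # octal, e.g. 755

    # From the page: the user running the program must also own it.
    if [ "$owner_uid" != "$run_uid" ]; then
        echo "owner-mismatch"; return 1
    fi
    # From the page: the program must be writable (owner write bit).
    if [ $(( 0$mode & 0200 )) -eq 0 ]; then
        echo "not-writable"; return 1
    fi
    # Added hardening check (assumption, not from the page): a program that
    # replaces itself should not be writable by group or other accounts.
    if [ $(( 0$mode & 0022 )) -ne 0 ]; then
        echo "too-permissive"; return 1
    fi
    echo "ok"
}

# Check the installed program when it is on PATH, as in the command above.
if installed=$(command -v ecomscan); then
    check_self_update "$installed" || true
fi
```

Pass the service account's numeric uid as the second argument to run the check from an administrator account instead of the account that runs the scanner.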
eComscan reports to the console (possibly in JSON/CSV format for automated parsing). When given the --report or --monitor options, it will email a report to you. With the --slack and --phone options, you can receive alerts via Slack or SMS (Advanced plan and up).
eComscan will match the license URL with the configured URLs of the store. If any of the store's frontend URLs matches, it will continue. This enables you to run eComscan on dev & staging environments. This is actually recommended, because you will be able to catch vulnerabilities at an early stage.
What is Magecart?
Also known as digital skimming, this crime has surged since 2015. Criminals steal card data during online shopping. Who are behind these notorious hacks, how does it work, and how have Magecart attacks evolved over time?