Install eComscan on Adobe Commerce Cloud
by Sansec
Published in Guides
eComscan is the ideal solution for malware detection and prevention on Adobe Commerce Cloud
Adobe Commerce Cloud lacks server-level malware detection capabilities, so it is essential to use a third-party security solution to protect your store and maintain PCI DSS compliance.
eComscan is specifically designed for Adobe Commerce Cloud environments and protects your store against malware and other security threats. It satisfies PCI DSS requirements for malware prevention and detection (sections 5.1, 5.2 and 5.3) and integrates perfectly with Adobe's cloud infrastructure. The installation process would take your development team just a few minutes.
Key benefits for Adobe Commerce Cloud users:
- Real-time malware detection and prevention
- Best coverage against emerging threats
- PCI DSS 4 section 5 compliance
- Zero performance impact
- Quick and easy deployment
- Continuous protection through automated updates
Setup
See the general instructions for running ecomscan for the first time.
Adobe Commerce Cloud has read-only storage, which is good practice from a security perspective. However, since eComscan uses auto-update to always have the latest detection capabilities, eComscan needs to be installed on a writable partition of your server. For Adobe Cloud, this is /mnt/shared/. Install eComscan using these commands:
mkdir -p /mnt/shared/$LOGNAME/sansec
curl https://sansec.io/downloads/linux-$(uname -m)/ecomscan -o /mnt/shared/$LOGNAME/sansec/ecomscan
chmod 755 /mnt/shared/$LOGNAME/sansec/ecomscan
Then, add a custom cron job as described here to your .magento.app.yaml file, see next section.
Adobe Cloud monitoring
We recommend to:
- Install ecomscan on the first node of your production environment.
- Run a daily scan for all files (path:
/app/$LOGNAME). For a large store, this scan may take up to an hour. - Run an hourly scan for your database assets (path:
/app/$LOGNAME/app/etc/env.php). Because only selected tables are scanned, this scan is completely unobtrusive.
Summing up, adding eComscan to your .magento.app.yaml file may look like this:
crons:
ecomscanhourly:
spec: "10 * * * *"
cmd: "/mnt/shared/$LOGNAME/sansec/ecomscan --key YOURKEY --monitor YOUR@EMAIL.COM /app/$LOGNAME/app/etc/env.php"
ecomscandaily:
spec: "40 1 * * *"
cmd: "/mnt/shared/$LOGNAME/sansec/ecomscan --key YOURKEY --monitor YOUR@EMAIL.COM /app/$LOGNAME"
Safely storing eComscan key
While exposure of your license key would not expose your data (it would merely give access to our signature feed), we do recommend to treat it as any other secret and keep it separate from your source repo.
You can store the secret key outside of your repo root, for example in /mnt/shared/$LOGNAME/sansec/license.txt and access it like this:
/mnt/shared/$LOGNAME/sansec/ecomscan -k $(cat /mnt/shared/$LOGNAME/sansec/license.txt) /app/$LOGNAME
In this article
Realtime store protection?
Try Sansec Shield! No more stressing to install patches on a Friday afternoon. The most advanced WAF for Magento stores gives you peace of mind.
Sansec Shield
