eComscan usage
by Team Sansec
Published in Guides
Scan your store in a few clicks. Running a basic scan is free and does not require registration. It should be run by a developer or server admin.
Automatic scan
eComscan runs on your production (Linux) servers. Log in via SSH and use the following command to start a scan of your store (it will run this script):
curl https://ecomscan.com | sh
Manual scan
You can manually install the scanner by downloading a version for Linux amd64, Linux ARM (AWS Graviton) or Apple Silicon (M1/M2 chips). For example, run this:
mkdir -p ~/bin
curl https://ecomscan.com/downloads/linux-amd64/ecomscan -o ~/bin/ecomscan
chmod 755 ~/bin/ecomscan
Start a single scan:
~/bin/ecomscan --report=your@email /path/to/store/root/folder
If you have a license key (get it here), you can unlock detailed reporting by providing your key, for example:
~/bin/ecomscan --key=n8sFtfpWzz [email protected] /var/www/magento
eComscan performs an extensive file, database, process and task scan. The database credentials are taken from your store's configuration files (such as env.php). The scan takes about 5-30 minutes (depending on the size of your store and the speed of your server) and will report any found malware or vulnerabilities. If that does not yield any surprises: congratulations! You can now install it in monitoring mode, see the next section.
Set up monitoring
Most operations teams only want to get notified when something important happens to their store. This is what exactly the purpose of eComscan monitoring: to run continuously and alert you on suspicious or insecure changes to your store. Log in via SSH and add a new cronjob using the crontab -e command. Then, add a new line, where you replace key, email and path with the correct values:
10 * * * * ~/bin/ecomscan --key=<your_key> --monitor=<your_email> <store_path>
eComscan will run at the lowest priority, so it will not affect the performance of your store. Should it find anything out of the ordinary, it will alert you via mail. It will not send you repeat alerts.
Do you want to receive periodic reports, regardless of what was found? Some of our customers add a weekly scan using the --report option to their cron, which will always send a report.
Are you using Adobe Cloud? See these specific instructions.
Are you hosted on Webscale Stratus? Then you should enter the cronjob via the Stratus Cronjob web panel, as normal cronjobs are silently ignored. A sample Stratus cronjob command is:
/srv/bin/ecomscan --key <your_key> --monitor <your_email> /srv/public_html
Test your setup
If you want, you can add a "test malware" to your store and see if eComscan picks it up. Add this to a PHP or JS file, or to a CMS block or page in your database:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Got hacked?
In certain case, such as when responding to an incident, you should run eComscan in scrutinize mode. This will take a long time and may produce false positives, so the results should be carefully examined by you or your developer.
~/bin/ecomscan --key <your_key> --min-confidence=0 --deep <store_path>
This will also display lower confidence hits (such as obfuscated - but not always malicious - code) and scan all files, instead of only executable files. Do not add the deep scan to your cron, it will slow down your store!
Online reports
A full eComscan report can be viewed and shared online (demo here). Reports are kept for a maximum of 6 months. If you don’t want to use online reports, you can use the --skip-dashboard option in your eComscan command. Please note that this is incompatible with the --monitor and --report options.
Read more
In this article
Easy CSP for your store?
Try Sansec Watch! Free, simple and fully integrated. Get PCI compliant alerting with minimal effort.
Sansec Watch
