Get started in 5 minutes!

Installation and usage

Congratulations on choosing the best eCommerce protection for your store! eComscan is a clever server-side scanner and monitoring solution. It can be run as a single scan or in monitoring mode.

Intended audience

eComscan should be installed by a developer or a server administrator (such as your hosting provider). SSH access is required.

Are you using Magento Cloud? See these specific instructions.

Installation

eComscan runs on your production (Linux) servers. To install eComscan in $HOME/bin, log in via SSH and run:

curl -s https://install.sansec.io | bash

You can also manually install the scanner by downloading a version for Linux amd64, Linux ARM (AWS Graviton) or Apple Silicon (M1/M2 chips).

Run a single scan

Start a single scan, replacing <your_email> with your email address and <store_path> with your store folder:

~/bin/ecomscan --report <your_email> <store_path>

If you have a license key, you can unlock detailed reporting by providing your key:

~/bin/ecomscan --key n8sFtfpWzz --report <your_email> /var/www/magento

eComscan performs an extensive file and database scan. The database credentials are taken from your store’s configuration files (such as local.xml). The scan should take 5-30 minutes (depending on the size of your store and the speed of your server) and then report how many issues were found. If that does not yield any surprises: congratulations! You can now install it in monitoring mode, see the next section.

Set up monitoring

In normal operation, you only want to get notified of relevant changes to your store. This is what monitoring does: eComscan runs continuously and alerts you to suspicious or insecure changes to your store. Log in via SSH and add a new cronjob using the “crontab -e” command. Then, add a new line, where you replace key, email and path with the correct values:

10 * * * * ~/bin/ecomscan --key <your_key> --monitor <your_email> <store_path>

eComscan will run at the lowest priority, so it will not affect the performance of your store. Should it find anything out of the ordinary, it will alert you via mail. It will not send you repeat alerts. However, you can always do a full scan with the --report option.

Are you hosted on Magemojo Stratus? Then you should enter the cronjob via the Magemojo cronjob web panel, as normal cronjobs are silently ignored. A sample Stratus cronjob command is:

/srv/bin/ecomscan --key <your_key> --monitor <your_email> /srv/public_html

Test your setup

If you want, you can add a “test malware” to your store and see if eComscan picks it up. Add this to a PHP or JS file, or to a CMS block or page in your database:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
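
The following script is an added example, not part of the original page or Sansec's own tooling. It plants the test string above in a dedicated file, runs a report scan with the options shown earlier, and removes the file again so the marker does not stay on a production store. The file name ecomscan-selftest.php, the helper names and the address you@example.com are assumptions.

```shell
#!/bin/sh
# Added example, not Sansec's code. Assumptions: the marker file name and the
# helper names. Check the emailed report to see whether the marker was listed.
ECOMSCAN="${ECOMSCAN:-$HOME/bin/ecomscan}"
MARKER_NAME="ecomscan-selftest.php"   # hypothetical name, easy to spot in a report

# Test string exactly as printed on this page; single quotes stop expansion.
TEST_STRING='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# plant_marker STORE_PATH: create the test file and print its path.
plant_marker() {
    pm_file="$1/$MARKER_NAME"
    [ -d "$1" ] || { echo "store path not found: $1" >&2; return 1; }
    # Never overwrite a file that already exists in the store.
    [ ! -e "$pm_file" ] || { echo "refusing to overwrite $pm_file" >&2; return 1; }
    printf '%s\n' "$TEST_STRING" > "$pm_file" || return 1
    printf '%s\n' "$pm_file"
}

# selftest STORE_PATH EMAIL [KEY]: plant, run a report scan, then clean up.
selftest() {
    st_marker="$(plant_marker "$1")" || return 1
    # Remove the test file even if the scan is interrupted.
    trap 'rm -f -- "$st_marker"; exit 130' INT TERM
    if [ -n "${3:-}" ]; then
        "$ECOMSCAN" --key "$3" --report "$2" "$1"
    else
        "$ECOMSCAN" --report "$2" "$1"
    fi
    st_rc=$?
    trap - INT TERM
    rm -f -- "$st_marker"
    return "$st_rc"
}

# Example: sh selftest.sh /var/www/magento you@example.com
if [ "$#" -ge 2 ]; then
    selftest "$@"
fi
```

The function returns the scanner's exit status.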

Got hacked?

In certain cases, such as when responding to an incident, you should run eComscan in scrutinize mode. This will take a long time and may produce false positives, so the results should be carefully examined by you or your developer.

~/bin/ecomscan --key <your_key> --min-confidence=0 --deep <store_path>

This will also display lower confidence hits (such as obfuscated, but not always malicious, code) and scan all files, instead of only executable files. Do not add the deep scan to your cron: it will slow down your store!

This page was last updated at Jun 13th, 2023