Will eComscan report all missing patches?
eComscan currently only monitors for the lack of critical patches, e.g. patches for bugs that are actively exploited. There is no alerting for missing patches that only fix "theoretical flaws" (for which no actual abuse method is known to exist), as we do not want to overload our customers with alerts for minor, hypothetical issues. This behaviour may change in the future though.
I have set up monitoring via cron but only got 1 mail?
It is the intended behaviour of --monitor to only send a mail when something has changed. If you want to always get an email report, change --monitor into --report.
I have set up monitoring via cron but I get mail every time?
Change --report into --monitor and you will only be notified whenever a new issue is found, or an old issue has been fixed.
How do I scan multiple folders / storefronts?
Some providers, such as Nexcess, advise setting up different root folders per storefront using symlinks. The best way to scan them all is to scan the parent folder (i.e. your home directory).
I have patched a vulnerable extension, but it still flags red?
Our vulnerable module check uses version numbers, not code signatures. If you have manually patched a vulnerable module, you can add "-patch" to the version number (in Vendor/Module/etc/config.xml), so that eComscan will stop flagging it as vulnerable.
Can I use my eComscan license to scan staging/development servers?
Yes, you are allowed to use your license key on any store that shares the same primary domain name.
I always get this error: Could not download signature db.
Something seems wrong with your network configuration. You are either behind a very restrictive firewall, or you have IPv6 lookups enabled for DNS but IPv6 routing fails. You should ask your network administrator / ISP.
I get: Query failed, perhaps this is a dev/test db server that I cannot reach
eComscan uses the password for the database from your store configuration. Sometimes, it finds store configuration that is used in local or development servers, and cannot connect to these servers. If you suspect something else is wrong, please re-run ecomscan with the --verbose option and share the results with us.
Shall I implement Content Security Policy (CSP) and Subresource Integrity (SRI)?
- Good protection against supply chain attacks. If one of your embedded suppliers gets hacked, they won't be able to take control of your site.
- There are several techniques that circumvent CSP, so it will only catch 99% of malware.
All in all, it is a trade-off between maintenance costs and possible losses. We recommend implementing it if you have annual revenue over $20M.
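As an added illustration of the SRI and CSP mechanisms named above (example code written for this FAQ, not part of eComscan), the following Python computes the integrity value that pins a supplier script and shows that a modified copy of that script fails the browser's check; the script contents, URL and host names are constructed.

```python
import base64
import hashlib

# Constructed sample: a supplier script as it is served today
ORIGINAL_SCRIPT = b"window.checkoutWidget = function () { /* legitimate */ };\n"
# Constructed sample: the same URL after the supplier's CDN was modified
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"/* extra code appended by a third party */\n"

# Strength order used when an integrity attribute lists several hashes
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Return the value to put in <script integrity="..."> for this exact content."""
    if algo not in STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Apply the browser's rule: of the listed hashes only the strongest algorithm
    counts, and the content passes if any hash of that algorithm matches."""
    parsed = []
    for token in integrity.split():
        algo, _, expected = token.partition("-")
        if algo in STRENGTH:
            parsed.append((STRENGTH[algo], algo, expected))
    if not parsed:
        # A browser enforces nothing here; we fail closed to surface the misconfiguration.
        return False
    strongest = max(level for level, _, _ in parsed)
    return any(sri_integrity(content, algo) == f"{algo}-{expected}"
               for level, algo, expected in parsed if level == strongest)


def script_tag(src: str, content: bytes) -> str:
    """Build the tag that pins a third-party script to the reviewed content.
    crossorigin="anonymous" is required for SRI on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_integrity(content)}" '
            'crossorigin="anonymous"></script>')


def csp_header(script_hosts: list[str]) -> str:
    """Allowlist-style CSP: scripts may only load from your own origin and the
    named supplier hosts; inline scripts and plugins are refused."""
    return ("default-src 'self'; script-src 'self' " + " ".join(script_hosts) +
            "; object-src 'none'; base-uri 'self'")
```

Regenerate the integrity value whenever a supplier legitimately ships a new version, otherwise the browser blocks the updated script too.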