Note
This ImunifyAV documentation is applicable for cPanel and DirectAdmin control panels only.
ImunifyAV provides malware scanning features for cPanel and DirectAdmin control panels.
Operating systems
Virtualization
Hardware
Supported hosting panels
Required browsers
Warning
On DirectAdmin, the Imunify UI requires the proc_open PHP function to be enabled. If you are unable to open the Imunify UI, you might see a related message in the error.log of the web server. If so, please remove proc_open from the disable_functions list in php.ini.
To install ImunifyAV, follow these steps:
Log in with root privileges to the server where ImunifyAV should be installed.
Go to your home directory and run the commands:
wget https://repo.imunify360.cloudlinux.com/defence360/imav-deploy.sh
bash imav-deploy.sh
To install the ImunifyAV beta version, add the --beta argument. For example:
bash imav-deploy.sh --beta
If you already have an ImunifyAV+ license key, you can use it during installation:
wget https://repo.imunify360.cloudlinux.com/defence360/imav-deploy.sh
bash imav-deploy.sh --key YOUR_KEY
where YOUR_KEY is your license key. Replace YOUR_KEY with the actual key purchased at https://www.imunify360.com/.
If you have an IP-based license for ImunifyAV+, use IPL as the license key:
wget https://repo.imunify360.cloudlinux.com/defence360/imav-deploy.sh
bash imav-deploy.sh --key IPL
To view the available options for the installation script, run:
bash imav-deploy.sh -h
If the registration key is provided later, you can register an activation key with the imunify-antivirus command:
imunify-antivirus register YOUR_KEY
where YOUR_KEY is your activation key, or IPL in the case of an IP-based license.
To upgrade ImunifyAV run the command:
yum update imunify-antivirus
To update ImunifyAV beta version run the command:
yum update imunify-antivirus --enablerepo=imunify360-testing
To update ImunifyAV on Ubuntu run the command:
apt-get update
apt-get install --only-upgrade imunify-antivirus
To update ImunifyAV beta on Ubuntu 16.04 LTS run the command:
echo 'deb https://repo.imunify360.cloudlinux.com/imunify360/ubuntu-testing/16.04/ xenial main' > /etc/apt/sources.list.d/imunify360-testing.list
apt-get update
apt-get install --only-upgrade imunify-antivirus
To update ImunifyAV beta on Ubuntu 18.04 run the command:
echo 'deb https://repo.imunify360.cloudlinux.com/imunify360/ubuntu-testing/18.04/ bionic main' > /etc/apt/sources.list.d/imunify360-testing.list
apt-get update
apt-get install --only-upgrade imunify-antivirus
If you do not want to receive updates from beta, remove beta repository:
rm /etc/apt/sources.list.d/imunify360-testing.list
apt-get update
New stable ImunifyAV versions are scheduled for the gradual roll-out from our production repository and are available for all customers in about two weeks or less from the release.
If you do not want to wait for the gradual roll-out, you can update ImunifyAV to the latest version by running the following commands:
wget https://repo.imunify360.cloudlinux.com/defence360/imunify-force-update.sh
bash imunify-force-update.sh
To uninstall ImunifyAV, run the command:
bash imav-deploy.sh --uninstall
If you have already removed imav-deploy.sh, then download it by running:
wget https://repo.imunify360.cloudlinux.com/defence360/imav-deploy.sh
And proceed to the directory with the script.
For CentOS/CloudLinux OS 6, run the following command:
service imunify-antivirus stop
For all other operating systems, run the following command:
systemctl stop imunify-antivirus
ImunifyAV supports the following languages in addition to default (en-US):
Contact ImunifyAV support to request the latest language file.
The file is in JSON format; its values are the translations.
We use this syntax to translate plurals and other dynamic content: https://messageformat.github.io/messageformat/page-guide
Note that you can use it to provide a translation for each plural case in your language: http://www.unicode.org/cldr/charts/latest/supplemental/language_plural_rules.html
You can use this tool to simplify the process: https://translation-manager-86c3d.firebaseapp.com/
Send the translated version to us and we will gladly include it in one of the nearest releases of ImunifyAV.
Click ImunifyAV in the main menu. The ImunifyAV hoster interface has the following tabs:
Go to ImunifyAV → Users tab. Here, there is a table with a list of users on the server, except users with root privileges.
Figure: ImunifyAV → Users tab
The table has the following columns:
Note
Cleaning up all files of all users and scanning all files is available in ImunifyAV+. To upgrade to ImunifyAV+, click Upgrade to ImunifyAV+ or click the Cleanup all button; either way, you will be redirected to the ImunifyAV+ upgrade page.
The badge in the History tab shows the number of missed events in the Malware Scanner’s History.
The following filters are available:
Items per page displayed — click the number at the table bottom.
The table can be sorted by User name and Infection status (by the date of the last action).
Go to ImunifyAV → Files tab. Here, there is a table with a list of infected files within all domains and user accounts.
Figure: ImunifyAV → Files tab
The table has the following columns:
SMW-SA-05155-wshll – in this Signature ID:
SMW or CMW. SMW stands for Server Malware and CMW stands for Client Malware.
INJ or SA. INJ stands for Injection (means Malware is Injected to some legitimate file) and SA stands for StandAlone (means File is Completely Malicious).
05155. This is simply an identification number for the signature.
wshll/mlw.wp/etc explains the category and class of malware identified. Here, wshll stands for web shell (mlw stands for malware).
0, which provides the version number of the signature.
To perform a bulk action, tick required users and click the corresponding button above the table.
Warning
Starting from ImunifyAV(+) v.5.5, the Delete permanently option is available only via CLI. It will be removed completely in ImunifyAV(+) v.5.9. For more information see this blog post.
Note
Cleaning up all files of all users is available in ImunifyAV+. To upgrade to ImunifyAV+, click Upgrade to ImunifyAV+ or click the Cleanup all button; either way, you will be redirected to the ImunifyAV+ upgrade page.
The following filters are available:
The table can be sorted by detection date (detected), user name, file path (file), reason, and status.
The Malware Scanner allows users to scan a specific directory or file for malware. Go to ImunifyAV → Scan tab. Then follow these steps:
/
.
It is possible to use Advanced settings:
*.php - all the files with the extension php). The default setting is * which means all files without restriction.
*.html will ignore all files with the extension html).
Note
If ImunifyAV is running on CloudLinux OS, LVE is used to manage scan intensity. If it is running on other operating systems, “nice” is used to control CPU and “ionice” is used when the I/O scheduler is CFQ.
Figure: ImunifyAV → Scan tab
At the top right corner scanning progress and status are displayed:
Figure: ImunifyAV → Scan tab
When scanning is completed, the results are shown in the table below with the following information:
Figure: ImunifyAV → Scan table
The following filters are available:
Timeframe — displays the results filtered by chosen period or date. To review and manage suspicious files go to the Files tab.
The table can be sorted by Date, Path, Total files, and Result.
Figure: Scan table → Filter
The History tab contains data of all actions for all files. Go to ImunifyAV → History tab. Here, there is a table with a list of files within all domains.
Figure: ImunifyAV → History tab
The table has the following columns:
The table can be sorted by Date, Path to File, Cause, and Owner.
The Ignore List tab contains the list of files that are excluded from Malware Scanner scanning. Go to ImunifyAV → Ignore List tab. Here, there is a table with a list of files within all domains.
Figure: ImunifyAV → Ignore list tab
The table has the following columns:
The following filters are available:
Timeframe — displays the results filtered by chosen period or date.
Items per page displayed — click the number at the table bottom.
Path – displays the results filtered by a path in a direct or reverse alphabetical order.
The table can be sorted by Added and Path. By default, it is sorted from newest to oldest.
The Features Management tab lets you enable or disable ImunifyAV features for each customer. Go to ImunifyAV → Features Management tab.
Figure: ImunifyAV → Features Management tab
To enable the Malware Cleanup feature for new users by default, move the Malware Cleanup slider.
The table has the following columns:
To perform a bulk action, tick required users and move the Malware Cleanup slider at the table header. Confirm the action on the confirmation popup.
Note
Reputation Management is available in ImunifyAV+ only.
Reputation Management is an analysis and notification tool that informs you when websites are blocked or blacklisted.
Choose Reputation Management in the main menu of the ImunifyAV+ user interface to get to the Reputation Management page.
Reputation Management lets you check whether a domain registered on your server is safe, based on the following reputation engines:
How does it work:
If a domain or an IP is blocked, then this information will be available in the table below. If a user’s website appears in this table, then it would be useful to send this link to the user. This instruction can help to solve problems with the domain.
At the top of the page (also in the main menu near Reputation Management item), ImunifyAV+ shows the number of affected domains. This number is a quantity of affected domains that exist on the server.
The table shows:
Figure: ImunifyAV → Reputation Management
Click the link icon in the Action column to copy the URL to the clipboard.
Note
Reputation Management online and browser look may differ. This is because Google Safe Browsing has an issue described on github.
Go to ImunifyAV → Settings tab to set up the behaviour of the ImunifyAV scanner. Here you can configure the following: Resource consumption, General, Background Scanning, Malware Cleanup, Error reporting.
Figure: ImunifyAV → Settings → Resource consumption
CPU consumption – lets you set the level of CPU usage by the Malware Scanner.
Note
Low CPU usage means low scanning speed
I/O consumption – lets you set the level of I/O usage by the Malware Scanner.
Note
Low I/O usage means low scanning speed
Note
If ImunifyAV is running on CloudLinux OS, LVE is used to manage scan intensity. If it is running on other operating systems, “nice” is used to control CPU and “ionice” is used when the I/O scheduler is CFQ.
Figure: ImunifyAV → Settings → General
Tick required checkboxes and click the Save changes button.
Allows you to set up automatic, scheduled, background scanning of user accounts.
Note
The Daily and Weekly options are available for ImunifyAV+ and Imunify360 only.
Figure: ImunifyAV → Settings → Background Scanning
Figure: ImunifyAV → Settings → Background Scanning
Depending on the selected period, specify the precise settings.
Figure: ImunifyAV → Settings → Malware Cleanup
Tick the Enable Sentry error reporting checkbox to send reports to the ImunifyAV error reports server.
Figure: ImunifyAV → Settings → Error reporting
To upgrade to ImunifyAV+, click the Upgrade Imunify button; the upgrade page opens.
To upgrade, click the Buy Now button and you will be redirected to the purchase page. Or activate the product using an activation key if you already have one.
The user side is hidden by default and can be enabled by executing the following command:
/usr/share/av-userside-plugin.sh
To disable it again, run:
/usr/share/av-userside-plugin.sh -r
Click ImunifyAV in the main menu. The ImunifyAV end-user interface has the following tabs:
Go to ImunifyAV → Files tab. Here, there is a table with a list of infected files.
Figure: ImunifyAV Hoster UI → Files tab
The table has the following columns:
SMW-SA-05155-wshll – in this Signature ID:
SMW or CMW. SMW stands for Server Malware and CMW stands for Client Malware.
INJ or SA. INJ stands for Injection (means Malware is Injected to some legitimate file) and SA stands for StandAlone (means File is Completely Malicious).
05155. This is simply an identification number for the signature.
wshll/mlw.wp/etc explains the category and class of malware identified. Here, wshll stands for web shell (mlw stands for malware).
0, which provides the version number of the signature.
To perform a bulk action, tick required users and click the corresponding button above the table.
If a user is allowed by the administrator to run a scan at any time on his own, he can see the Start scanning button.
The following filters are available:
The table can be sorted by detection date (Detected), file path (File), Reason, and Status.
Figure: ImunifyAV+ End User UI → Files tab
If a user is allowed by an administrator to scan his files, he can see the Start scanning button. See also: How to enable/disable the "Start scanning" button for ImunifyAV\AV+.
History tab contains data of all actions for all files. Go to ImunifyAV → History tab. Here, there is a table with a list of files.
The table has the following columns:
The table can be sorted by Date, Path to File, Cause, and Owner.
The table has the following columns:
Ignore List tab contains the list of files that are excluded from Malware Scanner scanning. Go to ImunifyAV → Ignore List tab. Here, there is a table with a list of files.
The table has the following columns:
The following filters are available:
The table can be sorted by Added and Path. By default, it is sorted from newest to oldest.
Hooks are introduced as a script-based interface for various application events. This is a simple and effective way to automate ImunifyAV alerts and event processing. For example, an administrator can have ImunifyAV calling his own script when malicious files are detected or misconfigurations are detected and perform a custom processing or specific actions, for example, create a ticket. Hooks are available only via CLI.
Requirements
Start using hooks with three simple steps:
imunify-antivirus hook add --event <event name> --path </path/to/hook_script>
agent
malware-scanning
{
  "scan_id": "dc3c6061c572410a83be19d153809df1",
  "home": "/home/a/abdhf/",
  "user": "abdhf",
  "type": "background",
  "scan_params": {"file_mask": "*", "follow_symlinks": "true", "ignore_mask": "", "intensity": "low"}
}
{
  "scan_id": "dc3c6061c572410a83be19d153809df1",
  "home": "/home/a/abdhf/",
  "user": "abdhf",
  "started": 1587365282,
  "total_files": 873535,
  "total_malicious": 345,
  "errors": [],
  "status": "ok",
  "type": "background",
  "scan_params": {"file_mask": "*", "follow_symlinks": "true", "ignore_mask": "", "intensity": "low"}
}
imunify-antivirus malware malicious list --by-scan-id=... --json
{
  "scan_id": "dc3c6061c572410a83be19d153809df1",
  "path": "/home/a/abdhf/",
  "username": ["imunify"],
  "started": 1587365282,
  "total_files": 873535,
  "total_malicious": 345,
  "errors": [],
  "files": [
    {
      "username": "imunify",
      "hash": "17c1dd3659578126a32701bb5eaccecc2a6d8307d8e392f5381b7273bfb8a89d",
      "size": "182",
      "cleaned_at": 1553762878.6882641,
      "extra_data": {},
      "malicious": true,
      "id": 32,
      "status": "cleanup_removed",
      "file": "/home/imunify/public_html/01102018_2.php",
      "type": "SMW-INJ-04174-bkdr",
      "scan_type": "on-demand",
      "Created": 1553002672
    },
    {
      "username": "imunify",
      "hash": "04425f71ae6c3cd04f8a7f156aee57096dd658ce6321c92619a07e122d33bd32",
      "size": "12523",
      "cleaned_at": 1553762878.6882641,
      "extra_data": {},
      "malicious": true,
      "id": 33,
      "status": "cleanup_done",
      "file": "/home/imunify/public_html/22.js",
      "type": "SMW-INJ-04346-js.inj",
      "scan_type": "on-demand",
      "Created": 1553002672
    },
    ...
  ]
}
Note
All results can be saved in a temporary file before the handler is invoked; the file is then removed after the event has been processed.
imunify-antivirus malware malicious list --by-scan-id=... --json. See malware-detected hook section for details.
{
  "scan_id": "dc3c6061c572410a83be19d153809df1",
  "started": 1587365282,
  "total_files": 873535,
  "total_cleaned": 872835,
  "tmp_filename": "/var/imunify/tmp/hooks/tmp_02q648234692834698456728439587245.json",
  "errors": [],
  "status": "ok"
}
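The `type` values in the malware list JSON above follow the Signature ID layout described for the Files tab. The following Python is an added example, not part of the ImunifyAV documentation or code: it decodes those IDs and summarises a report so that injected and standalone findings can be handled separately. The names `parse_signature` and `triage`, the sample data, and the placement of the version as a trailing `-<digits>` section are assumptions.

```python
import json
import re
from collections import Counter

# Sections as described on this page: scope, kind, numeric ID, category.
# Assumption: a version, when present, is a trailing "-<digits>" section.
SIG_RE = re.compile(r"^(SMW|CMW)-(INJ|SA)-(\d+)-(.+?)(?:-(\d+))?$")
SCOPE = {"SMW": "server malware", "CMW": "client malware"}
KIND = {"INJ": "injection", "SA": "standalone"}

# Constructed sample shaped like the JSON output shown on this page.
SAMPLE = json.loads("""
{"scan_id": "dc3c6061c572410a83be19d153809df1", "files": [
  {"file": "/home/imunify/public_html/01102018_2.php",
   "type": "SMW-INJ-04174-bkdr", "status": "cleanup_removed"},
  {"file": "/home/imunify/public_html/22.js",
   "type": "SMW-INJ-04346-js.inj", "status": "cleanup_done"},
  {"file": "/home/imunify/public_html/example.php",
   "type": "SMW-SA-05155-wshll", "status": "cleanup_removed"},
  {"file": "/home/imunify/public_html/odd.bin",
   "type": "vendor-specific-name", "status": "cleanup_done"}
]}
""")


def parse_signature(sig):
    """Return the decoded sections of a signature ID, or None if it does not fit."""
    m = SIG_RE.match(sig or "")
    if m is None:
        return None
    scope, kind, number, category, version = m.groups()
    return {"scope": SCOPE[scope], "kind": KIND[kind], "number": number,
            "category": category, "version": version}


def triage(report):
    """Count findings per (kind, category) and per status; keep entries whose
    `type` does not follow the documented layout for manual review."""
    summary = {"by_kind_category": Counter(), "by_status": Counter(), "unparsed": []}
    for entry in report.get("files", []):
        summary["by_status"][entry.get("status", "unknown")] += 1
        sig = parse_signature(entry.get("type"))
        if sig is None:
            summary["unparsed"].append((entry.get("file"), entry.get("type")))
            continue
        summary["by_kind_category"][(sig["kind"], sig["category"])] += 1
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE)
    for (kind, category), n in sorted(result["by_kind_category"].items()):
        print(f"{kind:<10} {category:<8} {n}")
    print("status:", dict(result["by_status"]), "unparsed:", result["unparsed"])
```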
The following CLI command is used to manage hooks:
imunify-antivirus hook [command] --event [event_name|all] [--path </path/to/hook_script>]
The following commands are supported:
The third parameter event_name defines a particular event that invokes a registered handler as opposed to all keyword.
The fourth parameter /path/to/hook_script shall contain a valid path to a handler of the event; it shall be any executable or Python Native event handler that the agent will run upon a registered event.
Native
A native hook is a script written in Python 3.5 that allows events to be processed quickly. The Python file should contain only one method, which the customer implements:
def im_hook(dict_param):
    ...
    pass
where dict_param would hold the same data as the JSON that a non-Native hook will get.
Log File
You can see all hook data in the log file. It is located at /var/log/imunify360/hook.log. When the event comes, the data is recorded to the log file in the following format:
timestamp event : id : started [native:] name : subtype : script_path
Once the listener is done, the data is recorded to the log file in the following format:
timestamp event : id : done [native:] script_path [OK|ERROR:code]
In case of an error, you can see the error code you have specified.
Regular (non-native) hook:
#!/bin/bash
# Read the event JSON from stdin and extract its event and subtype
data=$(cat)
event=$(jq -r '.event' <<< "${data}")
subtype=$(jq -r '.subtype' <<< "${data}")
case "${event}" in
    malware-scanning)
        case "${subtype}" in
            started)
                # do stuff here
                ;;
            *)
                echo "Unhandled subtype: ${subtype}" 1>&2
                exit 1
        esac
        ;;
    *)
        echo "Unhandled event: ${event}/${subtype}" 1>&2
        exit 2
esac
Native hook:
def im_hook(dict_param):
    event = dict_param['event']
    subtype = dict_param['subtype']
    if event == 'malware-scanning':
        if subtype == 'started':
            # do stuff here
            pass
        elif subtype == 'finished':
            # do other stuff here
            pass
        else:
            raise Exception('Unhandled subtype {}'.format(subtype))
    else:
        raise Exception('Unhandled event {}'.format(event))
Starting from version 5.1, ImunifyAV/AV+ provides a completely new Hooks system configuration. Hooks can be configured via the separate UI “Notifications” tab in the Settings, or via the command-line interface (CLI).
The administrator can configure custom scripts (“hook handlers”) to be executed. Also, hooks support a new set of events and notification types:
Each hook can be configured from the UI and the CLI. Each hook type has the enable/disable toggle and event handler script.
Notes