A malware has been detected - Action Required (false positive)
We received an automated alert from ImunifyAV through cPanel that one of our customer sites had potential malware.
It did not specify what it found, only that the main page was infected, and a manual scan from ImunifyAV on the same day also showed the site as clean. We checked our resources at Sucuri, and no scan came up with any false positives or potential threats. ModSec also did not show any strange records, and Wordfence on the site itself did not show any discrepancies.
After the audit I then sent a ticket to CloudLinux to inform them of this false positive and to ask why this trigger happened. They made an internal case (id: DEFA-5624), and now their support is asking us to contact cPanel about why this was sent from ImunifyAV.
I find it very odd that CloudLinux is not able to tell why their own program triggered this mail response, or simply contact you guys directly, but here I am, at the behest of CloudLinux, asking why the following mail was sent even though nothing was flagged as suspicious in the dashboard. Is there anything cPanel can check with regard to these kinds of messages, or is there some action log we ourselves can check? It is not shown in the ImunifyAV back-end of WHM as far as we can tell.
I can naturally provide the original, uncensored mail if needed.
From: cPanel on *****
<__cpanel__service__auth__icontact__xyonkhf9mmucaguh@ ***** >
Sent: Tuesday, 14 February 2023 04:17
To: ***** @ *****
Subject: [ ***** l] A malware has been detected - Action Required: *****
Dear Administrator,
We want to make sure that you are aware of any security threat that your server is exposed to.
With this message we are letting you know that a malware was found on your server(s):
* ***** [.]nl
o Location: hXXp:// ***** [.]nl/ (main page of the website)
Leaving malware files untreated puts your entire environment at risk and creates significant
security threats.
We urge you to take action immediately.
* Option 1: Please make sure that server administrator(s) take appropriate actions to remove
malware as soon as possible to mitigate security risks.
* Option 2: Upgrade from ImunifyAV to Imunify360. With the use of comprehensive security
features, such as real-time malware protection and Malware Database Scanner (MDS) the
server-wide risk that malware infections create will be mitigated in a fully automated way.
Should you have any questions, please reach out to our support team.
Faithfully,
Your Imunify360 Security Team
Manage subscriptions
The system generated this notice on Tuesday, February 14, 2023 at 3:17:20 AM UTC.
"Imunify::Generic" notifications are currently configured to have an importance of "High". You can change the importance or disable this type of notification in WHM's Contact Manager at:
https:// ***** :2087/scripts2/editcontact?event=Application
Do not reply to this automated message.
Copyright © 2023 cPanel, L.L.C.
Hey there! I'm not going to be able to do anything on my end for this particular issue, as this would need to be a support ticket. Can you submit a ticket to our team for this?
Not a problem, the ticket is submitted.
Can you post the number here so I can follow along?
We're working on some more integration between the two help desks, but as of this time I can't see those. If they have confirmed it's a CloudLinux issue, it would be best to continue to work with them directly.
They have not confirmed anything yet, besides that they cannot at present find anything wrong with the domain that gave the result. They wanted to do more research, which is fine. I am at this stage not involved; it's something between cPanel and CloudLinux. I am monitoring the ticket for any input they need from my side, but at this time, besides initially informing cPanel at their behest, no requests have been made. If there is any news I will update you in this thread.
Got an update from CloudLinux: the exact cause of the original message is unknown. They however suspect interference with the clamd service, which caused the GUI to not show any results. They also checked some other notifications we did not ask about, from 11 days later and not related to the case. Their suggestion is for us to stop the clamd service and any other anti-malware solutions, which is something we are not willing to do. I have asked for instructions on how to disable and remove ImunifyAV from cPanel. I am sure they have a lovely product that they want to sell, but I am not willing to throw our entire antispam, firewall and exploit detection framework out the window. This can be considered resolved. Thank you for your attention on this matter, cPRex.
I'm glad they were able to get you some details, even if it wasn't an ideal solution. I'm always happy to help as much as I can!