
Does Imunify actually work?

Comments

5 comments

  • HappyFeat

    I re-installed ClamAV, moved the eicar file to a public_html folder and did a manual scan with ClamAV and it found it.

    I did the same thing with Imunify and it didn't find it.

    I think I'll stick with ClamAV for now.

    0
  • ITHKBO

    Are you sure you did not leave ClamAV active or something like CXSWatch running while trying Imunify? Because if your primary software is faster, then there is nothing for Imunify to check.

    Here is the speed at which CXSWatch with ClamAV removes it on our server, making it impossible to test eicar unless we explicitly tell it not to do so.
    https://go.screenpal.com/watch/cTjuIIn28eT

    Simply ignoring the MD5 is not enough for some reason on eicar though that works with all other false positives we encountered.

    That said, IMHO I find it much better to not run tests against the universally known eicar text string but against actual Tactics, Techniques, and Procedures (TTPs) if you have the knowledge and a separate system to test on. Knowing that a file signature is recognized by your system is all well and good, but it won't tell you how it will operate while under any strain or multi-vector attacks and what unexpected potential bottlenecks it creates for other services.

    1
  • Rubfy

    Yes, Imunify works — but your test was likely outside its default scan scope.
    By default, Imunify’s malware scanner focuses on user home directories (e.g. /home/USERNAME/...). Dropping eicar at the top-level /home/ (root-owned, not a cPanel account) is typically out of scope unless you enable system-wide scanning.

    Here’s how to make a valid test and the settings to check:

    1) Put the test file where Imunify actually scans

    • Use a cPanel account path, e.g. /home/USER/public_html/eicar.com (or .txt).

    • Make sure the file is owned by that USER, not root.

    2) Make sure the scanner is configured to catch it

    WHM → Imunify360 / ImunifyAV(+) → Settings → Malware Scanner

    • Enable real-time/Background scan (scan new & modified files).

    • Heuristic analysis: ON

    • Scan inside archives: ON (if you’re testing zipped eicar)

    • File types to scan: include php, js, html, txt, com, exe (eicar hits regardless, but don’t exclude it by mask).

    • Skip large files: make sure the limit isn’t absurdly low.

    • If you really want to scan non-user locations (like top-level /home), enable the option to scan system/non-user directories.

    3) Run a proper on-demand scan

    • From the UI: Malware Scanner → Start scan → select the USER or the exact path.

    • From CLI (example – adjust to your version; see imunify360-agent malware --help):

      imunify360-agent malware on-demand start --path /home/USER/public_html

      Then check detections/quarantine in the UI or logs under /var/log/imunify*.

    4) Common reasons for “not detected”

    • The file was in a path outside scope (e.g., /home/ root, not a user).

    • It’s in the Ignore List or excluded by file masks.

    • Another tool (ClamAV/CXSWatch) removed it first, so Imunify had nothing to find.

    • Ownership/permissions prevented the daemon from seeing it.

    • Real-time scanner disabled, or only “Quick/Partial” scans were run.

    5) About ClamAV vs Imunify

    They can coexist, but avoid double real-time scanning on busy servers. ClamAV is signature-driven; Imunify adds heuristics, Proactive Defense (PHP runtime blocking), WAF rules, reputation feeds, kernel/live-patch integrations, etc. For a fair apples-to-apples check, put eicar under a user docroot, ensure Imunify’s scope includes that path, and run a full on-demand scan.

    If you post the exact path/owner and your Malware Scanner settings, we can point out the one toggle that’s preventing the detection.

    0
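The test procedure in the answer above (file under a real account's docroot, owned by that user, then an on-demand scan of that path), as an added example script. It is not code from the thread, from cPanel or from the Imunify project. It assumes a cPanel/WHM host with the imunify360-agent CLI, run as root, with an existing account name passed as the first argument; the agent subcommands are the ones quoted in the answer and should be confirmed against imunify360-agent malware --help on your version. The byte-exactness check matters because a copy/paste through an editor that adds CRLF, a BOM or a trailing newline changes the sample, and then a "miss" says nothing about the scanner.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Imunify project.
# Builds a byte-exact EICAR file inside a cPanel user's docroot, owned by that
# user, then runs Imunify's on-demand scan on that path and lists detections.
# Assumptions: root on a cPanel/WHM host with imunify360-agent installed;
# ACCOUNT (argument 1) is an existing cPanel username whose group has the same
# name; docroot is /home/ACCOUNT/public_html as in the answer above.

# Canonical 68-byte EICAR test string and its published SHA-256.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
EICAR_SHA256=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f

sha256_of() {
  # Portable SHA-256: coreutils first, then BSD/macOS shasum, then openssl.
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | awk '{print $1}'
  else openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

write_eicar() {
  # Write the test string with no trailing newline; printf avoids the
  # escape-handling and -n portability problems of echo.
  printf '%s' "$EICAR" > "$1"
}

eicar_intact() {
  # 0 if file $1 is exactly the 68-byte EICAR sample, 1 otherwise.
  [ "$(wc -c < "$1" | tr -d ' ')" -eq 68 ] || return 1
  [ "$(sha256_of "$1")" = "$EICAR_SHA256" ]
}

owned_by() {
  # 0 if file $1 is owned by user $2. ls output is POSIX; stat flags are not.
  [ "$(ls -ld "$1" | awk '{print $3}')" = "$2" ]
}

run_imunify_test() {
  account=$1
  docroot=/home/$account/public_html
  target=$docroot/eicar.com
  [ -d "$docroot" ] || { echo "no docroot for $account" >&2; return 1; }
  write_eicar "$target"
  chown "$account:$account" "$target"   # root-owned files are outside the default scope
  chmod 0644 "$target"
  eicar_intact "$target" || { echo "sample bytes corrupted" >&2; return 1; }
  owned_by "$target" "$account" || { echo "sample not owned by $account" >&2; return 1; }
  # Scan only that docroot, then list what the scanner flagged.
  imunify360-agent malware on-demand start --path "$docroot"
  imunify360-agent malware malicious list
}

# Runs the live test only when invoked with an account name, e.g.
#   sh eicar-test.sh alice
if [ $# -gt 0 ]; then
  run_imunify_test "$1"
fi
```

If the scan still reports nothing, the remaining variables are the ones the answer lists (ignore list, file masks, size limit, real-time scanner state), and the detection log under /var/log/imunify* is where to look next.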
  • HappyFeat

    1) As I said, Imunify couldn't detect the eicar test when it was in a /home/[user]/public_html/ folder - so the location is not the problem.

    2) There is no CXS or other active program installed - so it is not possible for "another program to remove it". (Furthermore the file is still there - it didn't get removed by anything).

    Is there a way of debugging Imunify to find out why it can't detect a basic virus?

    0
  • cPRex Jurassic Moderator

    It would likely be best to create a ticket since this doesn't seem to be a widespread issue.

    0
