
Issue ImunifyAV/Imunify360 started flagging multiple files as malware

Somtam

New Pleskian
Server operating system version
ImunifyAV/Imunify360 started flagging multiple files as malware
Plesk version and microupdate number
18.0.56 #2
Hi everyone,

I’ve recently encountered an issue on a Plesk server where ImunifyAV/Imunify360 started flagging multiple files as malware, even though they appear to be legitimate system binaries.

Specifically:

- Files like /usr/bin/cat, libraries, and other ELF binaries
- Located in paths such as: /var/www/vhosts/system/<domain>/... or /var/www/vhosts/<domain>/usr/bin/
- Detected as suspicious just because they are ELF binaries

From my analysis, these look like standard GNU/Linux binaries (e.g. GNU coreutils) and seem to be related to Plesk’s chroot/jail environment for subscriptions.

I also found this explanation from Plesk documentation:

It suggests that Plesk creates these environments and copies system binaries there, which would explain their presence.

Are you experiencing the same issue recently?

Hi, @Somtam. I am unable to find a similar report by other Plesk users. It might be best for that case to be reviewed directly by CloudLinux as the vendor of Imunify. What I can suggest is to try sending a false-positive report according to:

If you can open a Plesk support ticket and provide server access, our agents can involve a representative from the CloudLinux team who can directly check the files on the server.
 
Granting access to the server is definitely not an option due to data security concerns. That is simply impossible.

The question is whether this antivirus might be flagging these files in any way because the executable .so files are located within the subscription directory. As far as I know, these files are created when Plesk runs cron jobs in a chroot environment.

I scanned these files individually, and there are no signs that they are malicious, tampered with, or doing anything suspicious. The issue seems to be that only those subscriptions are being flagged where these files are present in the /usr directory.
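
A check for the situation discussed in this thread, added here as an example and not part of any post or of Plesk's or Imunify's own tooling: it walks a subscription's chroot directory and compares each ELF file byte for byte with the file at the same relative path on the host. The function name, the report keys and the demo tree are assumptions made for the illustration.

```python
import filecmp
import os
import tempfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file

def compare_chroot(chroot_root, system_root="/"):
    """Sort each ELF file in the chroot by how it compares to the system copy."""
    report = {"identical": [], "differs": [], "no_system_copy": []}
    for dirpath, _dirs, files in os.walk(chroot_root):
        for name in files:
            jailed = os.path.join(dirpath, name)
            # Only regular files are compared; symlinks, FIFOs, sockets are skipped.
            if os.path.islink(jailed) or not os.path.isfile(jailed):
                continue
            with open(jailed, "rb") as fh:
                if fh.read(4) != ELF_MAGIC:
                    continue
            rel = os.path.relpath(jailed, chroot_root)
            original = os.path.join(system_root, rel)
            if not os.path.isfile(original):
                report["no_system_copy"].append(rel)  # nothing to compare against
            elif filecmp.cmp(jailed, original, shallow=False):
                report["identical"].append(rel)  # byte-for-byte system copy
            else:
                report["differs"].append(rel)  # stale copy or modified: inspect
    return {key: sorted(paths) for key, paths in report.items()}

def demo():
    """Run the comparison on a constructed tree of fake ELF stubs."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "system/usr/bin/cat": ELF_MAGIC + b"cat-v1",
            "system/usr/bin/ls": ELF_MAGIC + b"ls-v2",
            "jail/usr/bin/cat": ELF_MAGIC + b"cat-v1",      # same as system
            "jail/usr/bin/ls": ELF_MAGIC + b"ls-v1",        # differs from system
            "jail/usr/bin/extra": ELF_MAGIC + b"unknown",   # no system counterpart
            "jail/etc/passwd": b"root:x:0:0::/:/bin/sh\n",  # not ELF, ignored
        }
        for rel, data in files.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return compare_chroot(os.path.join(tmp, "jail"), os.path.join(tmp, "system"))

if __name__ == "__main__":
    print(demo())
```

On a server the call would be `compare_chroot("/var/www/vhosts/<domain>")` with the default `system_root`. A file listed under `differs` may simply be a copy made before a package update on the host, so it calls for a closer look rather than a verdict.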
 