
Issue ImunifyAV/Imunify360 started flagging multiple files as malware

Somtam

New Pleskian
Server operating system version
ImunifyAV/Imunify360 started flagging multiple files as malware
Plesk version and microupdate number
18.0.56 #2
Hi everyone,

I’ve recently encountered an issue on a Plesk server where ImunifyAV/Imunify360 started flagging multiple files as malware, even though they appear to be legitimate system binaries.

Specifically:

• Files like /usr/bin/cat, libraries, and other ELF binaries
• Located in paths such as: /var/www/vhosts/system/<domain>/... or /var/www/vhosts/<domain>/usr/bin/
• Detected as suspicious just because they are ELF binaries

From my analysis, these look like standard GNU/Linux binaries (e.g. GNU coreutils) and seem to be related to Plesk’s chroot/jail environment for subscriptions.

I also found this explanation from Plesk documentation:

It suggests that Plesk creates these environments and copies system binaries there, which would explain their presence.

Are you experiencing the same issue recently?
 
 
Hi, @Somtam. I am unable to find a similar report by other Plesk users. It might be best for that case to be reviewed directly by CloudLinux as the vendor of Imunify. What I can suggest is to try sending a false-positive report according to:

If you can open a Plesk support ticket and provide server access, our agents can involve a representative from the CloudLinux team who can directly check the files on the server.
 
Granting access to the server is definitely not an option due to data security concerns. That is simply impossible.

The question is whether this antivirus might be flagging these files in any way because the executable .so files are located within the subscription directory. As far as I know, these files are created when Plesk runs cron jobs in a chroot environment.

I scanned these files individually, and there are no signs that they are malicious, tampered with, or doing anything suspicious. The issue seems to be that only those subscriptions are being flagged where these files are present in the /usr directory.
 
Thank you. I will double-check with our team and CloudLinux what might be causing the issue and get back to you if we can provide any insights.
 
@Somtam, CloudLinux has opened an internal task to further investigate the behavior. I will follow up with more details as soon as I have more news. For the time being, you can ignore the reports as false positives. Thank you for highlighting the issue.
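
One way to check the point discussed in this thread, that the flagged files are unmodified copies of system binaries, is to hash every ELF file under the subscription directory and compare it with the file at the same path on the host. This is an added example, not part of any forum post and not Plesk or Imunify tooling; the function names and the assumption that the chroot mirrors host paths (for example `<subscription>/usr/bin/cat` against `/usr/bin/cat`) belong to the example.

```python
import hashlib
import os

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF binary or shared object


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large libraries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_elf(path):
    with open(path, "rb") as fh:
        return fh.read(4) == ELF_MAGIC


def compare_chroot(chroot_root, system_root="/"):
    """Return {relative_path: status} for each ELF file under chroot_root.

    status: "match"          same SHA-256 as the host file at that path
            "differs"        host file exists but the content is different
            "no-system-copy" no host file at that path (inspect manually)
    """
    results = {}
    for dirpath, _dirs, files in os.walk(chroot_root):  # dir symlinks not followed
        for name in files:
            copy = os.path.join(dirpath, name)
            if os.path.islink(copy) or not os.path.isfile(copy) or not is_elf(copy):
                continue
            rel = os.path.relpath(copy, chroot_root)
            original = os.path.join(system_root, rel)
            if not os.path.isfile(original):
                results[rel] = "no-system-copy"
            elif sha256_file(copy) == sha256_file(original):
                results[rel] = "match"
            else:
                results[rel] = "differs"
    return results


if __name__ == "__main__":
    import sys
    # Usage (as root): python3 compare_chroot.py /var/www/vhosts/<domain>
    for rel, status in sorted(compare_chroot(sys.argv[1]).items()):
        print(f"{status:15} /{rel}")
```

A "differs" result is not proof of tampering, since the host binary may have been updated after the copy was made; such files, and any "no-system-copy" ELF outside the usual bin and lib directories, are the ones worth checking against the distribution package.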
 