Resolved Plesk, what’s going on here? - Imunify auto installation

[seqoi]

Server operating system version

AlmaLinux 9.5

Plesk version and microupdate number

Plesk Obsidian 18.0.68 Update #2

Imunify installed itself on my Plesk Obsidian (AlmaLinux) without my knowledge a day or two ago. I handle all updates manually — everything is set to manual only, and I apply updates myself.

I already have my own solutions in place, including firewalls. Why are you pushing extensions I didn’t ask for and installing applications that overlap with existing setups?

I want a clear explanation of how and why Imunify was installed without my consent.


Can someone comment on this? What is the most effective way to get rid of this and to ensure this does not happen in the future?

I repeat, this installed by itself at the running and setup operational server - only I have access to this instance - why would you do that?

 

[Sebahat.hadzhi]

Hello, @seqoi . First and foremost, I would like to sincerely apologize for any confusion or inconvenience caused by the recent installation of Imunify. I understand that this may have led to compatibility issues with the security solutions you already have in place.

I will prove a little bit of back story, so I can explain the whole situation. Some time ago, CloudLinux made the decision to deprecate the old ImunifyAV extension and replace it with a newer version. The automatic replacement process was scheduled and executed by our team yesterday. While the update was intended to affect only users of the original ImunifyAV extension, an unexpected issue arose during the process, which inadvertently impacted users who did not have the old extension installed. The whole situation was proactively addressed by our team and the the extension can be safely removed. We appreciate your understanding on the matter.

 

[seqoi]

Ok thanks for the explanation. Much appreciated. Have a nice weekend.

 

[Sebahat.hadzhi]

Thank you for your understanding on the matter. Have a great weekend as well!

 

[imrelaszlo84]

Hello! Yesterday, the Imunify 360 was automatically installed on our server with Ubuntu 22.04.5 LTS / Plesk Obsidian 18.0.70 Update #2. Was't this bug fixed?

 

[seqoi]

Hello! Yesterday, the Imunify 360 was automatically installed on our server with Ubuntu 22.04.5 LTS / Plesk Obsidian 18.0.70 Update #2. Was't this bug fixed?

I don't think it's a bug in its nature. She said they addressed it in a way that you can uninstall. That's what I did, and it's no problem. Yes, it is annoying and shouldn't happen, but luckily it's a 5-minute task. Good luck.

 

[imrelaszlo84]

I don't think it's a bug in its nature. She said they addressed it in a way that you can uninstall. That's what I did, and it's no problem. Yes, it is annoying and shouldn't happen, but luckily it's a 5-minute task. Good luck.

Of course, but it's not normal that you don't ask for it, third-party extensions are installed without your permission! The other thing is that the UNIX system user still remains in the system (_imunify). A careful system administrator doesn't like that...

 

[seqoi]

Of course, but it's not normal that you don't ask for it, third-party extensions are installed without your permission! The other thing is that the UNIX system user still remains in the system (_imunify). A careful system administrator doesn't like that...

I understand you and your concerns since I have the same. From the communication of Plesk staff personnel, I understood it was an unintentional omission rather than intended behavior. You'll simply need to accept it and move on with your server.

 

[Fede Marsell]

Is there any way to block this extension from panel.ini?

It installs itself, automatically, even after uninstalling.

And as is typical in PLESK practices, without any permission

 

[imrelaszlo84]

Is there any way to block this extension from panel.ini?

It installs itself, automatically, even after uninstalling.

And as is typical in PLESK practices, without any permission

This morning, it was installed automatically on another server... This can't stay like this! What are they thinking at Plesk? By what right do they install optional third-party software without prior consent?

 

[Sebahat.hadzhi]

Our team informed me that the rollout of the Imunify extension hasn't officially finished yet. In other words, you are both affected by the issue I explained above. Please note that the extension wasn't intentionally installed on your servers and Plesk is not trying to force the Imunify extension by any mean. Nevertheless, the severity of the case is acknowledged. We understand the negative impact from this installation and we are extremely sorry for the entire situation. You can disable Imunify by adding the following directive to the panel.ini file:

[extensions]
blacklist = imunify360

or completely disable automatic extension installations with:

[ext-catalog]
extensionAutoInstall = false

 

[imrelaszlo84]

@Sebahat.hadzhi I've added these settings to panel.ini, thank you!

 

[trialotto]

Our team informed me that the rollout of the Imunify extension hasn't officially finished yet. In other words, you are both affected by the issue I explained above. Please note that the extension wasn't intentionally installed on your servers and Plesk is not trying to force the Imunify extension by any mean. Nevertheless, the severity of the case is acknowledged. We understand the negative impact from this installation and we are extremely sorry for the entire situation. You can disable Imunify by adding the following directive to the panel.ini file:



or completely disable automatic extension installations with:

@Sebahat.hadzhi

Problem here is that Plesk addresses one problem, being the "unwanted" installation of Imunify.

Nevertheless, this "issue" (or bug) has been present for a longer time period - removing Imunify extensions has (always) been a (tiny) bit problematic.

In addition, Imunify extensions do not really add value, certainly not taking into account the price of the extensions.

At this moment, adding Imunify will make things worse in the sense that security will not be enhanced (read: the opposite is more likely) and also in the sense that code related / installation related / uninstallation related issues are encountered or to be expected.

In my humble opinion, the main problem that should be addressed by Plesk is how Imunify interferes with (read: obstructs / hinders) other extensions, like for instance the Plesk firewall extension, and/or how Imunify reduces security whilst still introducting all kinds of issues.

As a final note, Plesk can give the advice to blacklist Imunify in panel.ini, but that is also a root cause of a FUTURE problem : deactivating and/or removing Imunify will require additional steps (like removing files and REconfiguring Plesk firewall properly) - most people are not aware of this!

If you would ask me, then Plesk team should abandon Imunify (and not embrace it!) and improve simple extensions like Plesk Firewall extensions.

Just sharing a thought on this matter.

Kind regards....

 

[Sebahat.hadzhi]

@trialotto Thank you for your feedback about the extension. I will share it with our team.

Regarding the issue with the extension removal, if there are any leftover files they could be removed as follow:

rm -rf /opt/ai-bolit
rm -rf /opt/i360_pam_imunify/
rm -rf /opt/imunify360
rf -rf /opt/imunify360-webshield

rm -rf /var/log/imunify360
rm -rf /var/log/i360deploy.log
rm -rf /var/log/imav-deploy.log
rm -rf /var/log/imunify360-webshield/
rm -rf /var/log/i360deploy-plesk.log

rm -rf /var/imunify360
rm -rf /var/i360_pam_imunify/

rm -f /etc/cron.daily/imunify360-ossec-server
rm -f /etc/cron.d/imunify-antivirus
rm -f /etc/cron.d/imunify-notifier
rm -f /etc/crond.d/i360_pkg_watcher
rm -f /etc/sysconfig/aibolit-resident
rm -rf /etc/imunify360/
rm -rf /etc/imunify360-wafd/
rm -rf /etc/imunify360-webshield/
rm -rf /etc/imunify-realtime-av/
rm -rf /etc/sysconfig/imunify360

 

[trialotto]

@trialotto Thank you for your feedback about the extension. I will share it with our team.

Regarding the issue with the extension removal, if there are any leftover files they could be removed as follow:

rm -rf /opt/ai-bolit
rm -rf /opt/i360_pam_imunify/
rm -rf /opt/imunify360
rf -rf /opt/imunify360-webshield

rm -rf /var/log/imunify360
rm -rf /var/log/i360deploy.log
rm -rf /var/log/imav-deploy.log
rm -rf /var/log/imunify360-webshield/
rm -rf /var/log/i360deploy-plesk.log

rm -rf /var/imunify360
rm -rf /var/i360_pam_imunify/

rm -f /etc/cron.daily/imunify360-ossec-server
rm -f /etc/cron.d/imunify-antivirus
rm -f /etc/cron.d/imunify-notifier
rm -f /etc/crond.d/i360_pkg_watcher
rm -f /etc/sysconfig/aibolit-resident
rm -rf /etc/imunify360/
rm -rf /etc/imunify360-wafd/
rm -rf /etc/imunify360-webshield/
rm -rf /etc/imunify-realtime-av/
rm -rf /etc/sysconfig/imunify360

@Sebahat.hadzhi

I am aware of the fact that one has to - forcefully - remove some files.

However, my main concern was (read: back in the days that I tested the Imunify extension) that the firewall rules were "removed" in a very unpredictable way : in some cases, all entries were deleted (hence making the server vulnerable) and in other case, none of the entries were removed (hence making the firewall clogged up and rather "slow" - not a good thing).

In essence, there was a lot that could be done with Plesk Firewall extension (even though some proper documentation has to be added), as opposed to doing the same things with Imunify in a more complicated way and, moreover, in a more intrusive way.

In my humble opinion, it would be great if the Plesk Firewall extension is developed towards a version that still maintains the simplicity (of the GUI) and adds some benefits that are definitely present in Imunify (and other software), WITHOUT adding the disadvantages of Imunify.

Nevertheless, it is easy to have "opinions", even though only facts will matter.

If I have some time in the near future, then I will reevaluate Imunify ........ and provide feedback.

Kind regards....

 

[ChristophRo]

If you would ask me, then Plesk team should abandon Imunify (and not embrace it!) and improve simple extensions like Plesk Firewall extensions.

We only used and use the Imunify "Malware Scanner" as it's very! helpful and nothing out there comes even close to the functionality and success rate of detecting malicious code on your websites. (we used ClamAV/Sophos virus scan routines, RKHunter and manual scripts before we had ImunifyAV and really, it's apples to rotten raisins...)

That being said, we also strongly disliked the move of abandoning ImunifyAV and bundle it into the Imunify360 suite. (yes, there were some improvements in the functionality of the malware scanner, but also so many drawbacks that overall it's clearly worse than before)

But my point is, that while you've obviously only? really checked out the Firewall part of Imunify (and yes, there are plenty of other and better alternatives out there for that), the extension does offer more and with no rivals on the horizon.
So, the move to discourage/abandon the whole Imunify extension would be a very bad move.

I do agree on the install/uninstall part though, a reoccurring pita on every system.

 

[Azurel]

I just happened to stumble upon this topic by chance because I was wondering why the 'alt-common' repository exists in my list and wants to install system updates. After I uninstalled Imunify extension, the 'alt-common' repository and its updates were gone as well.

However, my main concern was (read: back in the days that I tested the Imunify extension) that the firewall rules were "removed" in a very unpredictable way : in some cases, all entries were deleted (hence making the server vulnerable) and in other case, none of the entries were removed (hence making the firewall clogged up and rather "slow" - not a good thing).

@trialotto
How would you see if it causes problems now? I had already removed it.

 

[Azurel]

Regarding the issue with the extension removal, if there are any leftover files they could be removed as follow:

After 'uninstalling', there's still a lot left in the system. The 'uninstall' button is poorly implemented if you still have to delete so much manually afterward.