Resolved Plesk, what’s going on here? - Imunify auto installation

Could you please elaborate on that question. I am not entirely sure I understand it. Sorry.

Once Imunify is installed —even without explicit permission— it begins scanning the server and uploading files it deems suspicious to external servers.

The extent of this behavior is unclear: it's not known whether Imunify uploads entire files or just fragments.

Regardless, this constitutes a serious security breach.

In the console.log, the data transfer is clearly visible:

imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/domain.com/xxxx.php' to the Malware Response Service with reason: extended-

This is a critical issue — a data leak caused by the unauthorized installation of a third-party extension.
 
@Fede Marsell , I consulted with our team about your case. The Malware Response Service is not part of the free Imunify extension, which suggests that you do have an Imunify360 license on the server in question. Therefore, the automatic installation (replacement) of the extension is expected in your case.

The functionality itself is intended to find suspicious files and send them for analysis to CloudLinux servers. Please note that files containing personal or sensitive information are removed from the pipeline immediately on detection. Cloud scanning can be disabled by running:

Code:
imunify360-agent config update '{"MALWARE_SCANNING": {"sends_file_for_analysis": false}}'

but the detection rate will be worse - some scanning methods require a lot of RAM or heavy computing to unpack obfuscated code or separate edge cases, and thus are not practical to run on individual servers.

If you have any additional questions or concerns, please directly get in touch with Plesk or CloudLinux support, as with limited server information we won't be able to precisely address the case.

I've never installed Imunify and I've never purchased a license for this extension. Never.

I manage more than 50 servers with PLESK, and on most of them, Imunify was automatically installed without consent and has sent sensitive information to external servers.

Any user can review its logs. They can see how their files have been transferred to Imunify's external servers.

They just need to check the logs (grep Uploaded /var/log/imunify360/console.log).

I repeat, this is extremely serious.
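To turn the grep above into an auditable record per customer, here is an added example (not code from the thread, Plesk or Imunify) that parses console.log lines in the "Uploaded file '...' to the Malware Response Service with reason: ..." format quoted earlier and tallies uploads per Plesk vhost; the sample log, its timestamps, paths and reason labels are constructed.

```python
import re
from collections import Counter

# Constructed sample of /var/log/imunify360/console.log content, not a real capture.
# Only the "Uploaded file ... Malware Response Service with reason: ..." message shape
# comes from the thread; timestamps, logger names, paths and reasons are made up.
SAMPLE_LOG = """\
2025-01-01 10:00:01,000: INFO constructed.filler: scan started (filler line, no upload)
2025-01-01 10:02:14,120: INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/example.com/httpdocs/wp-content/uploads/x.php' to the Malware Response Service with reason: constructed-reason-a
2025-01-01 10:02:15,300: INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/example.com/httpdocs/cache/y.php' to the Malware Response Service with reason: constructed-reason-a
2025-01-01 10:03:02,000: INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/other.example/httpdocs/z.php' to the Malware Response Service with reason: constructed-reason-b
2025-01-01 10:05:00,000: INFO constructed.filler: scan finished (filler line, no upload)
"""

# Matches the upload message and captures the local path and the stated reason.
UPLOAD_RE = re.compile(
    r"Uploaded file '(?P<path>[^']+)' to the Malware Response Service with reason: (?P<reason>\S+)"
)
# Plesk keeps each subscription under /var/www/vhosts/<domain>/, so the domain is
# the first path component after that prefix.
VHOST_RE = re.compile(r"^/var/www/vhosts/(?P<domain>[^/]+)/")


def parse_uploads(log_text):
    """Return one dict (path, reason, domain) per upload event found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = UPLOAD_RE.search(line)
        if not m:
            continue  # lines without an upload message are ignored
        path = m.group("path")
        v = VHOST_RE.match(path)
        events.append({
            "path": path,
            "reason": m.group("reason"),
            "domain": v.group("domain") if v else None,
        })
    return events


def uploads_per_domain(events):
    """Count upload events per vhost so each customer can be told what left the server."""
    return dict(Counter(e["domain"] or "<outside vhosts>" for e in events))


if __name__ == "__main__":
    evs = parse_uploads(SAMPLE_LOG)
    for e in evs:
        print(f"{e['domain']}: {e['path']} (reason: {e['reason']})")
    print(uploads_per_domain(evs))
```

Point `parse_uploads` at the real file contents (`open("/var/log/imunify360/console.log").read()`) to get the same report for a live server.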
 
According to what I have been told, this is a paid functionality and should not be present unless with an Imunify license. Nevertheless, as previously mentioned, files containing personal or sensitive information are removed from the pipeline immediately on detection. This has been consulted with CloudLinux and confirmed by their team.
 
The "Malware Scanner" is indeed enabled and usable in the free edition.
In fact it's the only component that is available in the free edition and it gets installed on a Plesk server by default.

While the "Malware Scanner" is somewhat limited in the free edition (like only one scan per month), it will of course still use the function to upload suspicious code to CloudLinux for further analysis.

I can see that some people may have a problem with that, despite the fact that this behavior is common and widely used in the AV industry.
 
While the Malware Scanner itself is available, according to our discussion with CloudLinux, the file upload process is part of a paid functionality that should not be available in the free edition. This statement is based on the log provided earlier in the thread. Unfortunately, we can't confirm for sure what's triggering that behavior without server access. Nevertheless, in terms of a security breach concerning the files uploaded to CloudLinux, the sensitive data is excluded.
 
I can see that some people may have a problem with that, despite the fact that this behavior is common and widely used in the AV industry.

The problem is that both the installation of the extension and the data transfer happened without any prior authorization or consent.

This is a serious breach.