• Plesk Uservoice will be deprecated by October. Moving forward, all product feature requests and improvement suggestions will be managed through our new platform Plesk Productboard.
    To continue sharing your ideas and feedback, please visit features.plesk.com

Resolved Plesk, what’s going on here? - Imunify auto installation

Sebahat.hadzhi said:
Could you please elaborate on that question. I am not entirely sure I understand it. Sorry.
Click to expand...

Once Imunify is installed —even without explicit permission— it begins scanning the server and uploading files it deems suspicious to external servers.

The extent of this behavior is unclear: it's not known whether Imunify uploads entire files or just fragments.

Regardless, this constitutes a serious security breach.

In the console.log, the data transfer is clearly visible:

imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/domain.com/xxxx.php' to the Malware Response Service with reason: extended-

This is a critical issue — a data leak caused by the unauthorized installation of a third-party extension.
 
@Fede Marsell , I consulted with our team about your case. The Malware Response Service is not part of the free Imunify extension, which suggests that you do have a Imunify360 license on the server in question. Therefore, the automatic installation (replacement) of the extension is expected in your case.

The functionality itself is intended to find suspicious files and send them for analysis to CloudLinux servers. Please note that, files containing personal or sensitive information are removed from the pipeline immediately on detection. Cloud scanning can be disabled by running:

Code: 
imunify360-agent config update '{"MALWARE_SCANNING": {"sends_file_for_analysis": false}}'

but the detection rate will be worse - some scanning methods require a lot of RAM or heavy computing to unpack obfuscated code or separate edge cases, and thus are not practical to run on individual servers.

If you have any additional questions or concerns, please directly get in touch with Plesk or CloudLinux support, as with limited server information we won't be able to precisely address the case.
 
Sebahat.hadzhi said:
@Fede Marsell , I consulted with our team about your case. The Malware Response Service is not part of the free Imunify extension, which suggests that you do have a Imunify360 license on the server in question. Therefore, the automatic installation (replacement) of the extension is expected in your case.

The functionality itself is intended to find suspicious files and send them for analysis to CloudLinux servers. Please note that, files containing personal or sensitive information are removed from the pipeline immediately on detection. Cloud scanning can be disabled by running:

Code: 
imunify360-agent config update '{"MALWARE_SCANNING": {"sends_file_for_analysis": false}}'

but the detection rate will be worse - some scanning methods require a lot of RAM or heavy computing to unpack obfuscated code or separate edge cases, and thus are not practical to run on individual servers.

If you have any additional questions or concerns, please directly get in touch with Plesk or CloudLinux support, as with limited server information we won't be able to precisely address the case.
Click to expand...

I've never installed Imunify and I've never purchased a license for this extension. Never.

I manage more than 50 servers with PLESK, and on most of them, Imunify was automatically installed without consent and has sent sensitive information to external servers.

Any user can review its logs. They can see how their files have been transferred to Imunify's external servers.

They just need to check the logs (grep Uploaded /var/log/imunify360/console.log).

I repeat, this is extremely serious.
 
According to what I have been told this is a paid functionality and should not be present unless with Imunify license. Nevertheless, as previously mentioned, files containing personal or sensitive information are removed from the pipeline immediately on detection. This has been consulted with CloudLinux and confirmed by their team.
 
The "Malware Scanner" is indeed enabled and usable in the free edition.
In fact it's the only component that is available in the free edition and it gets installed on a Plesk server by default.

While the "Malware Scanner" is somewhat limited in the free edition (like only one scan per month), it will of course still use the function to upload suspicious code to Cloudlinux for further analysis.

I can see that some people may have a problem with that, despite the fact that this behavior is common and widely used in the AV industry.
 
While the Malware scanner itself is available, according to our discussion with CloudLinux, the file upload process is part of a paid functionality that should not be available in the free edition. This statement is based on the log provided earlier in the thread. Unfortunately, we can't confirm for sure what's triggering that behavior without server access. Nevertheless, in terms of security breach concerning the files uploaded to CloudLinux - the sensitive data is excluded.
 
ChristophRo said:
I can see that some people may have a problem with that, despite the fact that this behavior is common and widely used in the AV industry.
Click to expand...

The problem is that both the installation of the extension and the data transfer happened without any prior authorization or consent.

This is a serious breach.
 
Sebahat.hadzhi said:
While the Malware scanner itself is available, according to our discussion with CloudLinux, the file upload process is part of a paid functionality that should not be available in the free edition. This statement is based on the log provided earlier in the thread. Unfortunately, we can't confirm for sure what's triggering that behavior without server access. Nevertheless, in terms of security breach concerning the files uploaded to CloudLinux - the sensitive data is excluded.
Click to expand...
@Sebahat.hadzhi

I think that @Fede Marsell is addressing an issue that should indeed be called a "data leak" in a legal sense.

There is no legal ground for sharing data / uploading data by an extension, if that extension has not been installed explicitly and (legal) conditions have not been agreed with explicitly.

The degree in which the "data leak" occurs and the severity of the "data leak" depends on the information shared / uploaded.

Plesk is - essentially - responsible for the current "data leak" and, if any "data leak" exists in a legal sense, Plesk can be fined in most European countries.

Stated differently, @Fede Marsell addresses an issue that is in the interest of Plesk.

In fact, Plesk should really "control" the data that can be shared / uploaded by limiting that data to (a) a very limited set of data and (b) a limited set of data that is not harmful in any way (and that can never do harm in any sense).

For instance, Plesk should not "allow" Imunify to retrieve WP config files (since they contain access data that you do not want to share) - however, general WP files can be easily shared (since that can never do harm).

As an another example, Plesk should never "allow" Imunify to scan files or config files that are inherent to the server (since Imunify does not actually do anything with them, Imunify is not that advanced).

In my humble opinion, there is a black box called Imunify with too much unknowns and uncertainty - it is not a good thing that it exists.

Plesk should really consider alternatives to Imunify.

Kind regards......
 
trialotto said:
There is no legal ground for sharing data / uploading data by an extension, if that extension has not been installed explicitly and (legal) conditions have not been agreed with explicitly.
Click to expand...

trialotto said:
Plesk is - essentially - responsible for the current "data leak" and, if any "data leak" exists in a legal sense, Plesk can be fined in most European countries.
Click to expand...

Indeed.

PLESK's official silence on this issue makes the problem even more serious.
 
  • Like
Reactions: mow
@Fede Marsell

The statement

Fede Marsell said:
PLESK's official silence on this issue makes the problem even more serious.
Click to expand...

is not really accurate.

I can safely assume that Plesk is looking into the matter, before making any (bold or implicit/explicit) statements.

If that assumption can be proven to be incorrect, then there is a case of "negligence".

The legal aspects of this matter are essentially a Gordian Knot - it is hard to say who is responsible or even liable for what, since any responsibility / liability really depends on the factual reality.


Nevertheless, I adhere to your point of view that Plesk should investigate this matter fast and thoroughly.

It simply cannot be the case that an extension can - potentially or factually - be the root cause of any problem related to "data leaks".

In addition, it cannot be the case that an extension like Imunify is introduced and making a mess of Plesk or the proper functioning of Plesk.


In summary, it has been excellent that you pointed out an important topic ......... but we all have to have some patience and confidence.

However, it is always good if you (and others) keep posting, since those posts are essentially reminders to Plesk.


Kind regards....
 
/dev/null said:
We see the same on all our servers. Do not understand why this extension is pushed. :confused:
Click to expand...

My educated guess would be that Plesk has a business model, associated with the (paid for) extension.

At least in theory, the combination of "feedback" of all Plesk servers with respect to bad files and bad IPs would allow for the development of a better solution.

It is just a different way of thinking from my side .......... and in any environment of "core + extensions" there is no space for this odd way of thinking.

Stated differently, if Plesk was not that focused on "extensions", then the full ability of Plesk servers could have been used to create a proper solution.

Could, should, would....... it simply is the case that we have to deal with the Imunify extension or that Plesk should be dealing with that extension.

Kind regards....
 
trialotto said:
My educated guess would be that Plesk has a business model, associated with the (paid for) extension.

At least in theory, the combination of "feedback" of all Plesk servers with respect to bad files and bad IPs would allow for the development of a better solution.

It is just a different way of thinking from my side .......... and in any environment of "core + extensions" there is no space for this odd way of thinking.

Stated differently, if Plesk was not that focused on "extensions", then the full ability of Plesk servers could have been used to create a proper solution.

Could, should, would....... it simply is the case that we have to deal with the Imunify extension or that Plesk should be dealing with that extension.

Kind regards....
Click to expand...
 
I understand what your saying. Just wondering as we pay for licenses for a 'control panel' who is in 'control ' of the control panel....

For example Site jet was pushed . In the WP toolkit some external option was pushed. And now Immunify with out any notification and perhaps
that was a misunderstanding or something. But the Immunify scan (in the free version) which was pushed takes cpu processing power.
It would be nice if these kind of weird things would not be pushed.

/dev/null
 
/dev/null said:
I understand what your saying. Just wondering as we pay for licenses for a 'control panel' who is in 'control ' of the control panel....

For example Site jet was pushed . In the WP toolkit some external option was pushed. And now Immunify with out any notification and perhaps
that was a misunderstanding or something. But the Immunify scan (in the free version) which was pushed takes cpu processing power.
It would be nice if these kind of weird things would not be pushed.

/dev/null
Click to expand...

I'd like to know how much money PLESK makes by adding these extensions with such wonderful features (hiring a programmer, payment options sold through Sitejet or WP ToolKit, etc.).
 
  • Like
Reactions: mow
Hello everyone.

My name is Ekaterina and I am product manager of Imunify extension in Plesk.

I investigated this matter with CloudLinux and would like to share with you the findings.
Thank you for your patience.

Imunify is widely acknowledged as a reputable and trusted security extension, consistently demonstrating its effectiveness and reliability across a broad user base.To further ensure data protection, I conducted an internal review in collaboration with the CloudLinux team.

As result of internal check conducted with CloudLinux team they confirmed that extension does not use personal or sensitive data for security analysis and it is removed instantly once found while still being on the server. It means that the personal/sensitive data is not transferred externally or stored on their analysis server.

CloudLinux team has no intent and do not use any personal or sensitive data and only suspicious/malicious information is analysed in order to provide security on the server.

Appreciate your understanding.
 
Guys,
Yesterday I tried to access Updates page didn't want to load completely. So I was investigating why... I checked the autoinstaller.log and my DailyMaintenance was stuck at download.immunify360.com for over 3 hours and I needed to kill it. It also caused other processes to hang like enviromentccheck:pum.
 

Attachments

  • Zrzut ekranu 2025-07-24 o 12.27.36.png
    Zrzut ekranu 2025-07-24 o 12.27.36.png
    285.1 KB · Views: 5
You must log in or register to reply here.

Similar threads

F
Issue Important: Imunify auto installation and possible data leak
Replies
15
Views
2K
whsplesk
W
L
Question Why is there still no better built-in way for Remote Storage?
Replies
2
Views
805
ldoerrdotcom
L
C
Question Strategic questions
Replies
9
Views
4K
mow
M
Daerik
Resolved Plesk Migrator Failing to Sync Database Records After Server Upgrade
Replies
8
Views
2K
Maarten
M
H
Resolved Unable to Disable Node.js Application in Plesk – App Remains Accessible
Replies
1
Views
2K
HawkSky
H
Back
Top