With Sentinel Anti-malware, you get the open source standard for anti-malware scanning from Linux Malware Detect and ClamAV combined with a user friendly web interface designed specifically for the Plesk control panel.
Sentinel uses multifaceted threat data from network edge IPS, community data, ClamAV, and user submission systems to extract malware that is actively being used in attacks.
The threat landscape in todays hosted environments is unique from that of the standard AV products detection suite in that they are detecting primarily OS level trojans, rootkits and traditional file-infecting viruses but missing the ever increasing variety of malware on the user account level which serves as an attack platform.
- This is a paid extension that is designed for power users and service providers. Some system administration experience is recommended.
- On Centos/RHEL/Cloudlinux the EPEL repository will be enabled.
- ClamAV packages will be installed on install and removed on uninstall (if the Warden Anti-spam and Virus Protection Plesk extension is not also installed).
- Linux Malware Detect will be installed on install and removed on uninstall.
Linux Malware Detect
Anti-malware engine designed around the threats faced in today’s hosting environments. It uses multifaceted threat data from network edge IPS, community data, ClamAV, and user submission systems to extract malware that is actively being used in attacks.
- Network Edge IPS – The IPS events are processed to extract malware url’s, decode POST payload and base64/gzip encoded abuse data and ultimately that malware is retrieved, reviewed, classified and then signatures generated as appropriate.
- Community Data – Data is aggregated from multiple community malware websites such as clean-mx and malwaredomainlist then processed to retrieve new malware, review, classify and then generate signatures.
- ClamAV – The HEX & MD5 detection signatures from ClamAV are monitored for relevant updates that apply to the target user group of LMD and added to the project as appropriate.
- User Submission – checkout feature that allows users to submit suspected malware for review, this has grown into a very popular feature and generates on average about 30-50 submissions per week.
The ClamAV® open source multi-threaded scanner daemon detects trojans, viruses, malware and other malicious threats. Extended signatures from Malware Expert provide ultimate detection of PHP based malware.
- Advanced database updater with support for scripted updates and digital signatures.
- The virus signatures are updated multiple times per day.
- Built-in support for various archive formats, including Zip, RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others.
- Built-in support for ELF executables and Portable Executable files packed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others.
Sentinel allows you to scan a domains web folder with just a few clicks. The scan can automatically quarantine detected threats (if enabled) or allow you to quarantine or email a report the the customer.
- MD5 file hash detection for quick threat identification.
- HEX based pattern matching for identifying threat variants.
- Statistical analysis component for detection of obfuscated threats.
- Integrated detection of ClamAV to use as scanner engine for improved performance.
- Scan-recent option to scan only files that have been added/changed in X days.
- Scan using regular expression options to include or exclude matching files.
Malware can be quatantined storing threats in a safe fashion with no permissions. You can optionally restore files to original path, owner and permissions.
- Quarantine queue that stores threats in a safe fashion with no permissions.
- Quarantine batching option to quarantine the results of a current or past scans.
- Quarantine restore option to restore files to original path, owner and permissions.
- View, edit, download and restore quarantined files using your web browser.
Clean Infected Files
Cleaner rules will attempt to remove malware injected strings. Supports base64 and gzinflate (base64 injected malware). After clean is performed it will be re-scanned and verify that the clean was successful.
- Cleaner rules to attempt removal of malware injected strings.
- Cleaner batching option to attempt cleaning of previous scan reports.
- Cleaner rules to remove base64 and gzinflate (base64 injected malware).
Kernel based inotify real-time file scanning of created/modified/moved files. Monitor your entire vhosts directory and instantly scan any changed files. All of its resources are inside kernel memory and has a very small cpu usage and userspace footprint in memory.
- Kernel based inotify real time file scanning of created / modified / moved files.
- Kernel inotify monitor that can take path data from STDIN or FILE.
- Kernel inotify monitor with dynamic sysctl limits for optimal performance.
- Kernel inotify alerting through daily and/or optional weekly reports.
Signatures are updated typically once per day or more frequently depending on incoming threat data, IPS malware extraction and other sources. Signatures are derived from tracking active in the wild threats that are currently circulating. Threat data includes Network Edge IPS, community, ClamAV, and user submissions.
- Signature updates are performed daily through the default cron.daily script.
- You can check for updates manually via the Sentinel interface or the command line using the –update option.
- RSS & XML data source is available for tracking malware threat updates.
- Extended ClamAV signatures from Malware Expert help improve the detection rate of malware from PHP files.
Sentinel gives you multiple options to minimize any false positives. Ignore specific paths, file extensions or whitelist bad signatures with just a few clicks.
- Ignore specific paths from malware scanning.
- Ignore specific file extensions from malware scanning.
- Ignore specific signatures from triggering false positives.
- Regular expression support for excluding certain files from scanning.
Sentinel allows you to check the blacklist status of your domains using the Web Risk API service.
- Run a nightly, weekly, or monthly check on your domains and get notified by email when a domain gets blacklisted.
- View the threat type and platform that is reported back by the Web Risk API service.
- View a full history of every check so you can see exactly when a domain was compromised.
- Enable or disable notifications for administrators, resellers, or clients.
Supported Operating Systems
- AlmaLinux 8.x
- Centos 7.x
- CloudLinux 8.x
- CloudLinux 7.x
- Debian 11.x
- Debian 10.x
- Debian 9.x
- RedHat Enterprise Linux 8.x
- RedHat Enterprise Linux 7.x
- Rocky Linux 8.x
- Ubuntu 22.04
- Ubuntu 20.04
- Ubuntu 18.04
- Virtuozzo *
- OpenVZ *
* Virtuozzo / OpenVZ VPS may require
/proc/sys/fs/inotify/max_user_watches to be increased by your provider for real-time file monitoring.
Some providers may not be willing to do this.
Supported Plesk Versions
Plesk Obsidian 18.x, Plesk Onyx 17.8.11
Third Party Software
Linux Malware Detect, ClamAV packages from EPEL or Debian/Ubuntu Repositories
Minimum 2 GB system memory with at least 600 MB free if installing ClamAV (optional)