Sentinel Anti-malware extension - Plesk

Sentinel Anti-malware

Sentinel Anti-malware gives you open source standard for anti-malware scanning from Linux Malware Detect and ClamAV. Both combined with a user-friendly web interface designed just for Plesk.

Sentinel uses threat data from network edge IPS, community data, ClamAV, and user submission systems. This to extract malware actively being used in attacks.

The threat landscape in today's hosted environments is different from the standard AV products detection suite. Because they're detecting primarily OS level trojans, rootkits and traditional file-infecting viruses, but missing the increasing variety of malware on the user account level - which serves as an attack platform.

Get more Info here


  • This is a paid extension made for power users and service providers. System admin experience recommended.
  • On Centos/RHEL/Cloudlinux, EPEL repository will be enabled.
  • ClamAV packages will be installed on install and removed on uninstall (if the Warden Anti-spam and Virus Protection Plesk extension isn't also installed).
  • Linux Malware Detect will be installed on install and removed on uninstall.


Linux Malware Detect
Anti-malware engine designed around the threats faced in today's hosting environments. It uses multifaceted threat data from network edge IPS, community data, ClamAV, and user submission systems to extract malware actively used in attacks.

  • Network Edge IPS - The IPS events are processed to extract malware url's, decode POST payload and base64/gzip encoded abuse data and ultimately that malware is retrieved, reviewed, classified and then signatures generated as appropriate.
  • Community Data - Data is aggregated from multiple community malware websites such as clean-mx and malware domain list then processed to retrieve new malware, review, classify and then generate signatures.
  • ClamAV - The HEX & MD5 detection signatures from ClamAV are monitored for relevant updates that apply to the target user group of LMD and added to the project as appropriate.
  • User Submission - users can submit suspected malware for review. This has become a very popular feature and generates on average about 30-50 submissions per week.

ClamAV Anti-virus
The ClamAV® open source multi-threaded scanner daemon detects trojans, viruses, malware and other malicious threats. Extended signatures from Malware Expert provide ultimate detection of PHP based malware.

  • Advanced database updater with support for scripted updates and digital signatures.
  • The virus signatures are updated multiple times per day.
  • Built-in support for various archive formats, including Zip, RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others.
  • Built-in support for ELF executables and Portable Executable files packed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others.

On-demand Scanning
Sentinel lets you scan a domain's web folder in a few clicks. The scan can automatically quarantine detected threats (if enabled), let you quarantine or send a customer an email report.

  • MD5 file hash detection for quick threat identification.
  • HEX based pattern matching for identifying threat variants.
  • Statistical analysis component for detection of obfuscated threats.
  • Integrated detection of ClamAV to use as scanner engine for improved performance.
  • Scan-recent option to scan only files that have been added/changed in X days.
  • Scan using regular expression options to include or exclude matching files.

Quarantine Malware
Malware can be quarantined storing threats in a safe fashion with no permissions. You can optionally restore files to original path, owner and permissions.

  • Quarantine queue that stores threats in a safe fashion with no permissions.
  • Quarantine batching option to quarantine the results of a current or past scans.
  • Quarantine restore option to restore files to original path, owner and permissions.

Clean Infected Files
Cleaner rules will attempt to remove malware injected strings. Supports base64 and gzinflate (base64 injected malware). After clean is performed it will be re-scanned and verify that the clean was successful.

  • Cleaner rules to attempt removal of malware injected strings.
  • Cleaner batching option to attempt cleaning of previous scan reports.
  • Cleaner rules to remove base64 and gzinflate (base64 injected malware).

Real-time Scanning
Kernel based inotify real-time file scanning of created/modified/moved files. Monitor your entire vhosts directory tree an instantly scan any changed files. All of its resources are inside kernel memory and has a very small cpu usage and userspace footprint in memory.

  • Kernel based inotify real time file scanning of created / modified / moved files.
  • Kernel inotify monitor that can take path data from STDIN or FILE.
  • Kernel inotify monitor with dynamic sysctl limits for optimal performance.
  • Kernel inotify alerting through daily and/or optional weekly reports.

Signature updates
Signatures are updated typically once per day or more frequently depending on incoming threat data, IPS malware extraction and other sources. Signatures are derived from tracking active in the wild threats that are currently circulating. Threat data includes Network Edge IPS, community, ClamAV, and user submissions.

  • Signature updates are performed daily via default cron.daily script.
  • You can check for updates manually via the Sentinel interface or the command line using the --update option.
  • RSS & XML data source is available for tracking malware threat updates.
  • Extended ClamAV signatures from Malware Expert help improve the detection rate of malware from PHP files.

Ignore Options
Sentinel gives you multiple options to minimize any false positives. Ignore specific paths, file extensions or whitelist bad signatures with just a few clicks.

  • Ignore specific paths from malware scanning.
  • Ignore specific file extensions from malware scanning.
  • Ignore specific signatures from triggering false positives.
  • Regular expression support for excluding certain files from scanning.

Domain Monitoring
Sentinel allows you to check the blacklist status of your domains using the Google Safe Browsing service.

  • Run a nightly, weekly, or monthly check on your domains and get notified by email when a domain gets blacklisted.
  • View the threat type and platform that is reported back by the Google Safe Browsing service.
  • View a full history of every check so you can see exactly when a domain was compromised.
  • Enable or disable notifications for administrators, resellers, or clients.

Multi-Language Support : English, German, French, Spanish, Italian, Dutch, Polish, Portuguese, Russian, Chinese Simplified & Traditional, Japanese.

Supported Operating Systems : Centos 7.x, Cloudlinux 7.x, Debian 9.0, Debian 8.0, RedHat Enterprise Linux 7.x, Ubuntu 16.04

Supported VPS: Virtuozzo, OpenVZ, KVM, Xen, Vmware, HyperV.

  • Virtuozzo / OpenVZ VPS may require /proc/sys/fs/inotify/max_user_watches to be increased by your provider for Real-time File Monitoring if more inotify resources are required than is set. Some providers may not be willing to do this.

Supported Plesk Versions: Plesk 17.x

Third Party Software: Linux Malware Detect 1.6.2, ClamAV 1.00+

Memory Required: Minimum 1.5 GB system memory with at least 300 MB free

Platform unix

Support | Documentation
Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Start typing and press Enter to search