ConfigServer eXploit Scanner (cxs) is a tool from us
that performs active scanning of files as they are
uploaded to the server. Initial
installation with recommended configuration options is
included with the license.
ConfigServer eXploit Scanner
Active scanning can be performed on all text files:
- Actively scans all modified files within user accounts using the cxs Watch daemon regardless of how they were uploaded
- PHP upload scripts (via a ModSecurity hook)
- Perl upload scripts (via a ModSecurity hook)
- CGI upload scripts (via a ModSecurity hook)
- Any other web script type that utilises the HTML form ENCTYPE multipart/form-data (via a ModSecurity hook)
The active scanning of files can help prevent
exploitation of an account by malware by deleting or moving
suspicious files to quarantine before they become active.
It can also prevent the uploading of PHP
and perl shell scripts, commonly used to launch more
malicious attacks and for sending spam.
cxs also allows you to perform on-demand scanning
of files, directories and user accounts for suspected
exploits, viruses and suspicious resources (files,
directories, symlinks, sockets).
You can run scans of existing user data
to see if exploits have been uploaded in the past or via
methods not covered by the active scanning. It has been
tuned for performance and scalability.
Exploit detection includes:
- Over 4000 known current exploit script fingerprint matches (in addition to standard ClamAV detection)
- Known viruses via ClamAV
- Regular expression pattern matching to help identify known/unknown exploits
- Filename matching
- Suspicious file names
- Suspicious file types
- Binary executables
- Some illegal web software installations
- Custom user specified regular expression patterns
- Comprehensive constant scanning of all user data using the cxs Watch daemon - scans all
user files as soon as they are modified
- Daily check for new Exploit Fingerprints
- Check for old version of popular web scripts (e.g. Wordpress, Joomla, osCommerce)
- Bayes probability scanning - scans scripts and passes the contents through an algorithm which produces a probability as to whether it is an exploit
- Monitor files and directories for changes and send an email report of activity
- IP Reputation System. The system provides a variety of IP blocklists gathered from information that is submitted by participating servers. This dual aspect provides the information to help protect the server using the reputation from active attacks
- Major update to Script Version Scanning. cxs now scans for more than 200 individual applications, more than 200 WordPress plugins and more than 200 Joomla Extensions. Over 700 in total!
- cxs Setup Wizard to the UI for easy first-time configuration
- cxs Command Wizard to help create effective scan commands
- new quarantine interface via an SQLite database
- statistics to provide information at a glance as to what cxs has been doing
- command Wizards to help configure cxs Watch and Modsecurity
- cxs Daily/Weekly Scan Wizard, to create and modify cron jobs in /etc/cron.d/cxs-cron
- EXPERIMENTAL support for RHEL v7.* fanotify and CloudLinux v7.* File Change API
- New in v11: Added official InterWorx support
- New in v11: Added official DirectAdmin support
- New in v11: Added official BETA Plesk Onyx/Obsidian support
- New in v11: Added official BETA VestaCP support
- New in v11: Added official BETA CentOS Web Panel (CWP) support
- New in v11: Added official BETA CyberPanel support
- ... and lots more!
Web-based User Interface:
Included with the cxs Command Line Interface (CLI) is a web-based User Interface (UI) to help:
- Run scans
- Schedule and Edit scans via CRON
- Compose CLI scan commands
- View, Delete and Restore files from Quarantine
- View documentation
- Set and Edit default values for scans
- Edit commonly used cxs files
Note: cxs is not a rootkit scanner, though it can help detect rootkits uploaded to user accounts.
Frequently Asked Questions
Please read the cxs FAQ before ordering cxs.
- cPanel/WHM - latest versions fully supported
- InterWorx - latest versions fully supported
- DirectAdmin - latest versions fully supported
- Plesk Onyx/Obsidian - latest versions (BETA)
- VestaCP - latest versions (BETA)
- CentOS Web Panel - latest versions (BETA))
- CyberPanel - latest versions (BETA)
- Server with static IPv4 or IPv6 address (for licensing)
- Redhat/CentOS/RockyLinux/CloudLinux/AlmaLinux Linux v7/8
- ClamAV daemon process, for virus scanning
- SQLite v3, for the quarantine, report and statistics database
- ModSecurity v2+, for web script upload scanning (this is not required)
Support is not guaranteed for servers running services from 1h.com, ASL or Bitninja.
We only provide support for supported versions of the OS and latest versions of the control panel. EOL versions are not supported. BETA versions are supported but there may be absent features and bugs, installation is not included.
We no longer provide support for Virtuozzo or OpenVZ servers. While the product may work on these types of containers, there may be issues that we cannot support
Additional requirements for cxs Watch daemon:
- Kernel with inotify support, e.g. RedHat/CentOS/RockyLinux/AlmaLinux/CloudLinux v6/7+ OS vendor kernels - required for cxs Watch daemon
cxs is a commercial product that is sold and licensed on a per server basis. Unlike competing products, it is strictly a one-time per server license purchase with updates for the life of the product, all at a reasonable price! Initial default installation on a single server per license is included in the price. Please see the FAQ for more information about discounts and installation.
Bulk purchase discounts are available. Please see the cxs FAQ.
A license for cxs is also included free when you purchase our cPanel Service Package