mage2kishan/module-malware-scanner

Active malware prevention + on-disk scanner for Magento 2. Three real-time guards (REST API, universal upload, custom-options) block PolyShell webshells, polyglot files and PHP-object-injection payloads BEFORE they touch disk. A nightly recursive scanner finds anything that slipped through, auto-qua

Package info

Repository: github.com/mage2sk/module-malware-scanner

Type: magento2-module

Package URL: pkg:composer/mage2kishan/module-malware-scanner

Statistics

Installs: 0

Dependents: 0

Suggesters: 0

Stars: 0

Open Issues: 0

1.0.0 2026-04-12 07:06 UTC

This package is auto-updated.

Last update: 2026-04-12 07:08:18 UTC


README

Magento 2.4.4 - 2.4.8 | PHP 8.1 - 8.4 | Hyva Compatible | Luma Compatible

Active malware prevention + on-disk scanner for Magento 2 — built to stop PolyShell, polyglot webshells, and PHP-object-injection attacks before they touch your filesystem, plus a nightly recursive scanner that finds anything that slipped through.

Three real-time runtime guards. One auto-quarantine sweep. A built-in vendor allowlist that keeps legitimate framework and test-tool code out of the findings grid.

✨ Why this extension

|  | Other security extensions | Panth Malware Scanner |
|---|---|---|
| Detection style | Reactive (scan after infection) | Reactive AND preventive — three runtime guards block uploads BEFORE they touch disk |
| REST API hardening | Usually none | Plugin on Magento\Webapi\Controller\Rest::dispatch — catches every POST/PUT/PATCH including base64-wrapped PolyShell payloads |
| Universal upload guard | Often only product images | Plugin on Magento\Framework\File\Uploader::save — covers WYSIWYG, swatches, themes, customer attachments, GraphQL uploads |
| Custom-options guard | Rare | Plugin on ValidatorFile::validate — catches the exact PolyShell entry point |
| Auto-quarantine | Rare or unsafe | Two-layer safelist — only auto-removes inside writable upload zones, NEVER touches vendor/, app/code/, lib/, generated/, etc. |
| False positives on vendor | Constant noise | Built-in allowlist for codesniffer fixtures, rector rules, phpunit, symfony error-handler, polyfills, composer internals |
| Signature catalog | Hard-coded | 26+ signatures derived from sansec.io PolyShell research, updatable via SignatureProvider |
| Uses ObjectManager? | Often | Never — full constructor injection |

🎯 Features

Real-time prevention (3 runtime guards)

  • Universal upload guard: Plugin\Framework\UploaderGuard hooks Magento\Framework\File\Uploader::save(). Inspects every uploaded temp file from WYSIWYG, product images, swatches, themes, customer attachments, imports, and GraphQL — BEFORE the file moves into pub/media. Polyglots and PHP-tag files are rejected with HTTP 500 + a CRITICAL log entry.
  • REST API request guard: Plugin\Webapi\RestRequestGuard is plugged on Magento\Webapi\Controller\Rest::dispatch. Scans every POST/PUT/PATCH body for IOC needles and base64-wrapped PolyShell payloads inside JSON file_content fields. Aborts with HTTP 400 before the controller resolves.
  • Custom-options upload guard: Plugin\Catalog\CustomOptionFileGuard on Magento\Catalog\Model\Product\Option\Type\File\ValidatorFile::validate. Catches the exact PolyShell entry point — files uploaded as product custom options.
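The detection core of a REST request guard, as an added example. This is not the module's Plugin\Webapi\RestRequestGuard; it is illustrative code written for this page. It assumes the guard is handed the raw request body as a string; the needle list, the helper names and the sample payload (shaped like the entry/content object of Magento's POST /V1/products/{sku}/media call) are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the module's code: check the raw body first, then decode every
// string leaf of the JSON document that looks like base64 and check the bytes, so a
// PHP file smuggled inside a JSON field is matched the same way as a plain upload.

/** Needles an uploaded "image" must never carry (constructed list, not the module's catalog). */
const REST_NEEDLES = ['<?php', 'eval(base64_decode', 'assert($_REQUEST', 'system($_REQUEST'];

/** Heuristic: a base64 file body, as opposed to a short word that happens to be base64-safe. */
function looksLikeBase64(string $s): bool
{
    $s = preg_replace('/\s+/', '', $s); // tolerate line-wrapped base64
    return strlen($s) >= 16
        && strlen($s) % 4 === 0
        && preg_match('#\A[A-Za-z0-9+/]+={0,2}\z#', $s) === 1;
}

/** Walk a decoded JSON structure, yielding every string leaf keyed by its dotted path. */
function stringLeaves(mixed $node, string $path = ''): Generator
{
    if (is_string($node)) {
        yield $path => $node;
    } elseif (is_array($node)) {
        foreach ($node as $key => $child) {
            yield from stringLeaves($child, $path === '' ? (string) $key : $path . '.' . $key);
        }
    }
}

/** First needle found in the haystack, or null. Binary-safe and case-insensitive. */
function matchNeedle(string $haystack): ?string
{
    foreach (REST_NEEDLES as $needle) {
        if (stripos($haystack, $needle) !== false) {
            return $needle;
        }
    }
    return null;
}

/**
 * Returns null for a clean body, otherwise where and how the payload was found:
 * ['path' => dotted JSON path ('$' = raw body), 'needle' => ..., 'encoding' => 'raw'|'base64'].
 */
function scanRestBody(string $body): ?array
{
    if (($needle = matchNeedle($body)) !== null) {
        return ['path' => '$', 'needle' => $needle, 'encoding' => 'raw'];
    }
    $decoded = json_decode($body, true);
    if (!is_array($decoded)) {
        return null; // not a JSON object/array: nothing further to unwrap
    }
    foreach (stringLeaves($decoded) as $path => $value) {
        if (!looksLikeBase64($value)) {
            continue;
        }
        $bytes = base64_decode(preg_replace('/\s+/', '', $value), true); // strict: reject junk
        if ($bytes !== false && ($needle = matchNeedle($bytes)) !== null) {
            return ['path' => $path, 'needle' => $needle, 'encoding' => 'base64'];
        }
    }
    return null;
}

// Constructed samples: a GIF/PHP polyglot and a plain GIF header, each wrapped the way
// Magento's product media REST call carries image bytes.
function mediaPayload(string $imageBytes): string
{
    return json_encode(['entry' => [
        'media_type' => 'image',
        'label'      => 'hero',
        'content'    => ['base64_encoded_data' => base64_encode($imageBytes), 'type' => 'image/gif', 'name' => 'hero.gif'],
    ]]);
}
$polyglot = "GIF89a\x01\x00\x01\x00<?php eval(base64_decode(\$_POST['c'])); ?>";
var_dump(scanRestBody(mediaPayload($polyglot)));
var_dump(scanRestBody(mediaPayload("GIF89a\x01\x00\x01\x00")));
```

For the polyglot payload scanRestBody() reports the needle `<?php` at entry.content.base64_encoded_data with encoding base64; for the plain GIF header it returns null. Wired into Magento this would be a before plugin on Rest::dispatch that reads the body from the request object and throws a Webapi exception carrying HTTP 400 when a finding comes back; that wiring is assumed, not shown. Two deliberate choices: the raw body is checked before any decoding, so an unwrapped payload or a hostile filename is caught without JSON parsing, and the needle list sticks to multi-byte strings because a three-byte needle such as the short echo tag appears by chance in ordinary binary image data often enough to flag legitimate uploads. URL-safe base64 (`-` and `_`) is not unwrapped here; add that alphabet if the API you guard accepts it.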

Auto-quarantine sweep (with two-layer safelist)

  • Files matching a CRITICAL signature inside one of the configured Quarantine Zones are automatically moved to var/panth_malware_quarantine/ with mode 0600 on every scan.
  • Default zones: pub/media, var/import, var/export, var/tmp, var/importexport. Configurable.
  • Hard blocklist refuses to honour app/code, app/design, app/etc, vendor, lib, generated, bin, setup, pub/static, dev — even if an admin pastes them into the textarea. Vendor and app/code files are NEVER auto-removed, no matter what severity they match. They are reported only.

Built-in vendor allowlist

Several legitimate dev/test/framework packages ship files containing "malicious" patterns because they ARE the patterns those tools detect (codesniffer test fixtures, rector rules, phpunit fixtures, the Symfony error-handler ghost SVG template). The scanner ships with a built-in path-prefix allowlist that skips these packages BEFORE signature evaluation, so the admin grid never fills with false positives.

Hard-coded allowlist covers: vendor/squizlabs/php_codesniffer/, vendor/magento/magento-coding-standard/, vendor/phpcompatibility/, vendor/friendsofphp/php-cs-fixer/, vendor/phpmd/, vendor/phpstan/, vendor/phan/phan/, vendor/rector/rector/, vendor/symplify/, vendor/phpunit/, vendor/sebastian/, vendor/theseer/, vendor/myclabs/deep-copy/, vendor/nikic/php-parser/, vendor/doctrine/instantiator/, vendor/mockery/mockery/, vendor/codeception/, vendor/behat/, vendor/symfony/error-handler/Resources/, vendor/symfony/polyfill-, vendor/symfony/var-dumper/Resources/, vendor/composer/, vendor/magento/framework/Test/, vendor/magento/zendframework1/tests/, dev/tests/. Admins can extend it from the configuration page.
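The path policy behind the vendor allowlist and the two-layer quarantine safelist, as an added example. This is not the module's code; it is illustrative code written for this page. It assumes all paths are expressed relative to the Magento root and that the caller has already resolved symlinks with realpath(); the prefix lists are a constructed subset of the ones above, and the helper names are the example's own.

```php
<?php
declare(strict_types=1);

// Added example, not the module's code. Layer 1 rejects configured zones that collide
// with the hard blocklist; layer 2 checks each finding against both its reported path
// and its symlink-resolved path, so neither '..' nor a symlink can drag the quarantine
// into vendor/ or app/code/.

const ALLOWLIST_PREFIXES = [
    'vendor/squizlabs/php_codesniffer/',
    'vendor/phpunit/',
    'vendor/symfony/polyfill-', // bare prefix on purpose: polyfill-mbstring, polyfill-php80, ...
    'dev/tests/',
];
const HARD_BLOCKLIST = ['app/code', 'app/design', 'app/etc', 'vendor', 'lib', 'generated', 'bin', 'setup', 'pub/static', 'dev'];

/** Collapse '.', '..', backslashes and repeated slashes without touching the filesystem. */
function normalizeRelative(string $path): string
{
    $out = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out); // never climbs above the root
            continue;
        }
        $out[] = $seg;
    }
    return implode('/', $out);
}

/** Segment-aware containment: 'vendor' contains 'vendor/x.php' but not 'vendors/x.php'. */
function underDir(string $path, string $dir): bool
{
    return $path === $dir || str_starts_with($path, $dir . '/');
}

/** Allowlisted files are skipped before any signature runs (plain string prefix, on purpose). */
function isAllowlisted(string $path): bool
{
    $path = normalizeRelative($path);
    foreach (ALLOWLIST_PREFIXES as $prefix) {
        if (str_starts_with($path, $prefix)) {
            return true;
        }
    }
    return false;
}

/** Layer 1: drop any configured zone that is, contains, or sits inside a hard-blocked tree. */
function effectiveZones(array $configured): array
{
    $zones = [];
    foreach ($configured as $zone) {
        $zone = normalizeRelative($zone);
        if ($zone === '') {
            continue; // the root would contain everything
        }
        foreach (HARD_BLOCKLIST as $blocked) {
            if (underDir($zone, $blocked) || underDir($blocked, $zone)) {
                continue 2;
            }
        }
        $zones[] = $zone;
    }
    return $zones;
}

/** Layer 2: both the reported and the resolved path must sit inside one zone and outside every blocked tree. */
function mayQuarantine(string $reportedPath, string $resolvedPath, array $zones): bool
{
    $logical  = normalizeRelative($reportedPath);
    $physical = normalizeRelative($resolvedPath);
    foreach ([$logical, $physical] as $p) {
        foreach (HARD_BLOCKLIST as $blocked) {
            if (underDir($p, $blocked)) {
                return false;
            }
        }
    }
    foreach ($zones as $zone) {
        if (underDir($logical, $zone) && underDir($physical, $zone)) {
            return true;
        }
    }
    return false;
}

// Constructed cases: an admin pasted 'vendor', 'app' and an empty line into the zones
// textarea; one finding escapes via '..', another is a symlink inside pub/media that
// really points into vendor/.
$zones = effectiveZones(['pub/media', 'var/import', 'vendor', 'app', '']);
var_dump($zones);
var_dump(mayQuarantine('pub/media/wysiwyg/x.php', 'pub/media/wysiwyg/x.php', $zones));      // plain upload
var_dump(mayQuarantine('pub/media/../app/code/Foo/x.php', 'app/code/Foo/x.php', $zones)); // traversal
var_dump(mayQuarantine('pub/media/link/x.php', 'vendor/magento/x.php', $zones));          // symlink
var_dump(isAllowlisted('vendor/phpunit/phpunit/tests/fixtures/x.php'));
```

Running it, effectiveZones() keeps only pub/media and var/import; the plain upload is eligible for quarantine, the traversal and the symlink cases are refused, and the phpunit fixture is allowlisted. The quarantine move itself (rename into var/panth_malware_quarantine/ followed by chmod 0600) is the easy part; the point of the example is that the decision uses segment-aware containment rather than a string prefix, since a prefix check would let a zone named `pub/media` cover `pub/media-backup`, and that it is evaluated on the resolved path as well as the reported one.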

Signature catalog (26+ patterns)

  • PolyShell IOCs (filenames, hashes, beacon strings, C2 domains)
  • Polyglot detection (image header + <?php)
  • Generic webshell heuristics (eval(base64_decode), assert($_REQUEST), system($_REQUEST), preg_replace /e modifier, etc.)
  • .htaccess PHP handler tampering
  • SQL INSERT INTO admin_user (privilege escalation scripts)
  • PolyShell C2 domains (lanhd6549tdhse.top, jslibrary.net, canevaslab.com)
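A minimal signature catalog in the same categories as the list above, with a scanner that returns the highest-severity match, as an added example. This is not the module's SignatureProvider or its 26+ signatures; it is illustrative code written for this page. The pattern text, the severity scale and the sample files are the example's own; the three C2 domains are the ones named above.

```php
<?php
declare(strict_types=1);

// Added example, not the module's catalog. Patterns are byte-wise PCRE (no /u), so they
// work on image data as well as PHP source.

const SEV_MEDIUM = 2, SEV_HIGH = 3, SEV_CRITICAL = 4;
const IMAGE_EXTS = ['jpg', 'jpeg', 'png', 'gif'];

/** id => [severity, PCRE pattern, extension filter or null for any file]. */
function signatureCatalog(): array
{
    return [
        // Polyglots: a real image header followed, within the first 64 KiB, by a PHP open tag.
        'polyglot_gif_php'  => [SEV_CRITICAL, '/\AGIF8[79]a[\s\S]{0,65535}<\?php\b/i', IMAGE_EXTS],
        'polyglot_jpeg_php' => [SEV_CRITICAL, '/\A\xFF\xD8\xFF[\s\S]{0,65535}<\?php\b/i', IMAGE_EXTS],
        'polyglot_png_php'  => [SEV_CRITICAL, '/\A\x89PNG\r\n\x1a\n[\s\S]{0,65535}<\?php\b/i', IMAGE_EXTS],
        // Generic webshell heuristics.
        'eval_decoder'      => [SEV_CRITICAL, '/\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i', null],
        'exec_from_request' => [SEV_CRITICAL, '/\b(?:assert|system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b/i', null],
        'preg_replace_e'    => [SEV_HIGH,     '/preg_replace\s*\(\s*[\'"][^\'"]*\/[imsxu]*e[imsxu]*[\'"]/i', null],
        // .htaccess handler tampering: re-enabling PHP execution inside an upload directory.
        'htaccess_php_on'   => [SEV_HIGH,     '/^\s*(?:AddHandler|SetHandler|AddType)\s+application\/x-httpd-php|^\s*php_flag\s+engine\s+(?:1|on)\b/im', ['htaccess']],
        // Privilege-escalation script creating an admin.
        'admin_user_insert' => [SEV_CRITICAL, '/INSERT\s+INTO\s+`?admin_user`?\b/i', null],
        // PolyShell C2 domains from the list above.
        'polyshell_c2'      => [SEV_CRITICAL, '/\b(?:lanhd6549tdhse\.top|jslibrary\.net|canevaslab\.com)\b/i', null],
    ];
}

/** Returns null when nothing matches, else ['id' => ..., 'severity' => ...] for the top hit. */
function scanBytes(string $fileName, string $bytes): ?array
{
    $ext  = strtolower(pathinfo($fileName, PATHINFO_EXTENSION)); // '.htaccess' yields 'htaccess'
    $best = null;
    foreach (signatureCatalog() as $id => [$severity, $pattern, $exts]) {
        if ($exts !== null && !in_array($ext, $exts, true)) {
            continue;
        }
        if (preg_match($pattern, $bytes) === 1 && ($best === null || $severity > $best['severity'])) {
            $best = ['id' => $id, 'severity' => $severity];
        }
    }
    return $best;
}

// Constructed samples: a JPEG/PHP polyglot, a stock-style upload-directory .htaccess that
// DISABLES PHP, a tampered one that re-enables it, a benign preg_replace and an /e webshell.
$samples = [
    'pub/media/wysiwyg/hero.jpg'      => "\xFF\xD8\xFF\xE0" . str_repeat("\0", 64) . "<?php eval(base64_decode(\$_POST['c'])); ?>",
    'pub/media/.htaccess'             => "AddHandler cgi-script .php .pl .py\nOptions -ExecCGI\n<IfModule mod_php7.c>\n    php_flag engine 0\n</IfModule>\n",
    'pub/media/catalog/.htaccess'     => "AddHandler application/x-httpd-php .jpg\n",
    'app/code/Vendor/Mod/Helper.php'  => "<?php\nreturn preg_replace('/x/', 'y', \$s);\n",
    'var/tmp/up.php'                  => "<?php\necho preg_replace('/(.*)/e', '\\1', \$_GET['q']);\n",
];
foreach ($samples as $name => $bytes) {
    var_dump($name, scanBytes($name, $bytes));
}
```

Running it, hero.jpg reports polyglot_jpeg_php at CRITICAL (it also matches eval_decoder, but the first CRITICAL hit is kept), the stock-style .htaccess and the benign helper report nothing, the tampered .htaccess reports htaccess_php_on at HIGH, and up.php reports preg_replace_e at HIGH. The .htaccess rule is the caveat worth copying: an upload directory's .htaccess legitimately mentions `.php` when it maps PHP to a non-executing handler and turns the engine off, as Magento's stock pub/media/.htaccess does, so a naive "php inside .htaccess" pattern would flag every store. Keying on application/x-httpd-php and on `php_flag engine on` flags the change that actually re-enables execution.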

Admin

  • Stores → Configuration → Panth Extensions → Malware Scanner configures every knob: scan paths, exclude paths, file size limits, auto-quarantine, quarantine zones, allowlist paths, cron, email notifications, severity threshold
  • Stores → Panth Infotech → Malware Scanner → Documentation — in-admin reference covering architecture, every signature category, hardening guide, troubleshooting matrix, CLI reference
  • Stores → Panth Infotech → Malware Scanner → Findings — admin grid with severity colour coding, mass actions, per-row View / Quarantine / Ignore, read-only file viewer with hex dump

CLI + cron

  • bin/magento panth:malware:scan — manual scan with progress output
  • Daily cron at 03:00 (configurable)
  • Email notifications for new findings above the configured severity threshold (only once per finding hash, so reinfections re-notify)

📦 Installation

Via Composer (recommended)

composer require mage2kishan/module-malware-scanner
bin/magento module:enable Panth_Core Panth_MalwareScanner
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento setup:static-content:deploy -f
bin/magento cache:flush

Via uploaded zip

  1. Download the extension zip from the Marketplace
  2. Extract to app/code/Panth/MalwareScanner
  3. Make sure app/code/Panth/Core is also installed
  4. Run the same commands above starting from module:enable

Verify

bin/magento module:status Panth_MalwareScanner
# Module is enabled
bin/magento panth:malware:scan
# scanned=NNNNN findings=N

🛠 Requirements

Required
Magento 2.4.4 — 2.4.8 (Open Source / Commerce / Cloud)
PHP 8.1 / 8.2 / 8.3 / 8.4
mage2kishan/module-core ^1.0 (installed automatically as a composer dependency)

🔧 Configuration

Open Stores → Configuration → Panth Extensions → Malware Scanner.

General

  • Enable Module — master kill switch
  • Max File Size to Scan (KB) (default 2048) — files larger are skipped
  • Scan Paths — defaults to pub/media app/code vendor var generated lib bin setup pub/static
  • Exclude Paths — defaults to var/cache var/log var/page_cache var/session var/tmp var/view_preprocessed var/composer_home generated/code generated/metadata pub/static/_cache pub/static/frontend pub/static/adminhtml pub/media/catalog/product/cache
  • File Extensions to Scan — defaults to php,phtml,phar,php3,php4,php5,php7,phps,inc,htaccess,jpg,jpeg,png,gif,svg,html,htm,js

Active Protection

  • Auto-Quarantine Critical Findings (default Yes) — moves CRITICAL files inside Quarantine Zones to var/panth_malware_quarantine/
  • Quarantine Zones — paths where auto-quarantine is allowed. Default: pub/media var/import var/export var/tmp var/importexport. Hard-coded blocklist refuses app/code, vendor, lib, generated, etc. even if pasted in.
  • Extra Allowlist Paths — extends the built-in vendor allowlist with custom-vendor paths

Scheduled Scan

  • Enable Cron Scan (default Yes)
  • Cron Expression (default 0 3 * * * — daily at 3 AM)

Email Notifications

  • Send Email on Detection (default Yes)
  • Recipient Emails — one per line
  • Minimum Severity for Email — Low / Medium / High / Critical

📚 Documentation

Full administrator + developer documentation is built into the admin panel:

Stores → Panth Infotech → Malware Scanner → Documentation

It covers the architecture diagram, every signature category, the PolyShell incident response guide, optional nginx / Apache hardening rules, the WAF / CDN recommendations, the file integrity monitoring (auditd / inotify) setup, two-factor authentication checklist, backup strategy, and the full CLI reference.

🆘 Support

Email: kishansavaliyakb@gmail.com
Website: https://kishansavaliya.com
WhatsApp: +91 84012 70422

Response time: 1-2 business days for paid licenses.

📄 License

Commercial — see LICENSE.txt. One license per Magento production installation. Includes 12 months of free updates and email support.

No security guarantee. This extension is one layer in a multi-layer defence-in-depth security strategy. It is not a substitute for security patches, secure coding practices, web application firewalls, regular backups, or routine security audits.

🏢 About the developer

Built and maintained by Kishan Savaliya (https://kishansavaliya.com). Builds high-quality, security-focused Magento 2 extensions and themes for both Hyva and Luma storefronts.