ImunifyAV Free
1. Overview
ImunifyAV Free is a malware scanner for Linux servers designed to detect malware commonly found in web environments, especially WordPress. It is developed by CloudLinux and optimized for web hosting security. Unlike ClamAV (a generic antivirus), ImunifyAV Free is better at detecting PHP malware such as backdoors, shells, and script injections.
ImunifyAV Free is suitable for:
- Self-hosted WordPress VPS setups
- Servers using OpenLiteSpeed, NGINX, or Apache
- Security administrators needing periodic malware checks
Why ImunifyAV Free Matters for WordPress VPS Security
WordPress is frequently targeted by malware due to:
- Vulnerable or outdated plugins/themes
- Nulled plugin/theme infections
- Backdoor PHP shells after breaches
- File injection from insecure uploads
- Weak file permissions on shared users
ImunifyAV Free:
- Detects hidden malware inside .php, .js, .ico, .html
- Scans core WordPress structure for changes
- Helps prevent distributed malware environments
- Detects backdoors like wsoshell, b374k, r57, c99
Key Features (Free Version Only)
| Feature | ImunifyAV Free Support | Notes |
|---|---|---|
| Malware scan | Yes | Detect infected files |
| Web malware focus | Yes | PHP malware signatures |
| WordPress support | Yes | Ideal for wp-content threats |
| Control panel UI | Yes | Browser access at port 8080 |
| Malware cleanup | No | Only available in paid version |
| Real-time protection | No | Manual/cron-based only |
| Server firewall | No | Use UFW/Fail2Ban instead |
System Architecture Summary
| Component | Description |
|---|---|
| Engine | Signature + heuristic scanning |
| Malware DB | Updated cloud-based signatures |
| CLI | /usr/bin/imavscan |
| Panel | Optional web UI console |
| Logs | /var/imunifyav/ |
| Operation Mode | Manual + cron scheduling |
System Requirements
| Requirement | Recommended |
|---|---|
| OS | Ubuntu 20.04 / 22.04 / 24.04 |
| User | Root / sudo required |
| Web server | OpenLiteSpeed, NGINX, or Apache |
| RAM | 1 GB minimum |
| Disk | Enough for malware quarantine and logs |
Installation (Ubuntu – VPS without control panel)
Run as root or with sudo:
wget https://repo.imunify360.cloudlinux.com/defence360/imav-deploy.sh -O imav-deploy.sh
bash imav-deploy.sh
Verify Installation
Check version:
imunify-antivirus --version
Expected output example:
ImunifyAV v7.x Free Edition
Check binary availability:
which imunify-antivirus
Enable Command Aliases (Optional for speed)
Add this to ~/.bashrc for faster CLI usage:
alias imav='imunify-antivirus'
alias imscan='imunify-antivirus malware on-demand start'
Activate alias:
source ~/.bashrc
Command Structure Overview
ImunifyAV Free provides a command-line interface suitable for VPS automation and malware inspection. The primary scan operation is triggered via malware on-demand commands.
General scan syntax:
imunify-antivirus malware on-demand start <path>
Check scan results:
imunify-antivirus malware malicious list
Core CLI Commands
| Purpose | Command |
|---|---|
| Scan entire system (slow, not recommended) | imunify-antivirus malware on-demand start / |
| Scan home directory users | imunify-antivirus malware on-demand start /home |
| Scan specific WordPress site | imunify-antivirus malware on-demand start /home/user/public_html |
| List detected malware | imunify-antivirus malware malicious list |
| Remove detection report | imunify-antivirus malware malicious delete --id <ID> |
| Get scan history | imunify-antivirus malware on-demand history |
| Show scan status | imunify-antivirus malware on-demand status |
Understanding Scan Reports
Sample command:
imunify-antivirus malware malicious list
Expected output example:
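+----+-------------------------------------------------------+-----------+
| ID | Path                                                  | Status    |
+----+-------------------------------------------------------+-----------+
| 42 | /home/site1/public_html/wp-includes/random.php        | MALICIOUS |
| 43 | /home/site1/public_html/wp-content/uploads/.cache.php | MALICIOUS |
+----+-------------------------------------------------------+-----------+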
Meaning:
- ID → reference ID for malware action
- Path → infected file location
- Status → always detection-only in free version
VPS Directory Structure for WordPress Scanning
On self-hosted VPS, WordPress is usually located under:
/home/<user>/public_html/
/var/www/<domain>/
/srv/www/<domain>/
Recommended scan targets:
| Folder | Reason |
|---|---|
| public_html | Primary WordPress folder |
| wp-content/uploads | Most exploited folder |
| wp-content/plugins | Unsafe plugin malware |
| wp-content/themes | Backdoor injection point |
| Root PHP files | Threat risk |
WordPress Targeted Scan Examples
Scan a single site
imunify-antivirus malware on-demand start /home/site1/public_html
Scan uploads folder only
imunify-antivirus malware on-demand start /home/site1/public_html/wp-content/uploads
Scan multiple websites
for d in /home/*/public_html; do
imunify-antivirus malware on-demand start "$d"
done
Faster scanning with parallelization (GNU parallel installed)
ls -d /home/*/public_html | parallel -j 3 imunify-antivirus malware on-demand start {}
WordPress Malware Types Detected by ImunifyAV Free
| Malware Type | Detection Example |
|---|---|
| PHP backdoor | eval(gzinflate(base64_decode(... |
| Silent uploader | .ico or .php disguised |
| Web shells | r57.php, wsoshell.php, c99.php |
| Timthumb exploit | timthumb.php malware variant |
| Injected malware in core | Modified wp-config.php |
| JS injection | trojan.js injections |
Viewing Detected Malware
After running scans, view malware detections using:
imunify-antivirus malware malicious list
Useful flags:
| Option | Description |
|---|---|
| --limit <number> | Show limited number of results |
| --path <folder> | Filter by directory |
| --status | Show only "MALICIOUS" |
Example – filter WordPress malware:
imunify-antivirus malware malicious list --path /home/site1/public_html
Get Detailed Malware File Info
To inspect attributes:
imunify-antivirus malware malicious info --id <ID>
Example:
imunify-antivirus malware malicious info --id 42
Expected output:
ID: 42
Path: /home/site1/public_html/wp-includes/random.php
Reason: Detected as PHP.Backdoor.A
Severity: HIGH
File Inspection Commands (Important)
Before deleting anything, always inspect file content:
sed -n '1,100p' /home/site1/public_html/wp-includes/random.php
Or using grep to detect obfuscation:
grep -E "base64|eval|gzinflate|str_rot13|shell_exec" -n <file>
Example:
grep -E "base64|eval" -n /home/site1/public_html/wp-includes/random.php
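The same inspection applied to a whole directory, as an added example that is not part of ImunifyAV or the original page: it counts the page's grep markers per file and also measures the longest line, since packed payloads tend to sit on one very long line. The 1000-character threshold, the function names and the sample files are assumptions of this example.

```sh
#!/bin/sh
# Added example: rank PHP files by obfuscation markers before reading them by hand.
# MARKERS is the grep pattern from this page; the 1000-character line
# threshold is an assumption of this example.
MARKERS='base64|eval|gzinflate|str_rot13|shell_exec'

# triage_file FILE -> "<marker_hits> <longest_line_length> <file>"
triage_file() {
    hits=$(grep -E -o "$MARKERS" "$1" | wc -l | tr -d ' ')
    longest=$(awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }' "$1")
    printf '%s %s %s\n' "$hits" "$longest" "$1"
}

# triage_dir DIR -> suspicious .php files only, most marker hits first
triage_dir() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        triage_file "$f"
    done | awk '$1 > 0 || $2 > 1000' | sort -rn
}

# make_sample DIR -> two constructed files: one clean, one with the
# eval(gzinflate(base64_decode(...))) wrapper around an inert placeholder
make_sample() {
    mkdir -p "$1/wp-includes"
    printf '%s\n' '<?php' 'function greet($n) { return "Hello " . $n; }' \
        > "$1/wp-includes/clean.php"
    printf '%s\n' '<?php eval(gzinflate(base64_decode("CONSTRUCTED_PLACEHOLDER")));' \
        > "$1/wp-includes/random.php"
}

demo=$(mktemp -d)
make_sample "$demo"
triage_dir "$demo"      # prints one line, for random.php, with 3 marker hits
rm -rf "$demo"
```

Legitimate plugins also call base64_decode and eval, so a hit is a reason to read the file, not a verdict.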
Manual Malware Cleanup Strategy (Free Version)
ImunifyAV Free does not clean malware automatically. Use this method:
| Action | Command |
|---|---|
| Backup infected file | cp <file> <file>.backup |
| Empty file content | : > <file> |
| Delete file safely | rm <file> |
| Replace with clean WP version | Download fresh WordPress core |
| Restore backup if safe | mv <file>.backup <file> |
Example:
cp random.php random.php.backup
rm random.php
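A variant of the backup-then-delete step, as an added example that is not from the original page or from ImunifyAV: the flagged file is moved out of the web root, so no .backup copy stays reachable over HTTP, and its hash and original path are recorded for a later restore or report. QUARANTINE_DIR, the manifest layout and both function names are assumptions of this example.

```sh
#!/bin/sh
# Added example: quarantine a flagged file outside the web root instead of
# leaving a .backup copy next to it. QUARANTINE_DIR and the manifest layout
# are assumptions of this example.
QUARANTINE_DIR=${QUARANTINE_DIR:-/root/quarantine}

# quarantine_file FILE -> moves FILE into QUARANTINE_DIR and prints the new path
quarantine_file() {
    src=$1
    [ -f "$src" ] || { echo "not a regular file: $src" >&2; return 1; }
    mkdir -p "$QUARANTINE_DIR" || return 1
    chmod 700 "$QUARANTINE_DIR" || return 1
    sum=$(sha256sum "$src" | cut -d' ' -f1)
    dest="$QUARANTINE_DIR/$sum.quarantined"
    # Manifest columns: sha256, mode and uid:gid, UTC time, original path
    printf '%s\t%s\t%s\t%s\n' "$sum" \
        "$(ls -ldn "$src" | awk '{ print $1, $3 ":" $4 }')" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" >> "$QUARANTINE_DIR/manifest.tsv"
    mv -- "$src" "$dest" || return 1
    chmod 000 "$dest"    # the stored copy can no longer be read or executed by accident
    printf '%s\n' "$dest"
}

# restore_file SHA256 -> puts a quarantined file back at its recorded path
# (mode 600; reapply the site's ownership and permissions afterwards)
restore_file() {
    orig=$(awk -F'\t' -v h="$1" '$1 == h { p = $4 } END { print p }' \
        "$QUARANTINE_DIR/manifest.tsv")
    [ -n "$orig" ] || { echo "hash not in manifest: $1" >&2; return 1; }
    chmod 600 "$QUARANTINE_DIR/$1.quarantined" || return 1
    mv -- "$QUARANTINE_DIR/$1.quarantined" "$orig"
}

# Usage: quarantine_file /home/site1/public_html/wp-includes/random.php
```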
Ignore False Positives (Whitelist)
If ImunifyAV flags safe files (rare but possible):
imunify-antivirus malware ignore add --path <file>
Example:
imunify-antivirus malware ignore add --path /home/site1/public_html/wp-content/cache/index.php
View ignored:
imunify-antivirus malware ignore list
Malware Report Export
Generate a JSON report:
imunify-antivirus malware malicious list --json > report.json
Send report to security team or log:
cat report.json
Log Locations
| Log Path | Description |
|---|---|
| /var/log/imunify360/av.log | Antivirus activity log |
| /var/imunifyav/history/ | Scan history |
| /var/imunifyav/ | ImunifyAV main directory |
Check latest log entries:
tail -n 50 /var/log/imunify360/av.log
Real-World Workflow for WordPress Malware Response
Below is a practical incident handling workflow when malware is detected on a WordPress VPS.
| Step | Action | Command |
|---|---|---|
| 1 | List malware | imunify-antivirus malware malicious list |
| 2 | Inspect file | grep -n "base64" <file> |
| 3 | Backup infected file | cp <file> <file>.bak |
| 4 | Remove malware file | rm <file> |
| 5 | Restore clean core file (if core WP) | wp core download --force |
| 6 | Re-scan site | imunify-antivirus malware on-demand start <path> |
Full Single-Site Cleanup Example
# Scan a WordPress site
imunify-antivirus malware on-demand start /home/site1/public_html
# Review malware
imunify-antivirus malware malicious list --path /home/site1/public_html
# Inspect a suspicious file
grep -n "eval" /home/site1/public_html/wp-config.php
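# Backup then delete (run from the site root so the relative paths resolve)
cd /home/site1/public_html
cp wp-config.php wp-config.php.bak
rm wp-config.php
# Restore core files from a clean source
wp core download --force --skip-content
# wp core download does not recreate wp-config.php; rebuild it from a known-good copy before bringing the site back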
Scan All WordPress Sites on VPS Automatically
Works if multiple sites are inside /home/*/public_html:
for site in /home/*/public_html; do
echo "Scanning $site ..."
imunify-antivirus malware on-demand start "$site"
done
Automate Malware Scans with Cron (Recommended)
Daily malware scan at 2:00 AM
crontab -e
Add:
0 2 * * * imunify-antivirus malware on-demand start /home >> /var/log/imav-cron.log 2>&1
Weekly deep scan
0 3 * * 0 imunify-antivirus malware on-demand start / --skip-mask "/dev/*,/proc/*,/sys/*,/tmp/*" >> /var/log/imav-weekly.log 2>&1
Real-Time Alerting with Email (Custom Bash Hook)
Send a notification when malware is detected:
imunify-antivirus malware malicious list --json | mail -s "Malware Detected on VPS" admin@yourdomain.com
Also automate:
0 */6 * * * imunify-antivirus malware malicious list --json | mail -s "VPS Malware Report" admin@yourdomain.com
Integrate with UFW, Fail2Ban, and Cloudflare Security
Recommended layered defense:
| Layer | Tool | Purpose |
|---|---|---|
| Network | UFW | Allow only ports 22, 80, 443 |
| SSH Protection | Fail2Ban | Brute-force prevention |
| Malware Scan | ImunifyAV Free | Malware detection |
| Web Firewall (WAF) | Cloudflare | SQLi, XSS protection |
| WP Firewall | Wordfence/Shield | WP plugin security layer |
Clean PHP Sessions and Temp Files After Attack
find /tmp -type f -name "*.php" -delete
find /var/tmp -type f -name "*.php" -delete
Prevents attackers from using temporary file persistence.
WordPress VPS Malware Prevention Strategy
ImunifyAV Free is detection-only, so prevention is critical. Use it inside a layered security model:
| Layer | Tool | Purpose |
|---|---|---|
| Network | UFW Firewall | Block unused ports |
| SSH Security | Fail2Ban + SSH Hardening | Block brute-force |
| Web Firewall | Cloudflare WAF | Block SQLi/XSS/bots |
| Malware Scanner | ImunifyAV Free | Detect infections |
| File Integrity | WP-CLI + Read-only wp-config | Prevent tampering |
| Backups | Rsync/Rclone + Offsite | Rapid recovery |
Secure Linux Permissions for WordPress
Bad permissions = easy malware persistence. Use this secure baseline:
find /home/site1/public_html -type d -exec chmod 755 {} \;
find /home/site1/public_html -type f -exec chmod 644 {} \;
chmod 600 /home/site1/public_html/wp-config.php
For OpenLiteSpeed servers (run as nobody):
chown -R site1:nogroup /home/site1/public_html
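A check that the baseline above actually holds, as an added example that is not from the original page: it reports every entry that deviates from 755 / 644 / 600 so it can run after each cleanup. The function name, the finding labels and the sample tree are assumptions of this example.

```sh
#!/bin/sh
# Added example: report files that deviate from the 755 / 644 / 600 baseline.
# The labels WRITABLE, EXECUTABLE and WPCONFIG are this example's own naming.

# audit_perms DOCROOT -> prints one finding per line, returns 1 if any were found
audit_perms() {
    root=$1
    findings=$(
        # Group- or world-writable entries let another local account plant code
        find "$root" \( -type d -o -type f \) \( -perm -020 -o -perm -002 \) -print |
            sed 's/^/WRITABLE /'
        # The 644 baseline leaves no execute bit on regular files
        find "$root" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
            sed 's/^/EXECUTABLE /'
        # wp-config.php holds database credentials and must be exactly 600
        if [ -f "$root/wp-config.php" ]; then
            find "$root/wp-config.php" -prune ! -perm 600 -print | sed 's/^/WPCONFIG /'
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree: one world-writable plugin file and a 644 wp-config.php
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/plugins"
: > "$demo/index.php";     chmod 644 "$demo/index.php"
: > "$demo/wp-config.php"; chmod 644 "$demo/wp-config.php"
: > "$demo/wp-content/plugins/x.php"; chmod 666 "$demo/wp-content/plugins/x.php"
chmod 755 "$demo" "$demo/wp-content" "$demo/wp-content/plugins"
audit_perms "$demo" || echo "baseline violated"
rm -rf "$demo"
```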
Disable PHP in Uploads Folder
Attackers upload PHP shells in /uploads. Block execution:
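Apache: .htaccess inside wp-content/uploads (NGINX does not read .htaccess files and needs an equivalent location rule in its server block)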
<FilesMatch "\.php$">
Deny from all
</FilesMatch>
OpenLiteSpeed (OLS):
Add rule inside OLS WebAdmin → Virtual Host → Context:
location ^/wp-content/uploads/ {
php_admin_flag engine Off
}
Disable Dangerous PHP Functions
Edit /etc/php/*/litespeed/php.ini:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
Restart LSPHP:
systemctl restart lsws
Harden wp-config.php
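chmod 600 wp-config.php
chown root:root wp-config.php
# Mode 600 with root ownership is readable by root only; if PHP runs as another user, keep that user as owner or the site cannot load its configuration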
Block access via .htaccess (Apache/OLS):
<files wp-config.php>
order allow,deny
deny from all
</files>
Block Null Requests & Bad User Agents
Block bots that spread malware:
nano /etc/lsws/conf/httpd.conf
Add:
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
RewriteRule ^.*$ - [F,L]
Prevent Common Upload Attacks
Block double extensions (NGINX server block):
location ~* \.(php\..*|php[34567]|phtml)$ {
deny all;
}
Malware Removal Policy for Production Servers
| Action | Rule |
|---|---|
| Never delete before backup | Always create .bak copy |
| Remove all shells immediately | .ico.php, .cache.php |
| Replace modified core files quickly | Use wp core download --force |
| Lock file permissions after cleaning | Avoid re-infection |
Common Errors and Fixes
| Error Message | Cause | Fix |
|---|---|---|
| command not found: imunify-antivirus | PATH not loaded or install failed | Run bash imav-deploy.sh again |
| Permission denied | Not running as root | Use sudo |
| Scan stuck or no progress | Large directory or broken symlink | Exclude dirs: --skip-mask flag |
| Too many detections | Mass infection | Remove uploads PHP execution |
| High CPU load | Running full scan during traffic | Schedule scan during off-peak hours |
| Cannot clean malware | Free version limitation | Manual cleanup required |
Debug Scan Problems
View logs:
tail -f /var/log/imunify360/av.log
Check last 100 actions:
grep -i "scan" /var/log/imunify360/av.log | tail -n 100
Reset failed scan queue:
imunify-antivirus malware on-demand cleanup
How to Remove Stubborn Malware Files
Some malware sets immutable attributes to avoid deletion. Unlock first:
chattr -i <file>
rm -f <file>
Responding to Active Malware Attack
If malware keeps coming back:
- Disable PHP uploads immediately.
- Kill PHP backdoor sessions
pkill -f php
- Lock file writes
chattr +i wp-config.php
Emergency Clean Script (Safe)
find /home -type f -name "*.php" -mtime -1
Find newly modified files (common malware behavior).
Secure Scan + Report Workflow Script
imunify-antivirus malware on-demand start /home
imunify-antivirus malware malicious list --json > /root/malware-report.json
CLI Cheatsheet
| Task | Command |
|---|---|
| Scan folder | imav malware on-demand start <path> |
| Scan all sites | for d in /home/*/public_html; do imav malware on-demand start "$d"; done |
| List malware | imav malware malicious list |
| Malware info | imav malware malicious info --id <ID> |
| Ignore | imav malware ignore add --path <file> |
| Logs | tail -f /var/log/imunify360/av.log |
Maintenance Recommendations
| Frequency | Task |
|---|---|
| Daily | Scan uploads & plugins |
| Weekly | Full home directory scan |
| Monthly | PHP & WP hardening audit |
| Before migrate | Manual malware check |
Final Notes
ImunifyAV Free provides reliable malware detection, but requires manual cleanup. To build a secure WordPress VPS environment:
- Use UFW, Fail2Ban, and Cloudflare together
- Scan all uploaded files weekly
- Protect wp-config.php aggressively
- Avoid nulled plugins permanently
- Always backup before deleting malware