I want to introduce a malware scanner that really convinced me: ISPProtect Web Scanner.
The scanner is designed for the monitoring of web pages and is distributed by the company ISPConfig UG, which also develops the OpenSource-Project ISPConfig.
The different licenses are based on the desired use (only one server or a certain number of scans), and they are quite appropriate. The annual license for one server is available for 82.80 EUR, 50 scans can be purchased for 35.00 EUR (excl. Tax).
I would like to point out that I have nothing to do with this project. I’m just a happy user.
The results are far better than eg., a scan with clamav or maldetect. As with other scanner is also true that not every as infected classified file is actually malware. But I have not seen a false-positive more in the last months.
Unlike other products ISPProtect Web Scanner searches not only for malware but is also capable of outdated CMS and some of the associated plugins and themes. Currently versions for the following programs are checked: WordPress, Joomla, Drupal, MediaWiki, Contao, Magento eCommerce, Woltlab Burning Board, CMS made simple, PhpMyAdmin, Typo3, and Roundcube.
Depending on the license ISPProtect Webscan can be used on own server to scan websites as well as on customer servers. I use the scanner on my servers as well as on customer servers that occur problems with malware (usually goes with tons of emails associated). Due do the two different scan cycles of ISPProtect Web Scanner, this tool can be used in principle also for the complete scan of the server. but I think this is the intended use.
The default values in a scan-call are quite reasonable. If mails are stored below the web directories that should be excluded as the data directory of OwnCloud. ndividual directories or files can be excluded with --exclude="*.jpg" --exclude="**/sess/*_abcde". Instead of working with excludes, you can also define the max. size with --max-scansize=. Whether you effectively have to also scan logs, is another question. But even that is controllable by –exclude.
After a scan results can be sent to one or more email-addresses. But you can also query the exit code from a script and then react individually. The exit codes are:
1 = Malware,
2 = Versionen
4 = Plugins
or combinations thereof.
Reference is made here to the self-explanatory documentation.