Integration with Virusdie

Introduction

Virusdie is a security tool that helps you clean and protect your websites from malware, spam-bots, etc. (in PHP, JS, HTML files and system files).

Virusdie is supported starting from ISPmanager 5.79.0 .

This article walks you through the steps you need to perform to integrate ISPmanager 5 with the anti-virus system. You can learn more about Virusdie itself here.

IMPORTANT! This plugin will work only if your server has real IP-address. If you are using NAT, this module will not work.

Official website of Virusdie.

Virusdie integration page on ISPmanager website.

Order

You can purchase a plug-in as described in the article.

Note: if you run ISPmanager Business, you need to purchase a license for every web-node.

Setup and integration

Navigate to "Integration" ⇾ "Modules" and click the "Install" button.

The configuration form will open automatically. Click "Ок" to install the antivirus system on the server.

During the installation process, your server's IP address will be passed to the billing system, and information about Virusdie key will be updated in the ISPmanager license. After the license key is obtained, ISPmanager will download the installation package of the antivirus system. The archive is uploaded into the /usr/local/vdserver/ directory, the license key is added into the Virusdie /usr/local/vdserver/config.json configuration file (it is used by anti-virus scanner to download updates).

Attention! ISPmanager IP address should match the IP, from which request for VirusDie is sent.

After you have successfully deployed Virusdie on the server, a new module will be available in the interface menu ("Tools" ⇾ "Virusdie"). In the table, you'll see all users on the server. You can grant or deny access to Virusdie settings for users with "On" and "Off" buttons.

In order to configure Virusdie, navigate to "Tools" ⇾ "Virusdie" ⇾ "Virusdie settings", where you can enter a license key, delete Virusdie from the server, and set the limit on the antivirus report size, which will be processed by the control panel (see below).

On this form the administrator can perform the following operations:

• find out a licensing key
• find out the current and the latest version
• specify the number of concurrent threads during the check
• select options for scanning archives and disable the filter by file extensions (by default Virusdie scan the following extensions: htm, html, php, phps, phtml, js, pl, perl, asp, aspx, inc, tpl, class, htaccess, svg, png, gif, jpg, jpeg, ico, tif, tiff, bmp, tga)
• delete Virusdie from the server
• specify the maximum size of anti-virus report that the control panel can handle.

The anti-virus scanning can be activated manually by admin or user or will run automatically on a daily basis (every night). Once completed, a new report will be generated. You will be able to view that report in the control panel.

User access

With Virusdie installed on the server, a control panel's administrator will be able to restrict access to Virusdie for his users.

Navigate to "Users" ⇾ "Edit" ⇾ the "Access" tab.

Select the following check boxes:

• Anti-virus scanning (Virusdie) — enable automatic anti-virus scanning on a daily basis (every night);
• Allow access to Virusdie — a user will be able to view anti-virus scanning reports, and run anti-virus scanning manually.

You can also manage these settings in "Tools" ⇾ "Virusdie".

Anti-virus scanning configuration

Administrator and user have different management tools to configure anti-virus scanning.

In order to change the settings, navigate to "Tools" ⇾ "Virusdie" ⇾ "Parameters".

If the anti-virus tool detected an infected file, Virusdie can disinfect it. You can select the following options:

• Disinfect automatically — disinfect the selected file;
• Delete files — delete the infected file, if required (if this option is not selected, the file will be added into the report, and won't be deleted).

On this form you can also specify the following parameters:

• The maximum number of reports to keep
• The maximum file size during scanning — the system will check files which size is less than the value specified in this field.
• File modification date -the system will check the files after the specified date.

The options set by the administrator selects in this form will be applied when he starts anti-virus scanning manually, or when automatic scanning starts every day. The options set by the user will be applied only for anti-virus checks that the user run manually.

In the "Save reports" field the administrator can set the maximum number of check reports that will be saved for the selected user. If the limit is reached for that user, the oldest report will be deleted before saving a new one.

Excluding files from anti-virus scanning

Administrator and users can select files and directories that won't be checked by the anti-virus tool.

Navigate to "Tools" ⇾ "Virusdie" ⇾ "Exclude"

Virus searching algorithm

1. Information about a report in added into the virusdie_reports table of ISPmanager database;
2. The virusdie directory is checked in the user's home directory;
3. In the virusdie directory in the user's home directory antivirus creates the excludes.txt file with a list of files that will be excluded (directories have the "/" symbols at the end) is created;
4. A background task with required parameters for anti-virus scanning is started (the /usr/local/mgr5/var/virusdie/runvdscan.sh script);
5. A periodic task is started every minute to collect information about reports:
   1. If the anti-virus background task is already running for that user, reports are skipped;
   2. If the background task is not running, a report file is checked (the /virusdie user directory):
      • If the report file is not present, report information is uploaded into the control panel's database, and the threats file (scan.json) is copied from the report archive into the /usr/local/mgr5/var/virusdie/username/ directory;
      • If the report file is not present, the report is marked suspicious;
      • If the report file is not present, and the report is marked suspicious (the second report check), the report will be deleted;
6. The report that was successfully checked, is shown in the list of reports.

If the scan.json or stat.json file in the report archive, exceed the size specified in the "Maximum report size" parameter of the Virusdie configuration form, the report won't be uploaded into the control panel, but the report file will be available in the directory (the /virusdie user home directory).

Database update

Virusdie database is located on Virusdie servers, and get updated once in 24 hours. Updates will be checked every time the scanning process starts.

Logs

The scanning tool doesn't have logs.

License information update

If the Virusdie license key is changed, you need to log in to ISPmanager-> Modules-> Virusdie settings, and renew information about your Virusdie license.

Scheduled user check

Starting from ISPmanager 5 5.85.0 you can take advantage of additional configuration for scheduled anti-virus scanning.

You can set the maximum number of simultaneous checks and priority.

Trial version

In ISPmanager 5 Lite 5.101.0 and later users can install a trial version of Virusdie.

Important notes

• you need to have an active ISPmanager license
• Only one check per month
• The check should be run with Admin permissions
• The anti-virus tool will check /var/www
• Administrators cannot enable/disable access to the tool for their users
• The tool does not allow cure/delete/view infected files

Upgrade to a commercial version

In order to upgrade to a commercial version, you need to order Virusdie for your ISPmanager.

• If you order Virusdie by clicking the "Buy" button in Integration->Modules, you will be redirected to a commercial license of Virusdie, if at that moment the license already contains information about Virusdie.

• If you access the billing system in some other way, you will see the following notification on the Virusdie form when you are allowed to upgrade to the full version

Clicking Details will redirect you to the above form for conversion.

Email notifications

ISPmanager 5 Lite and ISPmanager 5 Business starting from 5.106.0 can send Virusdie scanning reports

Configuration

Log in to ISPmanager as admin, navigate to the Virusdie configuration form, and select "email notifications".

Notifications are activated for administrator and every user. To enable notifications for the administrator, select Administrator notifications and enter the following information:

• email to send notifications
• period to send reports

If email notifications were not configured on the server, you will be first redirected to the corresponding form.

Every user who can use Virusdie can set up email notifications that will be sent after anti-virus scanning.

Sending reports

Users who activated notifications will receive reports after every anti-virus scanning.

At a specified period the system will check whether new anti-virus scanning reports are generated for the administrator.

If new reports are generated, the system will group them into a single report containing the information about the number of scanned users and total threats.

Trial license

To be able to use Virusdie trial, you must have a commercial license for ISPmanager. Virusdie trial cannot be activated for ISPmanager trial.

Suspicious files

Starting from version 5.151.0 you can send file suspicious signatures to Virusdie.

Most modern anti-viruses and vulnerability scanners use «syntax» signatures taken directly from the virus file body or network package. To improve the antivirus you can upload files and specify their types as False-negative or False-positive.

If the anti-virus scanning detected the file as a virus, but it is not, you need to select "False-positive".

If the anti-virus scanning detected the file as secure, but it is not, you need to select "False-negative".

Interface

Open the Virusdie form as admin or user and click the "Signatures" button to open a list of sent signatures.

Send

To send a file for the check, click the "Upload" button.

This mechanism allows sending only those files that are located in users' home directories.

You can also send signatures from the File manager. To do so, select one or several files and click the "Signature" button. Administrators can send files only in ISPmanager Lite.

The last way to send a file is from Virusdie scanning report. In the list of found threats, you need to select the file that was marked as malicious by mistake and click the "Signature" button.

Update

Clicking Update will request statuses of the sent files and set actual statuses for requests.

The system sends the signatures to the Virusdie server. Team Virusdie change and create rules for finding and curing threads. Team Virusdie reserve the right to handle them as they want and ignore some of them. In that case, the signature status will change into "File ignored". If the file was processed and a new rule was created based on that file, the signature status will change into "Procedure completed".

Please note: you can delete the request that has just been processed.