Malware scanning

The WAF and Patchstack stop attacks at the edge. Malware scanning is the backstop for anything that gets past them and lands on disk — a malicious upload, a backdoored plugin, an injected file from a compromise that predates your migration. Every site is scanned with ClamAV, both on a schedule and whenever you trigger a scan yourself, and detections drive a clean recovery loop.

Scanning isn’t just an alert — it’s a path back to a known-good state:

  1. Detect. A scheduled or on-demand scan compares your files against the ClamAV signature database and flags matches.

  2. Quarantine. A detected file is isolated so it can’t execute or serve, while the original is preserved for inspection.

  3. Inspect. You review what was found — which file, which signature — in the site’s Security tab, and decide whether it’s a true positive.

  4. Restore clean. Roll the environment back to a snapshot taken before the infection, then re-scan to confirm it’s clean.

Scheduled scans run automatically. To check a site immediately — after a migration, a suspicious report, or installing something from outside the official directory — trigger an on-demand scan:

Open the site, go to the Security tab, and choose Run scan. Progress and the result appear inline; any detections are listed with the file path and the matched signature.

The Security tab in the app.managed.dev dashboard with the malware-scanning panel: a “Run scan” button, the timestamp of the last scheduled scan, and a results list showing one quarantined file with its path and the ClamAV signature name.

A detection is recorded as a security event and shown in the site’s Security tab. For real-time response, two webhook events fire so you can wire scanning into your own tooling:

| Event | Fires when | Scope |
| --- | --- | --- |
| malware.detected | ClamAV flags one or more files on a site | security:read |
| security.site_hacked | A compromise is confirmed (e.g. detections plus other signals) | security:read |

Subscribe to these on a webhook endpoint to alert your team in Slack or PagerDuty the moment something is found, instead of waiting for someone to open the dashboard. Webhook deliveries are HMAC-signed — see signatures.
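As an added example (not managed.dev's own code, and not its documented payload format), a minimal receiver that checks the HMAC on a delivery before parsing it and turns a malware.detected event into an alert line for Slack or PagerDuty. The header name X-Signature, hex-encoded HMAC-SHA256 over the raw body, and the payload field names are assumptions; the real scheme is in the signatures documentation.

```python
import hashlib
import hmac
import json

# Assumed scheme (check the "signatures" docs and adjust): hex-encoded
# HMAC-SHA256 over the raw request body, delivered in an X-Signature header.
SIGNATURE_HEADER = "X-Signature"
WEBHOOK_SECRET = b"constructed-example-secret"  # constructed, not a real secret


def verify_signature(secret: bytes, raw_body: bytes, header_value: str) -> bool:
    """Recompute the HMAC over the raw body and compare in constant time."""
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_value or "")


def handle_event(payload: dict):
    """Map a malware.detected / security.site_hacked event to an alert line.
    Field names (event, site, detections[].path/.signature) are assumptions;
    returns None for events that need no alert."""
    event, site = payload.get("event"), payload.get("site", "<unknown site>")
    if event == "malware.detected":
        hits = payload.get("detections", [])
        files = "; ".join(f"{d['path']} ({d['signature']})" for d in hits)
        return f"[malware.detected] {site}: {len(hits)} file(s) quarantined: {files}"
    if event == "security.site_hacked":
        return f"[security.site_hacked] {site}: compromise confirmed, restore from snapshot"
    return None


def receive(headers: dict, raw_body: bytes, secret: bytes = WEBHOOK_SECRET):
    """Reject unsigned or tampered deliveries before the JSON is even parsed."""
    if not verify_signature(secret, raw_body, headers.get(SIGNATURE_HEADER, "")):
        raise PermissionError("webhook signature mismatch")
    return handle_event(json.loads(raw_body))


# Constructed sample delivery (site, path and signature name are made up),
# signed with the example secret so receive() accepts it.
SAMPLE_BODY = json.dumps({
    "event": "malware.detected",
    "site": "example-site.test",
    "detections": [{"path": "wp-content/uploads/2024/image.php",
                    "signature": "Php.Trojan.Example-0"}],
}).encode()
SAMPLE_HEADERS = {
    SIGNATURE_HEADER: hmac.new(WEBHOOK_SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()
}
```

Point your webhook endpoint's handler at receive() with the request headers and the raw body bytes; a body that has been re-serialised by a framework will not verify.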

When a scan flags a file:

  1. Confirm it’s real. Check the path and signature. Files in wp-content/uploads running as PHP, or unfamiliar files at the web root, are classic indicators.
  2. Restore clean. Roll back to a snapshot from before the infection — the fastest reliable fix, since it replaces files and database in one step.
  3. Re-scan to confirm the environment is clean.
  4. Close the entry point. Update or remove the vulnerable plugin/theme, rotate any exposed secrets, and confirm Patchstack and the WAF are blocking the vector going forward.