Malware scanning
The WAF and Patchstack stop attacks at the edge. Malware scanning is the backstop for anything that gets past them and lands on disk — a malicious upload, a backdoored plugin, an injected file from a compromise that predates your migration. Every site is scanned with ClamAV, both on a schedule and whenever you trigger a scan yourself, and detections drive a clean recovery loop.
The closed loop
Scanning isn’t just an alert — it’s a path back to a known-good state:
- Detect. A scheduled or on-demand scan compares your files against the ClamAV signature database and flags matches.
- Quarantine. A detected file is isolated so it can’t execute or serve, while the original is preserved for inspection.
- Inspect. You review what was found — which file, which signature — in the site’s Security tab, and decide whether it’s a true positive.
- Restore clean. Roll the environment back to a snapshot taken before the infection, then re-scan to confirm it’s clean.
Running a scan
Scheduled scans run automatically. To check a site immediately — after a migration, a suspicious report, or installing something from outside the official directory — trigger an on-demand scan:
Open the site, go to the Security tab, and choose Run scan. Progress and the result appear inline; any detections are listed with the file path and the matched signature.
Trigger a scan through the public API. Scanning is a non-instant operation, so it returns a job you can poll or stream.
```
curl -X POST https://api.managed.dev/v1/sites/site_01J7.../security/scans \
  -H "Authorization: Bearer mfs_live_..." \
  -H "Idempotency-Key: scan-2026-06-24-northwind" \
  -H "Forge-Version: 2026-06-23"
```
The call returns 202 Accepted with a job; follow its links.stream for live progress. See the security resource reference for the response shape and required scope.
How detections surface
A detection is recorded as a security event and shown in the site’s Security tab. For real-time response, two webhook events fire so you can wire scanning into your own tooling:
| Event | Fires when | Scope |
|---|---|---|
| `malware.detected` | ClamAV flags one or more files on a site | `security:read` |
| `security.site_hacked` | A compromise is confirmed (e.g. detections plus other signals) | `security:read` |
Subscribe to these on a webhook endpoint to alert your team in Slack or PagerDuty the moment something is found, instead of waiting for someone to open the dashboard. Webhook deliveries are HMAC-signed — see signatures.
Remediation
When a scan flags a file:
- Confirm it’s real. Check the path and signature. Files in wp-content/uploads running as PHP, or unfamiliar files at the web root, are classic indicators.
- Restore clean. Roll back to a snapshot from before the infection — the fastest reliable fix, since it replaces files and database in one step.
- Re-scan to confirm the environment is clean.
- Close the entry point. Update or remove the vulnerable plugin/theme, rotate any exposed secrets, and confirm Patchstack and the WAF are blocking the vector going forward.
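
A path-based first pass over a scan's detections for the two indicators named in the "Confirm it's real" step, added here as an illustration and not part of the platform's own tooling. The detection list, the signature names and the `classify`/`triage` helpers are constructed, and the suffix set is an assumption about which extensions the server hands to PHP.

```python
from pathlib import PurePosixPath

# Files a stock WordPress install places at the web root.
CORE_ROOT_FILES = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
    "license.txt", "readme.html", ".htaccess",
}
# Assumption: extensions the server maps to the PHP handler (depends on its config).
PHP_SUFFIXES = {".php", ".phtml", ".phar", ".php5", ".php7"}


def classify(path: str) -> str:
    """Return the path indicator a detection matches, or 'review' if none."""
    # Normalise separators; PurePosixPath drops "./", the root "/" is filtered out.
    parts = [x for x in PurePosixPath(path.replace("\\", "/")).parts if x != "/"]
    if not parts:
        return "review"
    name = parts[-1]
    # Check every suffix, case-insensitively, so logo.PHP.jpg is flagged too.
    php_like = any(s.lower() in PHP_SUFFIXES for s in PurePosixPath(name).suffixes)
    if parts[:2] == ["wp-content", "uploads"] and php_like:
        return "php-in-uploads"
    if len(parts) == 1 and name not in CORE_ROOT_FILES:
        return "unfamiliar-root-file"
    # No path indicator: the signature and file contents still need inspection.
    return "review"


def triage(detections):
    """Order (path, signature) pairs so the classic indicators come first."""
    order = {"php-in-uploads": 0, "unfamiliar-root-file": 1, "review": 2}
    rows = [(classify(path), path, sig) for path, sig in detections]
    return sorted(rows, key=lambda row: order[row[0]])  # stable within a label


# Constructed sample detections; paths and signature names are illustrative only.
SAMPLE = [
    ("wp-content/plugins/example-plugin/inc/helper.php", "Constructed.Signature-1"),
    ("./wp-login.php", "Constructed.Signature-2"),
    ("/x7f3.php", "Constructed.Signature-3"),
    ("wp-content/uploads/2026/06/logo.PHP.jpg", "Constructed.Signature-4"),
]

if __name__ == "__main__":
    for label, path, sig in triage(SAMPLE):
        print(f"{label:22} {path}  [{sig}]")
```

A `review` label only means the path itself is unremarkable; a detection inside a core file such as `wp-login.php` still has to be checked against the matched signature.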