mage2kishan/module-malware-scanner

Active malware prevention + on-disk scanner for Magento 2. Three real-time guards (REST API, universal upload, custom-options) block PolyShell webshells, polyglot files and PHP-object-injection payloads BEFORE they touch disk. A nightly recursive scanner finds anything that slipped through, auto-qua

Package info

github.com/mage2sk/module-malware-scanner

Type:magento2-module

pkg:composer/mage2kishan/module-malware-scanner

Statistics

Installs: 58

Dependents: 1

Suggesters: 0

Stars: 5

Open Issues: 0

1.1.2 2026-06-18 09:36 UTC

This package is auto-updated.

Last update: 2026-06-18 09:37:03 UTC


README

Magento 2 Malware Scanner: Real-Time Upload Guards, File Scanning, and Auto-Quarantine (Hyva + Luma)

Protect your Magento 2 store from malware, webshells, and file-upload attacks. Panth Malware Scanner runs 11 inline guard plugins that block PolyShell payloads, polyglot files, and PHP injection attempts before they touch disk, then runs a nightly recursive scan of your codebase and auto-quarantines critical findings in writable upload zones.

Product page: kishansavaliya.com/magento-2-malware-scanner.html

Quick Answer

What is Panth Malware Scanner? It is a Magento 2 security extension that combines 11 real-time upload and request guards with a signature-based on-disk scanner, auto-quarantine, and email alerts, so malicious files are stopped at the framework layer and anything that slips through is caught in the next scan.

What does it add to my store?

  • 11 real-time guard plugins covering every Magento upload channel, REST API, GraphQL, and custom option uploads.
  • Signature-based recursive scanner that checks your entire Magento codebase against regex, literal, filename, and pathglob signatures.
  • Auto-quarantine for critical findings inside writable upload zones, with a two-tier removal flow (move to quarantine or hard delete).
  • Admin findings grid and blocked-request log so you can review every detection and blocked attack in one place.
  • Email notifications when a scan or guard blocks something at or above your configured severity level.

Which themes are supported? The module works on Hyva and Luma storefronts. It is a security layer with no storefront UI of its own.

What does it need? Magento 2.4.4 to 2.4.8, PHP 8.1 to 8.4, and the free mage2kishan/module-core package.

Live Proof: PolyShell Attacks Blocked on Our Own Stores

The screenshots below were captured on a production Magento 2.4.8 store running Panth Malware Scanner during the active PolyShell (APSB25-94) exploitation wave that started March 17, 2026. Every row is a real attacker request that hit the store and was shut down at the framework layer, before any webshell executed.

Panth Malware Scanner admin grid showing 807 blocked malicious requests — real PolyShell attacks against a live Magento 2.4.8 store, April 2026. Attackers targeted /media/custom_options/quote/*.php and /rest/V1/guest-carts endpoints; each request blocked with polyshell-path and base64:R0lGODlh signatures.

What you are seeing: 807 blocked malicious requests across 41 pages. Attackers probed /media/custom_options/quote/*.php, POST bodies starting with <?php, and base64 GIF-header polyglot payloads. Every one was blocked at the controller layer before the payload reached disk.

Blocked Malicious Requests admin grid — 286 records showing PolyShell polyglot payload attempts against /media/custom_options/quote/, suspicious customer_attribute uploads to /tmp/php*, and base64-encoded webshell uploads via the REST API.

Earlier snapshot — 286 blocked requests. Same attack shapes: PolyShell polyglot uploads, REST API base64 webshell uploads, customer attribute tmpfile abuse. Each match records the source IP, exact URI, matched signature rule, and severity.

Need Custom Magento 2 Development?

Get a free quote for your project in 24 hours for custom modules, security hardening, malware removal, Hyva themes, performance work, and Adobe Commerce Cloud.

Get a Free Quote

Kishan Savaliya

Top Rated Plus on Upwork

Hire on Upwork

100% Job Success • 10+ Years Magento Experience • Adobe Certified • Security Specialist

Panth Infotech Agency

Magento Development Team

Visit Agency

Malware Removal • Security Audits • Hardening • Performance • SEO • Adobe Commerce Cloud

Visit our website: kishansavaliya.com  |  Get a quote: kishansavaliya.com/get-quote

Who Is It For

  • Store owners who were attacked and need to clean up, lock down uploads, and get ongoing monitoring so it does not happen again.
  • Agencies managing multiple Magento sites that need a single extension to cover upload guards, cron scanning, and email alerts across all stores.
  • Security-conscious developers who want code-level evidence that every upload channel is guarded before a store goes live.
  • Merchants on Magento 2.4.4 to 2.4.8 running Hyva or Luma who want protection against PolyShell (APSB25-94), Magecart skimmers, and eval-based backdoors without a third-party WAF.
  • DevOps teams that run CI pipelines and want a CLI command (bin/magento panth:malware:scan) they can wire into a deploy gate or daily health check.

Key Features

Real-Time Upload and Request Guards

  • 11 inline guard plugins registered via DI, active on every request while the module is enabled.
  • Universal upload guard hooking Magento\Framework\File\Uploader so every upload channel (WYSIWYG, product image, swatch, theme, customer, import) is covered in one place.
  • REST API guard scanning POST/PUT/PATCH bodies for raw and base64-encoded IOC needles.
  • GraphQL guard scanning mutation bodies and variable JSON.
  • Custom option guard blocking polyglot files at the product custom-option validator before they move to pub/media.
  • Cart custom option guard scanning file_content / base64_encoded_data keys at add-to-cart time (the primary PolyShell entry point).
  • Customer file guard and customer attribute guard covering customer address and customer attribute uploads with both content inspection and a configurable extension allowlist.
  • Image content guard enforcing a strict extension allowlist on admin catalog image uploads.
  • Media path guard and frontend path guard returning bare 404 responses when PHP/PHTML extensions are requested inside writable media directories or known PolyShell victim paths.
  • Webapi file guard catching REST service-contract uploads routed through the Webapi-specific uploader class.
  • Every blocked request is logged to the panth_malware_blocked_request table with source IP, user agent, matched signature, payload SHA-256, and a 500-character excerpt.

Signature-Based Filesystem Scanner

  • Four signature types: regex patterns, literal byte sequences, suspicious filenames, and pathglob matchers.
  • Curated signature catalog covering PolyShell webshells, polyglot files (image header + <?php), eval-based backdoors, PHP object-injection payloads, cryptominers, and known Magecart skimmers.
  • Built-in vendor allowlist for 28 known-clean dev/test packages (PHPUnit, PHPStan, Rector, Symfony polyfills, Composer internals, Magento test fixtures) so legitimate dependencies never produce false positives.
  • Configurable scan paths, exclude paths, and file size limit so you can focus scans and avoid noise directories.
  • First-seen and last-seen tracking for every finding aids incident response.

Automatic Quarantine

  • Zero-touch containment: critical findings inside writable upload zones (pub/media, var/import, var/export, var/tmp, var/importexport) are moved to var/panth_malware_quarantine/ automatically on every scan.
  • Hard-coded protection: files in app/code, vendor, lib, generated, bin, setup, pub/static are flagged only and never touched automatically.
  • Two-tier removal from the admin grid: Quarantine and Delete (move to quarantine folder, preserve for review) or Delete Permanently (hard unlink after confirming malicious).

Admin Dashboard and Grids

  • Scan Findings grid with severity colour coding, file path, matched signatures, status (new, quarantined, ignored), file size, first seen, and last seen.
  • Blocked Requests grid showing every guard-blocked request with source IP, URI, matched signature, severity, and payload excerpt.
  • Mass actions on the findings grid: Quarantine and Delete, Delete Permanently, and Mark as Ignored.
  • Ad-hoc scan trigger from the admin header so you can run a full scan any time.
  • In-admin Documentation and Hardening Guide covering signature syntax, quarantine operations, allowlist tuning, and nginx deny rules.

Scheduled Scans and Email Alerts

  • Cron-based scan on a configurable expression, default daily at 03:00 server time.
  • Email notifications when a scan or guard finds something at or above your configured severity threshold.
  • Multi-recipient support: send alerts to security, dev-ops, and store owner inboxes at the same time.
  • CLI command bin/magento panth:malware:scan for use in CI pipelines or manual on-demand scanning.

Extension Allowlist for Customer Uploads

  • Positive extension allowlist (default: jpg, jpeg, png, gif, webp, bmp, pdf, doc, docx, xls, xlsx) blocks arbitrary files like defacement .txt/.html, phishing pages, and stored-XSS .svg at upload time regardless of content.
  • Optional read-side janitor cron (default off) deletes already-on-disk files in pub/media/customer_address, pub/media/customer, and pub/media/custom_options whose extension is not on the allowlist.
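The allowlist check and the read-side janitor described above, and the FAQ answer on the customer upload allowlist, as an added example that is not the module's own code. It uses the README's default extension list; the sample upload tree is constructed in a temporary directory, and the janitor here only lists what would be purged rather than deleting it.

```php
<?php
declare(strict_types=1);

// Added example, not the module's own code. Positive extension check plus a
// dry-run janitor that lists on-disk files whose extension is not allowlisted.
// The allowlist is the README default; the sample tree is constructed below.

const CUSTOMER_UPLOAD_ALLOWLIST = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'bmp', 'pdf', 'doc', 'docx', 'xls', 'xlsx'];

/**
 * Positive check on the final extension only, compared case-insensitively.
 * No extension ("README", "file.") and any extension not on the list is
 * rejected, so "shell.jpg.php", "x.PhP", ".htaccess" and "page.svg" all fail.
 * A double extension ending in an allowed one ("shell.php.jpg") passes this
 * check by design; the content-inspecting guards are what catch that case.
 */
function extensionAllowed(string $filename, array $allowlist = CUSTOMER_UPLOAD_ALLOWLIST): bool
{
    $base = basename(str_replace('\\', '/', $filename));
    $dot  = strrpos($base, '.');
    if ($dot === false || $dot === strlen($base) - 1) {
        return false;
    }
    $ext = strtolower(substr($base, $dot + 1));
    return in_array($ext, array_map('strtolower', $allowlist), true);
}

/**
 * Dry-run janitor: walk $dir and return relative paths of regular files whose
 * extension is not on the allowlist. Deleting is left to the caller.
 * @return string[]
 */
function findNonAllowlisted(string $dir, array $allowlist = CUSTOMER_UPLOAD_ALLOWLIST): array
{
    $hits = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if ($file->isFile() && !extensionAllowed($file->getFilename(), $allowlist)) {
            $hits[] = substr($file->getPathname(), strlen($dir) + 1);
        }
    }
    sort($hits);
    return $hits;
}

// Constructed sample tree standing in for pub/media/customer_address.
$dir = sys_get_temp_dir() . '/customer_address-demo-' . bin2hex(random_bytes(4));
mkdir("$dir/nested", 0755, true);
foreach (['photo.jpg', 'proof.PDF', 'shell.jpg.php', 'index.html', 'logo.svg', 'nested/notes.txt', 'nested/scan.png'] as $name) {
    file_put_contents("$dir/$name", 'sample');
}

foreach (['photo.jpg', 'shell.php.jpg', 'shell.jpg.php', '.htaccess', 'file.'] as $name) {
    printf("%-15s %s\n", $name, extensionAllowed($name) ? 'allowed' : 'rejected');
}
echo "would purge: ", implode(', ', findNonAllowlisted($dir)), "\n";
```

Run it with `php allowlist_demo.php`; the janitor output should list only index.html, logo.svg, nested/notes.txt and shell.jpg.php, while proof.PDF survives because the comparison is case-insensitive.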

Quality and Compatibility

  • Constructor injection only throughout the module, zero ObjectManager::getInstance() calls.
  • PHP 8.1 to 8.4 compatible with strict types enabled and no deprecated API usage.
  • Fail-open guards: any internal error in a guard logs a warning and lets the request proceed, so a guard bug can never take your store offline.
  • Full Page Cache friendly since all scanning runs out of band via cron or admin action.
  • Translation ready with all admin labels using Magento's __() function.

Active Protection Layers

Guard | What it covers
Upload Guard | Every Magento upload channel via Magento\Framework\File\Uploader
REST API Guard | POST/PUT/PATCH request bodies in the webapi_rest area
GraphQL Guard | GraphQL mutation bodies and variable JSON
Custom Option Guard | Product custom-option file uploads at the validator
Cart Custom Option Guard | file_content / base64_encoded_data keys at add-to-cart time
Customer File Guard | saveTemporaryFile and moveTemporaryFile for customer address uploads
Customer Attribute Guard | Frontend upload controllers for customer attribute files
Image Content Guard | Admin catalog image uploads with strict extension allowlist
Media Path Guard | Executable extension requests in writable media dirs via pub/get.php
Frontend Path Guard | Known PolyShell victim paths at the FrontController level
Webapi File Guard | REST service-contract file uploads via the Webapi uploader class

All 11 guards are registered via etc/*/di.xml. They are always active while the module is enabled and cannot be toggled off from the admin. The Active Protections panel in Stores → Configuration is read-only and shows their status.

Signature Types

Type | Description | Example
regex | PCRE pattern matched against file contents | eval\s*\(\s*base64_decode\s*\(
literal | Exact byte sequence search | PolyShell magic header bytes
filename | Matches file basename | c99.php, r57.php, shell.php
pathglob | Glob pattern against full relative path | pub/media/*.php

Each signature has a severity (critical, high, medium, low) and a description shown in the findings grid. You can add your own signatures via etc/panth_malware_signatures.xml in a custom module.
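The four signature types from the table above, as an added example that is not the module's own scanner code. The catalog is an in-memory stand-in for the XML catalog (three entries are taken from the table, two are constructed and marked as such), the vendor allowlist prefixes are a constructed subset, and the files being scanned are constructed strings rather than a real Magento tree.

```php
<?php
declare(strict_types=1);

// Added example, not the module's own code. Implements regex, literal,
// filename and pathglob signatures over constructed files, with a prefix
// allowlist standing in for the module's vendor allowlist.

final class Signature
{
    public function __construct(
        public readonly string $type,        // regex | literal | filename | pathglob
        public readonly string $pattern,
        public readonly string $severity,    // critical | high | medium | low
        public readonly string $description,
    ) {}

    /** True when this signature matches the file at $relativePath with $contents. */
    public function matches(string $relativePath, string $contents): bool
    {
        return match ($this->type) {
            // PCRE against contents; '~' delimiter so '/' inside a pattern needs no escaping
            'regex'    => preg_match('~' . str_replace('~', '\~', $this->pattern) . '~i', $contents) === 1,
            // exact byte sequence anywhere in the contents
            'literal'  => str_contains($contents, $this->pattern),
            // basename compare, case-insensitive
            'filename' => strcasecmp(basename($relativePath), $this->pattern) === 0,
            // glob against the full relative path; '*' also crosses '/' here
            'pathglob' => fnmatch($this->pattern, $relativePath, FNM_CASEFOLD),
            default    => false,
        };
    }
}

/** @return Signature[] */
function signatureCatalog(): array
{
    return [
        // the three concrete examples from the signature table
        new Signature('regex', 'eval\s*\(\s*base64_decode\s*\(', 'critical', 'eval of base64-decoded payload'),
        new Signature('filename', 'c99.php', 'critical', 'known webshell filename'),
        new Signature('pathglob', 'pub/media/*.php', 'critical', 'PHP file inside writable media tree'),
        // constructed: image magic bytes followed anywhere later by a PHP open tag
        new Signature('regex', '^(GIF8[79]a|\xFF\xD8\xFF|\x89PNG)[\s\S]*<\?php', 'critical', 'image/PHP polyglot'),
        // constructed: base64 form of "GIF89a", the header the README shows as base64:R0lGODlh
        new Signature('literal', 'R0lGODlh', 'high', 'base64-encoded GIF header'),
    ];
}

// Constructed subset of the kind of dev/test packages the README's vendor allowlist covers.
const VENDOR_ALLOWLIST_PREFIXES = ['vendor/phpunit/', 'vendor/phpstan/', 'vendor/rector/', 'vendor/symfony/polyfill-'];

function isAllowlisted(string $relativePath): bool
{
    foreach (VENDOR_ALLOWLIST_PREFIXES as $prefix) {
        if (str_starts_with($relativePath, $prefix)) {
            return true;
        }
    }
    return false;
}

/** @return array<int, array{signature: string, severity: string}> every matching signature */
function scanContents(string $relativePath, string $contents, array $catalog): array
{
    if (isAllowlisted($relativePath)) {
        return [];
    }
    $hits = [];
    foreach ($catalog as $sig) {
        if ($sig->matches($relativePath, $contents)) {
            $hits[] = ['signature' => $sig->description, 'severity' => $sig->severity];
        }
    }
    return $hits;
}

// Constructed files: relative path => contents.
$samples = [
    'pub/media/custom_options/quote/upload.php' => "GIF89a\x01\x00<?php echo 1;",
    'pub/media/wysiwyg/c99.php'                 => "<?php echo 'placeholder';",
    'app/code/Acme/Demo/Helper/Data.php'        => "<?php\nreturn eval(base64_decode(\$blob));",
    'vendor/phpunit/phpunit/src/Fixture.php'    => "<?php eval(base64_decode('x'));", // allowlisted, skipped
    'app/code/Acme/Demo/etc/module.xml'         => '<?xml version="1.0"?><config/>',
];
foreach ($samples as $path => $contents) {
    $hits = scanContents($path, $contents, signatureCatalog());
    $text = $hits ? implode('; ', array_map(fn($h) => "{$h['severity']}: {$h['signature']}", $hits)) : 'clean';
    printf("%-45s %s\n", $path, $text);
}
```

The first sample trips both the polyglot regex and the pathglob, the second trips filename and pathglob, the helper in app/code trips only the eval regex (it is flagged, never quarantined, because app/code is a protected tree), and the PHPUnit fixture is skipped by the allowlist even though its contents would match.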

Compatibility

Requirement | Versions Supported
Magento Open Source | 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8
Adobe Commerce | 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8
Adobe Commerce Cloud | 2.4.4 to 2.4.8
PHP | 8.1.x, 8.2.x, 8.3.x, 8.4.x
MySQL | 8.0+
MariaDB | 10.4+
Hyva Theme | 1.0+ (compatible, no storefront UI)
Luma Theme | Native support
Required Dependency | mage2kishan/module-core (free)

Installation

Composer Installation (Recommended)

composer require mage2kishan/module-malware-scanner
bin/magento module:enable Panth_Core Panth_MalwareScanner
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento setup:static-content:deploy -f
bin/magento cache:flush

Manual Installation via ZIP

  1. Download the latest release from Packagist or from the product page.
  2. Extract it to app/code/Panth/MalwareScanner/ in your Magento install.
  3. Make sure Panth_Core is installed too (required dependency).
  4. Run the commands above starting from bin/magento module:enable.

Verify Installation

bin/magento module:status Panth_MalwareScanner
# Expected: Module is enabled

After install, open:

Admin → Panth Infotech → Malware Scanner

Configuration

Go to Stores → Configuration → Panth Extensions → Malware Scanner.

Setting | Group | Default | Description
Enable Module | General | Yes | Master toggle for the module. Disabling stops all guards and scans.
Max File Size to Scan (KB) | General | 2048 | Files larger than this are skipped during disk scans.
Scan Paths | General | pub/media, app/code, vendor, var, generated, lib, bin, setup, pub/static | Paths to scan, one per line, relative to Magento root.
Exclude Paths | General | var/cache, var/log, var/page_cache, generated/code | Paths to skip, one per line.
File Extensions to Scan | General | php, phtml, phar, php3-7, phps, inc, htaccess, jpg, jpeg, png, gif, svg, html, htm, js | Comma-separated list.
Enforce Extension Allowlist on Customer Uploads | General | Yes | Rejects customer-facing uploads whose extension is not on the allowlist, regardless of content.
Customer Upload Extension Allowlist | General | jpg,jpeg,png,gif,webp,bmp,pdf,doc,docx,xls,xlsx | Comma-separated. Only shown when the enforce toggle is on.
Enable Cron Scan | Scheduled Scan | Yes | Enables the nightly background scan.
Cron Expression | Scheduled Scan | 0 3 * * * | When to run the scheduled scan. Default is daily at 03:00.
Auto-Quarantine Critical Findings | Active Protection | Yes | Moves critical-severity files inside Quarantine Zones to var/panth_malware_quarantine/ automatically.
Quarantine Zones | Active Protection | pub/media, var/import, var/export, var/tmp, var/importexport | Only files in these directories can be auto-quarantined.
Purge Non-Allowlisted Customer Uploads | Active Protection | No | Optional cron that deletes existing files in customer upload dirs whose extension is not on the allowlist. Default off.
Extra Allowlist Paths | Active Protection | (empty) | Path prefixes to skip during scanning. Extends the built-in vendor allowlist.
Active Protections panel | Active Protection | (read-only) | Shows all 11 guard plugins wired through DI. Informational only.
Send Email on Detection | Email Notifications | Yes | Send an alert when a scan or guard triggers at or above the severity threshold.
Recipient Emails | Email Notifications | store owner | Comma-separated recipients, one per line.
Minimum Severity for Email | Email Notifications | high | Critical, high, medium, or low.
Sender | Email Notifications | General Contact | Which store email identity to send alerts from.

How It Works

  1. A request comes in (file upload, REST call, GraphQL mutation, add-to-cart with custom option).
  2. The relevant guard plugin inspects the payload before it reaches disk. If a match is found, the request is rejected, a log entry is written to panth_malware_blocked_request, and an HTTP error is returned.
  3. If the file reaches disk (for example a file uploaded before the module was installed), the nightly cron scanner walks the configured scan paths, checks each file against the signature catalog, and writes findings to panth_malware_scan_result.
  4. Critical findings inside Quarantine Zones are moved to var/panth_malware_quarantine/ with mode 0600.
  5. If new findings are at or above the email threshold, a notification is sent to the configured recipients.
  6. Admins review findings in the Scan Findings grid and blocked requests in the Blocked Requests grid. Mass actions let you quarantine, delete permanently, or mark as ignored.
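Steps 1 and 2 for the REST API channel, as an added example that is not the module's own guard code. It checks a request body for raw IOC needles, then for the same needles inside base64-encoded runs (the README's base64:R0lGODlh signature is this case), applies the fail-open rule, and assembles the fields the README lists for the panth_malware_blocked_request log. The needle list, the record keys and the sample add-to-cart request are constructed for this example; the request shape is not Magento's real REST schema.

```php
<?php
declare(strict_types=1);

// Added example, not the module's own code. Inline REST body guard: raw and
// base64-decoded needle scan, fail-open on internal error, and the
// blocked-request record the README describes. Needles and sample request
// are constructed.

const IOC_NEEDLES = ['<?php', 'eval(', 'base64_decode(', 'GIF89a', 'GIF87a'];

/**
 * Decode every base64-looking run in the body. Strict decoding rejects runs
 * with characters outside the alphabet; short runs are ignored to cut noise.
 * @return string[]
 */
function decodeBase64Runs(string $body): array
{
    preg_match_all('~[A-Za-z0-9+/]{16,}={0,2}~', $body, $matches);
    $decoded = [];
    foreach ($matches[0] as $run) {
        $bytes = base64_decode($run, true);
        if ($bytes !== false && $bytes !== '') {
            $decoded[] = $bytes;
        }
    }
    return $decoded;
}

/** Matched signature label ('<?php', 'base64:GIF89a', ...) or null when clean. */
function findNeedle(string $body): ?string
{
    foreach (IOC_NEEDLES as $needle) {
        if (stripos($body, $needle) !== false) {
            return $needle;
        }
    }
    foreach (decodeBase64Runs($body) as $bytes) {
        foreach (IOC_NEEDLES as $needle) {
            if (stripos($bytes, $needle) !== false) {
                return 'base64:' . $needle;
            }
        }
    }
    return null;
}

/**
 * Returns a blocked-request record when the body must be rejected, null when
 * the request may proceed. Fail-open: an internal error is logged and the
 * request is allowed, as the README states for every guard.
 * @param array{method:string, uri:string, ip:string, ua:string, body:string} $request
 */
function guardRestBody(array $request): ?array
{
    if (!in_array($request['method'], ['POST', 'PUT', 'PATCH'], true)) {
        return null;  // only bodies of writing methods are inspected
    }
    try {
        $needle = findNeedle($request['body']);
        if ($needle === null) {
            return null;
        }
        return [
            'ip'             => $request['ip'],
            'user_agent'     => $request['ua'],
            'method'         => $request['method'],
            'uri'            => $request['uri'],
            'signature'      => $needle,
            'severity'       => 'critical',
            'payload_sha256' => hash('sha256', $request['body']),
            'excerpt'        => substr($request['body'], 0, 500),  // 500-character excerpt as in the README
        ];
    } catch (\Throwable $e) {
        error_log('guard error, allowing request: ' . $e->getMessage());
        return null;
    }
}

// Constructed request: an add-to-cart body whose file_content carries a base64 image/PHP polyglot.
$polyglot  = "GIF89a\x01\x00<?php echo 1;";
$malicious = [
    'method' => 'POST', 'uri' => '/rest/V1/guest-carts/demo/items',
    'ip' => '203.0.113.10', 'ua' => 'curl/8.0',
    'body' => json_encode(['cartItem' => ['sku' => 'demo', 'qty' => 1,
        'file_content' => base64_encode($polyglot)]], JSON_UNESCAPED_SLASHES),
];
$benign = $malicious;
$benign['body'] = json_encode(['cartItem' => ['sku' => 'demo', 'qty' => 1]]);

foreach (['malicious' => $malicious, 'benign' => $benign] as $label => $request) {
    $record = guardRestBody($request);
    echo $label, ': ', $record ? "blocked ({$record['signature']}, sha256 {$record['payload_sha256']})" : 'allowed', "\n";
}
```

The malicious body contains no `<?php` in clear text, so the raw pass finds nothing; the base64 pass decodes the file_content run back to the GIF header and reports base64:GIF89a, which is the same detection shape as the base64:R0lGODlh rows in the screenshots above. The hash and excerpt in the record are what make the blocked-request grid useful for incident response: the hash identifies repeat payloads across IPs without storing the whole body.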

Admin Dashboard

Open Admin → Panth Infotech → Malware Scanner.

The admin area has four pages:

  • Scan Findings — paginated grid of every on-disk detection with severity, file path, matched signatures, status, file size, first seen, last seen, and row-level actions.
  • Blocked Requests — every request blocked by a guard plugin, with source IP, URI, method, matched signature, severity, and payload excerpt.
  • Configuration — link to the Stores → Configuration section.
  • Documentation and Hardening Guide — in-admin reference covering signature syntax, quarantine operations, allowlist tuning, nginx deny rules, and the CLI command.

Panth Malware Scanner findings grid — clean 0-records state on a production Magento store, showing mass actions dropdown (Quarantine & Delete, Delete Permanently, Mark as Ignored), Run Scan Now button, Documentation & Hardening Guide link.

Panth Malware Scanner admin configuration screen showing General, Scheduled Scan, Active Protection, Active Protections panel, and Email Notifications groups.

Scheduled Scans

The module registers a Magento cron job that honours the Cron Expression setting. The default schedule runs every night at 03:00 server time. You can also trigger an ad-hoc scan from the admin or run it from the command line:

bin/magento panth:malware:scan

This command works in CI pipelines and outputs a progress summary to stdout.

Quarantine

When a critical finding is detected inside a configured Quarantine Zone (for example pub/media or var/import), the scanner moves the file to var/panth_malware_quarantine/ with mode 0600. The file is not deleted. You can review it, restore it if it is a false positive, or delete it permanently from the findings grid.

Files outside writable zones (app/code, vendor, lib, generated, bin, setup, pub/static) are flagged only and never touched automatically, so a guard or scanner bug can never break your codebase.

Two-Tier Removal from the Findings Grid

Action | What happens | When to use
Quarantine and Delete | File is moved to var/panth_malware_quarantine/. Original path is removed. Evidence is preserved. | Default handling for any suspicious finding.
Delete Permanently | File is hard-unlinked. No recovery possible. | After confirming malicious and when you no longer need the file for evidence.

Both actions are available as mass actions in the Findings grid. Permanent delete requires confirmation.
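The containment rule from the Quarantine section, as an added example that is not the module's own code: a critical finding is moved only when it lies inside a quarantine zone and outside the protected trees, the quarantined file gets mode 0600, and a sidecar JSON file keeps the original path so the finding can be restored. The zone, protected and quarantine paths mirror the README; the sidecar format and the demo tree in a temporary directory are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not the module's own code. Auto-quarantine decision and move,
// with the README's zones, protected trees and quarantine folder. The sidecar
// metadata format and the temp-dir demo are constructed.

const QUARANTINE_ZONES = ['pub/media', 'var/import', 'var/export', 'var/tmp', 'var/importexport'];
const PROTECTED_TREES  = ['app/code', 'vendor', 'lib', 'generated', 'bin', 'setup', 'pub/static'];
const QUARANTINE_DIR   = 'var/panth_malware_quarantine';

function isUnder(string $relativePath, string $prefix): bool
{
    return str_starts_with($relativePath, rtrim($prefix, '/') . '/');
}

/** The decision: critical severity, inside a zone, and never inside a protected tree. */
function mayAutoQuarantine(string $relativePath, string $severity): bool
{
    if ($severity !== 'critical') {
        return false;
    }
    foreach (PROTECTED_TREES as $tree) {
        if (isUnder($relativePath, $tree)) {
            return false;  // flagged only, never touched
        }
    }
    foreach (QUARANTINE_ZONES as $zone) {
        if (isUnder($relativePath, $zone)) {
            return true;
        }
    }
    return false;
}

/** Moves the file into the quarantine folder and returns its new absolute path. */
function quarantine(string $root, string $relativePath): string
{
    $realRoot = realpath($root);
    $realSrc  = realpath($root . '/' . $relativePath);
    // Resolve symlinks and refuse anything that escapes the Magento root.
    if ($realRoot === false || $realSrc === false || !str_starts_with($realSrc, $realRoot . '/')) {
        throw new RuntimeException("refusing to quarantine outside root: $relativePath");
    }
    $dir = $realRoot . '/' . QUARANTINE_DIR;
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    // Unique name so two findings with the same basename never collide.
    $dest = $dir . '/' . date('Ymd-His') . '-' . bin2hex(random_bytes(4)) . '-' . basename($relativePath);
    // rename() is atomic within one filesystem; a quarantine dir on another
    // mount would need copy + unlink instead.
    if (!rename($realSrc, $dest)) {
        throw new RuntimeException("move failed for $relativePath");
    }
    chmod($dest, 0600);
    $meta = [
        'original_path'  => $relativePath,
        'quarantined_at' => date('c'),
        'sha256'         => hash_file('sha256', $dest),
    ];
    file_put_contents($dest . '.meta.json', json_encode($meta, JSON_PRETTY_PRINT));
    chmod($dest . '.meta.json', 0600);
    return $dest;
}

// Demo on a throwaway tree: one finding in a zone, one in a protected tree.
$root = sys_get_temp_dir() . '/magento-demo-' . bin2hex(random_bytes(4));
foreach (['pub/media/wysiwyg', 'app/code/Acme/Demo'] as $d) {
    mkdir("$root/$d", 0755, true);
}
file_put_contents("$root/pub/media/wysiwyg/upload.php", "<?php echo 1;");
file_put_contents("$root/app/code/Acme/Demo/Data.php", "<?php echo 1;");

foreach (['pub/media/wysiwyg/upload.php', 'app/code/Acme/Demo/Data.php'] as $finding) {
    if (mayAutoQuarantine($finding, 'critical')) {
        $dest = quarantine($root, $finding);
        printf("%s -> %s (mode %o)\n", $finding, $dest, fileperms($dest) & 0777);
    } else {
        echo "$finding: flagged only, not touched\n";
    }
}
```

Two details matter operationally. The realpath check stops a symlink planted in pub/media from causing the scanner to move a file from somewhere else on the host, and the sidecar hash lets you verify later that the quarantined file is the same bytes the scan saw, which is what you want before a permanent delete.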

Email Notifications

When a scheduled scan finishes with findings at or above the configured severity threshold, an email is sent to every address in Recipient Emails. The email includes:

  • Store URL and hostname
  • Scan start and end time
  • Count of findings by severity
  • Top 10 findings with file path and matched signature
  • Direct link to the admin Findings grid

FAQ

Does this block PolyShell attacks?

Yes. The cart custom option guard, custom option guard, and upload guard specifically target the PolyShell (APSB25-94) attack chain. Every blocked request is logged with the exact matched signature so you can see what was blocked and when.

Does it prevent attacks or only detect them?

Both. The 11 guard plugins run inline and block uploads and requests before they reach disk. The cron scanner detects anything that was on disk before the module was installed or that bypassed the guards.

Will scanning slow down my store?

No. Scans run in the background via cron. Guards are fail-open, meaning any internal error logs a warning and lets the request through, so a guard bug cannot take the store offline. File scanning uses streaming reads and skips noise directories.

Can I add my own signatures?

Yes. Add an etc/panth_malware_signatures.xml file in a custom module. Signatures declared there are merged into the main catalog at runtime.

What happens to quarantined files?

They are moved to var/panth_malware_quarantine/ with full path metadata. Nothing is deleted automatically during quarantine. Review and delete from the findings grid once you have confirmed the file is malicious.

Does it work on Adobe Commerce Cloud?

Yes. The module is compatible with Adobe Commerce Cloud. Set the quarantine path to a writable mount in your configuration.

Can I disable individual guards?

No. Guards are registered via DI and are always active while the module is enabled. The Active Protections panel in admin configuration shows their status but is read-only. If you need to remove a guard, that requires a code change.

Does the extension allowlist break legitimate customer uploads?

No, as long as you keep the default allowlist (jpg, jpeg, png, gif, webp, bmp, pdf, doc, docx, xls, xlsx). Only add extensions your store genuinely needs. Never add txt, html, svg, or php variants.

Does Panth Malware Scanner need Panth Core?

Yes. mage2kishan/module-core is a free required dependency that Composer installs for you automatically.

Support

Channel | Contact
Product Page | kishansavaliya.com/magento-2-malware-scanner.html
Email | kishansavaliyakb@gmail.com
Website | kishansavaliya.com
WhatsApp | +91 84012 70422
GitHub Issues | github.com/mage2sk/module-malware-scanner/issues
Upwork (Top Rated Plus) | Hire Kishan Savaliya
Upwork Agency | Panth Infotech

Response time: 1-2 business days.

Need Custom Magento Development?

Looking for malware removal, post-breach cleanup, security hardening, custom module development, or Hyva theme work? Get a free quote in 24 hours:

Get a Free Quote

Hire on Upwork    Visit Agency    View Product Page

About Panth Infotech

Built and maintained by Kishan Savaliya (kishansavaliya.com), a Top Rated Plus Magento developer on Upwork with 10+ years of eCommerce experience.

Panth Infotech is a Magento 2 development agency that builds high-quality, security-focused extensions and themes for both Hyva and Luma storefronts. The extension suite covers security, SEO, performance, checkout, product presentation, customer engagement, and store management, with each module built to MEQP standards and tested across Magento 2.4.4 to 2.4.8.

Browse the full extension catalog on our Magento extensions page or on Packagist.

Quick Links

Resource | Link
Product Page | magento-2-malware-scanner.html
Packagist | mage2kishan/module-malware-scanner
GitHub | mage2sk/module-malware-scanner
Website | kishansavaliya.com
Free Quote | kishansavaliya.com/get-quote
Upwork (Top Rated Plus) | Hire Kishan Savaliya
Upwork Agency | Panth Infotech
Email | kishansavaliyakb@gmail.com
WhatsApp | +91 84012 70422

Ready to protect your Magento 2 store from malware and webshell attacks?
See Malware Scanner
