Malware Scanning

In-depth guide to the malware scanning engine, pattern matching, and threat detection.

The core of the Security Suite — a pattern-based malware detection engine designed specifically for PrestaShop.

How Detection Works

The scanner uses a library of regex-based patterns organized into 15+ categories. For each file:

  1. File content is read into memory
  2. Each line is tested against enabled pattern categories
  3. Optionally, comment lines are filtered out to reduce false positives
  4. Matches are recorded with file path, line number, matched snippet, category, and severity

Scan Modes

Full Scan scans every file under the PrestaShop root directory. This is the most thorough mode — recommended for:

  • Initial setup after module installation
  • Periodic deep scans (monthly)
  • After suspected compromise

Quick Scan targets only high-risk directories:

  • /modules/ — Third-party and custom modules
  • /themes/ — Theme files
  • /override/ — Override files
  • /controllers/ — Controller files
  • /classes/ — Class files
  • /upload/ — User-uploaded files
  • /img/ — Image directories (for disguised files)

Quick Scan is ideal for routine daily or weekly checks.

Custom Scan lets you select specific directories. Use this for:

  • Investigating a specific module after a vulnerability disclosure
  • Checking recently uploaded content
  • Targeted scanning of custom directories

Batch Processing

Files are processed in configurable batches (default: 500 files per batch). This ensures the scanner works within PHP's execution time limits, making it compatible with shared hosting environments.

During a browser-based scan, each batch automatically triggers the next until all files are processed. The progress bar updates in real time.

Disguised File Detection

A unique feature checks image files for invalid headers. Attackers commonly hide PHP backdoors inside files named .jpg or .png. The scanner reads the first bytes of each image and verifies they match the expected format:

  • PNG: \x89PNG
  • JPEG: \xFF\xD8\xFF
  • GIF: GIF87a or GIF89a
  • WebP: RIFF...WEBP
  • ICO: Valid ICO header bytes

Files that don't match are flagged for review.
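The header check described above, as an added Python example rather than the module's own code. It compares the first bytes of a file against the signature expected for its extension (the signatures listed above; the ICO signature 00 00 01 00 and the WebP layout of "RIFF" at offset 0 and "WEBP" at offset 8 are the standard ones) and flags files that do not match. The sample file contents are constructed for the demonstration.

```python
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Expected leading bytes per extension. WebP is handled separately because its
# signature is split: "RIFF" at offset 0, a 4-byte size, then "WEBP" at offset 8.
MAGIC = {
    ".png": [b"\x89PNG"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".ico": [b"\x00\x00\x01\x00"],   # standard ICO header (reserved 0, type 1)
    ".webp": [],                      # checked by header_matches() below
}
HEADER_LEN = 12  # enough to cover every signature above


def header_matches(ext: str, head: bytes) -> bool:
    """True if the first bytes carry the signature expected for this extension."""
    if ext == ".webp":
        return head[:4] == b"RIFF" and head[8:12] == b"WEBP"
    return any(head.startswith(sig) for sig in MAGIC[ext])


def check_image(path: str, data: bytes) -> Optional[Dict]:
    """Return a verdict for an image-extension file, or None for other files."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return None
    head = data[:HEADER_LEN]
    valid = header_matches(ext, head)
    return {
        "path": path,
        "ext": ext,
        "valid": valid,
        "header": head[:4].hex(),
        "reason": "ok" if valid else "header does not match %s signature" % ext,
    }


def check_image_file(path: str) -> Optional[Dict]:
    """Same check against a file on disk, reading only the header bytes."""
    with open(path, "rb") as fh:
        return check_image(path, fh.read(HEADER_LEN))


def find_disguised(files: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Paths whose extension claims an image but whose header says otherwise."""
    flagged = []
    for path, data in files:
        verdict = check_image(path, data)
        if verdict is not None and not verdict["valid"]:
            flagged.append(path)
    return flagged


# Constructed sample contents (not real files from any installation).
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
WEBP_OK = b"RIFF" + b"\x24\x00\x00\x00" + b"WEBPVP8 "
GIF_OK = b"GIF89a" + b"\x01\x00\x01\x00"
FAKE_JPG = b"<?php /* constructed placeholder, not a real payload */ ?>"
SAMPLE_FILES = [
    ("img/logo.png", PNG_OK),
    ("img/p/1.webp", WEBP_OK),
    ("img/banner.gif", GIF_OK),
    ("img/cache/thumb.jpg", FAKE_JPG),   # PHP text under an image name: flagged
    ("img/empty.ico", b""),              # truncated/empty header: flagged
    ("img/readme.txt", b"hello"),        # not an image extension: no verdict
]

if __name__ == "__main__":
    for p in find_disguised(SAMPLE_FILES):
        print("flagged for review:", p)
```

Two things worth keeping in mind when reading verdicts: the check is header-only, so a file that starts with a genuine image header and carries PHP appended after it passes this test and is left to the pattern scanner (which is why Quick Scan includes /img/); and an unusual but legitimate encoder output, such as a JPEG wrapped in a container the list above does not know, is reported as a mismatch and should be treated as a review item, not an automatic deletion.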

Handling Detections

After a scan, navigate to the Threats tab to review results. You can:

  • Quarantine — Isolate the file safely
  • Whitelist — Suppress the pattern (for false positives)
  • Delete — Permanently remove the file
  • Resolve — Mark as reviewed
  • Recheck — Re-scan a single file after cleanup