Malware Scanner & File Integrity Monitor for Magento 2

Signature-based malware scanner and file integrity monitor for Magento 2 — detects webshells, PolyShell payloads, PHP object-injection attacks, and polyglot files using regex, literal, filename, and pathglob signatures. Ships with quarantine support, an admin dashboard, scheduled scans, and email notifications so store owners know within minutes if their codebase has been tampered with.

Panth Malware Scanner is a production-grade security extension for Magento 2 and Adobe Commerce that combines a signature-driven malware scanner with a file integrity monitor. It recursively walks your Magento document root, matches every file against a curated signature catalog (regex patterns, literal byte sequences, suspicious filenames, and path globs), and flags any file that looks like a webshell, backdoor, cryptominer, or injection payload. Critical findings are automatically quarantined inside writable upload zones, a detailed admin grid surfaces every detection with file path, signature match, severity, and first-seen timestamp, and email notifications alert your team the moment a scheduled scan finds something suspicious.

Whether you are hardening a freshly migrated Magento 2.4.8 store, running a post-breach security audit, or just want continuous peace of mind, Panth Malware Scanner gives you enterprise-grade malware detection without the enterprise price tag.

The screenshots below were captured on a production Magento 2.4.8 install running Panth Malware Scanner, during the active PolyShell (APSB25-94) exploitation wave that started March 17, 2026. Every row is a real attacker request that hit the store and got shut down at the framework layer — no webshell ever executed.

What you're seeing: 807 blocked malicious requests across 41 pages — attackers probing /media/custom_options/quote/*.php, /pub/media/custom_options/quote/..., POST bodies starting with <?php, base64 GIF-header polyglot payloads (base64:R0lGODlh), and customer-attribute upload abuse via /tmp/phpXXX filenames. Every one blocked at the controller layer before the payload ever reached disk.

Earlier snapshot — 286 blocked requests. Same attack shapes: PolyShell polyglot uploads, rest_api base64 webshell uploads, customer_attribute tmpfile abuse. Each match has a source IP, the exact URI, the matched signature rule, and a severity flag — everything you need to trace an incident, file an abuse report, or block the IP at the WAF.

Get a free quote for your Magento security audit in 24 hours — malware removal, file integrity hardening, WAF setup, penetration testing, and ongoing security monitoring.

Visit our website: kishansavaliya.com  |  Get a quote: kishansavaliya.com/get-quote

• Live Proof — PolyShell Attacks Blocked on Our Own Stores
• Key Features
• How It Works
• Active Protection Layers
• Signature Types
• Compatibility
• Installation
• Configuration
• Admin Dashboard
• Scheduled Scans
• Quarantine
• Email Notifications
• FAQ
• Support
• About Panth Infotech
• Quick Links

Signature-Based Malware Scanning

• Four signature types — regex patterns, literal byte sequences, suspicious filenames, and pathglob matchers
• Curated signature catalog — covers PolyShell webshells, polyglot files, PHP object-injection payloads, eval-based backdoors, cryptominers, and known Magecart skimmers
• Vendor allowlist — prevents false positives on legitimate vendor/ composer dependencies
• Recursive filesystem walk — scans your entire Magento document root, skipping var/, generated/, pub/static/, and other noise directories

File Integrity Monitoring

• Baseline hashing — fingerprints every PHP file in core Magento and your custom modules
• Drift detection — flags any file whose hash changes between scans
• First-seen tracking — records when each malicious file first appeared on disk to aid incident response

Automatic Quarantine

• Zero-touch containment — critical severity findings inside writable upload zones (pub/media, var/import, custom options) are moved to a quarantine folder automatically
• Reversible — quarantined files are preserved with their original path metadata for restore or forensic review
• Safe by default — files outside writable zones are flagged only, never modified

Admin Dashboard & Grid

• Findings grid — filter, sort, and bulk-action every detection
• Signature catalog viewer — browse all active signatures with severity and description
• Scan history — every scan run logged with start/end time, files scanned, findings, and duration
• In-admin documentation — quick-reference guide for signature writing, quarantine handling, and allowlist management

Scheduled Scans & Alerts

• Cron-based scheduling — nightly, weekly, or custom cron expression
• Email notifications — instant alerts when a scan finds critical or high severity items
• Multi-recipient — send alerts to security, dev-ops, and store owner inboxes simultaneously

Security & Quality

• MEQP compliant — passes Adobe's Magento Extension Quality Program
• PHP 8.1 - 8.4 compatible — no deprecated APIs, strict types enabled
• Zero third-party libraries — uses only Magento framework and PHP standard library
• Lightweight — scans a typical 2.4.8 store in under 5 minutes

1. Cron trigger (or manual admin scan)
2. Recursive walker enumerates files (skips noise dirs)
3. Each file matched against signature catalog
 - regex | literal | filename | pathglob
4. Vendor allowlist filters known-safe composer packages
5. Findings recorded to database with severity + match
6. Critical findings in writable zones auto-quarantined
7. Email notification sent if threshold exceeded
8. Admin grid updated with latest scan results

Panth Malware Scanner ships with 11 active guard plugins that run in-line during request dispatch and file upload — each one closes a different part of the PolyShell attack chain. Guards are registered via etc/*/di.xml and are ALWAYS ON while the module is enabled. Every guard is fail-open: any internal error logs a warning and lets the request proceed, so a guard bug can never take the site offline.

Every blocked request is persisted to the panth_malware_blocked_request audit table with source IP, user agent, method, URI, matched signature, payload SHA-256, and a 500-character excerpt. Browse them under Admin → Panth Infotech → Malware Scanner → Blocked Requests.

Active guards can be reviewed read-only under Stores → Configuration → Panth Extensions → Malware Scanner → Active Protections.

Each signature declares a severity (critical, high, medium, low) and a human-readable description that appears in the findings grid.

Tested on:

• Magento 2.4.8-p4 with PHP 8.4
• Magento 2.4.7 with PHP 8.3
• Magento 2.4.6 with PHP 8.2

Composer Installation (Recommended)

composer require mage2kishan/module-malware-scanner
bin/magento module:enable Panth_Core Panth_MalwareScanner
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento setup:static-content:deploy -f
bin/magento cache:flush

Manual Installation via ZIP

1. Download the latest release ZIP from Packagist or the Adobe Commerce Marketplace
2. Extract contents to app/code/Panth/MalwareScanner/
3. Also install Panth_Core dependency
4. Run the commands above starting from bin/magento module:enable

Verify Installation

bin/magento module:status Panth_MalwareScanner
# Expected: Module is enabled

After installation navigate to: Admin → Panth Infotech → Malware Scanner

Settings live under Stores → Configuration → Panth Extensions → Malware Scanner.

Full admin surface in one screen — scan paths, exclude paths, file-extension allowlist, cron schedule, auto-quarantine toggle, Quarantine Zones (only these directories can have files auto-removed — app/code, vendor, lib, generated are always safe), Extra Allowlist Paths, the read-only Active Protections panel showing all 10 guard plugins wired through DI (Upload Guard, REST API Guard, GraphQL Guard, Custom Option Guard, Media Path Guard, Frontend Path Guard, Customer File Guard, Customer Attribute Guard, Image Content Guard, Webapi File Guard, Cart Custom Option Guard), and Email Notifications with severity threshold + sender.

The Panth Infotech → Malware Scanner admin area provides:

• Findings — paginated grid of every detection with path, signature, severity, first-seen, quarantined flag
• Signatures — browse the active signature catalog
• Scan History — timeline of every scan run with duration and counts
• Run Scan Now — trigger an ad-hoc scan from the admin
• Documentation — in-admin help pages for signature syntax, quarantine operations, and allowlist tuning

Scan Findings grid — the single place every detection surfaces. Columns are Severity (critical / high / medium / low), File Path (with click-through to the full finding detail), Matched Signatures (all rules that flagged this file, comma-separated), Status (active / quarantined / ignored), Size (bytes), First Seen, Last Seen, and Actions. The mass-actions dropdown at the top supports Quarantine & Delete (move the file into var/panth_malware_quarantine/ and drop from scan index), Delete Permanently (hard unlink — use after confirming the finding is malicious), and Mark as Ignored (keep it in the grid but stop alerting — for known-clean false positives). Run Scan Now in the header triggers an ad-hoc scan; the empty "0 records found" state shown here is what a hardened store should look like.

The module registers a Magento cron job that honours the Scan Schedule configuration. Default schedule runs every night at 02:00 server time. For manual triggering:

bin/magento panth:malware:scan

(Console command scaffolding ships with the module for CI pipelines.)

When a critical finding is detected inside a writable upload zone (for example pub/media, var/import, or custom options attachments), the file is moved — not copied — to the configured quarantine folder. Metadata is preserved so an authorised admin can:

• Review the file's original path and signature match
• Restore the file if it is a confirmed false positive
• Delete the file permanently after investigation

Files outside writable zones (for example files in app/code or vendor) are flagged only — never modified automatically — because changing them could break the store.

Two-Tier Removal: Quarantine vs Permanent Delete

Admins have two removal options per finding:

Both actions are available as mass actions in the Findings grid — select one or more rows, choose your action from the dropdown. The permanent delete is behind a confirmation dialog to prevent accidents.

When a scheduled scan finishes with findings at or above the configured severity threshold, an email is sent to every recipient in Notification Emails. The email includes:

• Store URL and hostname
• Scan start and end time
• Count of findings by severity
• Top 10 findings with file path and signature
• Direct link to the admin Findings grid

How is this different from a traditional antivirus?

Panth Malware Scanner is built specifically for Magento 2 filesystems — it understands the directory layout, knows which folders are writable from the frontend, and ships signatures tuned for Magento-targeted threats (Magecart skimmers, PolyShell webshells, admin-layout injection). Traditional AV tools scan everything with generic signatures and produce noise.

Does it prevent attacks or only detect them?

The Scanner module focuses on detection, quarantine, and alerting. For active prevention (upload guards, REST API filters) Panth Infotech also ships integrated firewall guards described in the module composer description.

Will it slow down my store?

No. Scans run via cron in the background. The file walker uses streaming reads and skips known-noise directories so a full scan of a typical 2.4.8 store completes in minutes, not hours.

Can I add my own signatures?

Yes. Signatures are declared in XML and merged across modules — add your own via an etc/panth_malware_signatures.xml file in a custom module.

What happens to quarantined files?

They are moved to var/panth_quarantine with full metadata. Nothing is deleted automatically — review and delete manually once confirmed malicious.

Does it work on Adobe Commerce Cloud?

Yes. The module is compatible with Adobe Commerce Cloud — quarantine path is configurable to a writable mount.

Is the source code available?

Yes. Source is on GitHub at github.com/mage2sk/module-malware-scanner.

Does it require Panth Core?

Yes. Panth_Core is a free required dependency — Composer installs it automatically.

Response time: 1-2 business days.

Need Custom Magento Security Work?

Looking for malware removal, post-breach cleanup, security hardening, or penetration testing for your Magento 2 store? Get a free quote in 24 hours:

Panth Malware Scanner is licensed under a proprietary license — see LICENSE.txt. You may install and use it on Magento installations you own or operate per your purchase agreement.

Built and maintained by Kishan Savaliya — kishansavaliya.com — a Top Rated Plus Magento developer on Upwork with 10+ years of eCommerce experience and a strong security focus.

Panth Infotech is a Magento 2 development agency specialising in high-quality, security-focused extensions and themes for both Hyva and Luma storefronts. Our extension suite covers security, SEO, performance, checkout, product presentation, customer engagement, and store management — over 34 modules built to MEQP standards and tested across Magento 2.4.4 to 2.4.8.

Browse the full extension catalog on the Adobe Commerce Marketplace or Packagist.

• Website: kishansavaliya.com
• Get a Quote: kishansavaliya.com/get-quote
• Upwork Profile (Top Rated Plus): upwork.com/freelancers/~016dd1767321100e21
• Upwork Agency: upwork.com/agencies/1881421506131960778
• Packagist: packagist.org/packages/mage2kishan/module-malware-scanner
• GitHub: github.com/mage2sk/module-malware-scanner
• Adobe Marketplace: commercemarketplace.adobe.com
• Email: kishansavaliyakb@gmail.com
• WhatsApp: +91 84012 70422

Ready to secure your Magento 2 store?

SEO Keywords: magento 2 security, malware scanner, file integrity monitor, magento security audit, magento malware detection, magento 2 webshell scanner, magento antivirus, magento security extension, magento file monitor, magento polyglot detection, magento php object injection, magento magecart detection, magento 2.4.8 security, panth malware scanner, panth infotech security, magento hardening, magento post-breach cleanup, magento penetration testing, magento cron security scan, magento quarantine, magento signature scanner, regex malware signatures, literal signature scanning, filename webshell detection, pathglob malware detection, magento vendor allowlist, magento admin security dashboard, magento email security alerts, magento scheduled security scan, hire magento security expert, top rated plus magento freelancer, kishan savaliya magento, mage2kishan, mage2sk