Error Security ImunifyAV - AI-BOLIT on Plesk

    ImunifyAV - Revisium Antivirus v2.10.8-1
    PLESK Obsidian 18.0.49 U#2

    SOPHOS-DET-LINUX-SAV-MALWARE-PHP/WebShel-GA activity on host.
    After a thorough investigation, we determined that static detection triggered for a possible PHP webshell in "ai-bolit-hoster.php" file ('/opt/psa/admin/plib/modules/revisium-antivirus/library/externals/ai-bolit-hoster.php').
    OSINT determined that AI-BOLIT is an open-sourced scanner and is designed to scan the site for viruses and malware.


    > https://www.virustotal.com/gui/file/...4cf193dcdcea5f

  • #2
    Hello Gregouz,

    The mentioned PHP file contains malware signature database indexes in base64-encoded form. The ai-bolit-hoster.php file is a part of the malware scanner engine.

    Since, by design, the tools used for scanning files and cleaning the infection are intended to scan the file contents and modify them during the cleanup, antivirus programs often see each other as malware and may cause false positives.

    We also faced a couple of similar situations with Kaspersky, for example. This behaviour is explained by them here for your reference: https://www.kaspersky.com/resource-c...ivirus-program

    If the extension was downloaded from the Plesk extension store and it was not modified, it is clean.
    If ImunifyAV is installed, you can do the following to make sure that files were not tampered with:

    1. Ensure the extension is of the most recent version:

        plesk bin extension --upgrade revisium-antivirus

    2. Compare the checksums of the scanning engine files. For example, below is the output from our lab server with Plesk + ImunifyAV (ex. Revisium):

        ~]# sha256sum /usr/local/psa/admin/plib/modules/revisium-antivirus/library/externals/{ai-bolit-hoster.php,ai-bolit.php,procu2.php}
        89fbb58268a6b126dea76047da7ba2498ad884f436ecbeaf1788e18f901781ee  /usr/local/psa/admin/plib/modules/revisium-antivirus/library/externals/ai-bolit-hoster.php
        eb7a56affc8e6b16fad50ea33471a0c93914d3b5de47670f844cf193dcdcea5f  /usr/local/psa/admin/plib/modules/revisium-antivirus/library/externals/ai-bolit.php
        3eaa9da4e9a6c8bebcb538a3171f64b72e4e5b6d50b363de0a831da35396dbf0  /usr/local/psa/admin/plib/modules/revisium-antivirus/library/externals/procu2.php
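    A small POSIX shell script that turns step 2 into a repeatable check: it compares the engine files against a sha256 manifest in `sha256sum` output format (for instance the lab values above, or hashes recorded right after a clean upgrade) and flags every file that is missing or modified. This is an added example, not code from the thread or from the ImunifyAV project; the manifest path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ImunifyAV project:
# re-check the AI-BOLIT engine files against a known-good sha256 manifest.
# The manifest uses `sha256sum` output format ("<hash>  <path>"), e.g. the
# vendor's lab checksums or values recorded right after a clean
# `plesk bin extension --upgrade`. Manifest and file paths are assumptions.

# digest FILE -> prints the hex sha256 of FILE (falls back to shasum on
# hosts without coreutils sha256sum).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_manifest MANIFEST -> reports each file as OK, MODIFIED or MISSING.
# Returns 0 only when every listed file exists and matches its recorded hash.
verify_manifest() {
    manifest="$1"
    status=0
    # `|| [ -n "$line" ]` keeps a last line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        # Tolerate blank lines and comments in the manifest.
        case "$line" in ''|'#'*) continue ;; esac
        expected=${line%%  *}          # text before the two-space separator
        path=${line#*  }               # text after it (the file path)
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"
            status=1
            continue
        fi
        actual=$(digest "$path")
        if [ "$actual" = "$expected" ]; then
            printf 'OK       %s\n' "$path"
        else
            printf 'MODIFIED %s\n  expected %s\n  actual   %s\n' \
                "$path" "$expected" "$actual"
            status=1
        fi
    done < "$manifest"
    return "$status"
}

# Usage (assumed manifest path): sh verify_engine.sh /root/imunifyav-engine.sha256
if [ "$#" -gt 0 ]; then
    verify_manifest "$1"
fi
```

    A non-zero exit status means at least one engine file differs from the recorded manifest and should be compared against a fresh copy of the extension before the alert is dismissed as a false positive.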
