Hi everyone,
I’ve recently encountered an issue on a Plesk server where ImunifyAV/Imunify360 started flagging multiple files as malware, even though they appear to be legitimate system binaries.
Specifically:
- Files like /usr/bin/cat, libraries, and other ELF binaries
- Located in paths such as: /var/www/vhosts/system/<domain>/... or /var/www/vhosts/<domain>/usr/bin/
- Detected as suspicious just because they are ELF binaries
From my analysis, these look like standard GNU/Linux binaries (e.g. GNU coreutils) and seem to be related to Plesk’s chroot/jail environment for subscriptions.
I also found this explanation from Plesk documentation:
https://support.plesk.com/hc/en-us/a...12377661896343
It suggests that Plesk creates these environments and copies system binaries there, which would explain their presence.
My questions:
- Are you experiencing the same issue recently?
- Did Imunify start flagging these files more aggressively for you as well?
- Are you treating this as false positives, or did you take any specific action (ignore rules, config changes, etc.)?
At the moment it looks like a false positive caused by heuristic ELF detection, but I’d like to confirm if others are seeing the same behavior.
Thanks in advance for any insights.
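
One way to test the false-positive hypothesis raised in the post, as an added example (not part of the original post and not Plesk or Imunify code): hash every ELF file under a subscription's chroot directory and compare it with the host file at the same relative path. It assumes the chroot mirrors host paths, as in `/var/www/vhosts/<domain>/usr/bin/`; the function and status names are made up for this example.

```python
import hashlib
import os
import sys

ELF_MAGIC = b"\x7fELF"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_elf(path):
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def triage(jail_root, host_root="/"):
    """Map each ELF file under jail_root (relative path) to a status:
    MATCH = identical to host copy, DIFFERS = stale copy or tampering,
    NO_COUNTERPART = no host file at that path. Assumes mirrored paths."""
    results = {}
    for dirpath, _dirs, files in os.walk(jail_root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Skip symlinks, special files and anything that is not ELF.
            if os.path.islink(path) or not os.path.isfile(path) or not is_elf(path):
                continue
            rel = os.path.relpath(path, jail_root)
            ref = os.path.join(host_root, rel)
            if not os.path.isfile(ref):
                results[rel] = "NO_COUNTERPART"
            elif sha256_of(path) == sha256_of(ref):
                results[rel] = "MATCH"
            else:
                results[rel] = "DIFFERS"
    return results


if __name__ == "__main__":
    # Assumed usage: python3 triage.py /var/www/vhosts/<domain>
    for rel, status in sorted(triage(sys.argv[1]).items()):
        print(f"{status:15} {rel}")
```

A `DIFFERS` result is not proof of tampering, since a chroot copy made before a package update will no longer match the host binary; those files and any `NO_COUNTERPART` entries are the ones worth a closer look.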