Hi,
Thank you for the clarification.
If the detections disappeared after the previous adjustment and then returned after the latest update, this needs to be reviewed again with the current package/signature versions and affected file examples. It may be related to the same Plesk chroot-shell path handling case we previously escalated internally, or it may be a new/changed detection pattern after the update.
Since this requires checking your current environment and specific detections, please open a Support ticket, or share the ticket ID here if you have already created one. In the ticket, please include:
- the current Imunify package versions;
- several examples of the detected file paths;
- the detection name/reason shown in Imunify;
- whether the affected paths are still related to Plesk chroot/jail shell directories;
- the approximate time when the issue returned after the update.
This will allow our Support and malware processing teams to verify whether the previous exclusion still applies correctly or whether an additional adjustment is needed.
As a temporary workaround, if you have already confirmed that these are legitimate Plesk chroot binaries, you may avoid cleaning/removing them while the case is being reviewed. We understand that you prefer not to add them to the Ignore List, so the support ticket is the best path to have this checked on our side.
ImunifyAV/Imunify360 started flagging multiple files as malware
It was already OK, but on the latest update that issue returned.
-
Hi,
Sorry to know you're still experiencing this issue.
Please submit a ticket to our Support Team on this.
-
Thank you for the details!
Consulted with the Imunify Team - they've opened an internal case for this, and our malware processing team is on it (DEF-40647). We are excluding the paths generated by the Plesk chrootshell.
Selected Answer
-
imunify-antivirus - 8.7.1-1
imunify-ui - 8.10.1-2
imunify-core - 8.9.0-3
-
Thanks for the quick reply, got it.
Could you please share the Imunify version you are using? e.g.:
Code:
rpm -qa | grep imunify
I am also interested in the antivirus module version so that I can consult it internally with our colleagues.
-
Hi, I assume that’s the case. This notification has been appearing for a few days now. It detects exactly 59 files in those subscriptions where these executable files are located in the usr directory. Previously, this didn’t happen at all, but now the same message appears in all subscriptions that contain these files.
I don’t want to add this to the exclusion list. I believe this should be handled on your side, so you can analyze why your software is detecting it this way. I don’t want to add it to exclusions to avoid accidentally overlooking something later.
I have scanned several of these files, and none of the executables appear to be viruses or anything suspicious.
-
Hello,
From what I can see, these detections appear to be related to legitimate binary files located under the account path, which can be flagged by Imunify’s Binary (ELF) malware detection. This may happen, for example, when such files are present as part of a chrooted environment or similar setup.
(1-2) We do not currently see this as a widespread recent pattern on our side. Also, at the moment, we do not have signs that Imunify started flagging these files more aggressively in general.
(3) If these files are expected and trusted on your server, this would be considered a false positive. In this case, you have a few options:
- Report the detected files as false positive: https://cloudlinux.zendesk.com/hc/en...gative-results
- Ignore them if you have already confirmed they are legitimate: https://cloudlinux.zendesk.com/hc/en...alware-scanner
- Apply the workaround from https://cloudlinux.zendesk.com/hc/en...-as-malicious:
  - disable Binary (ELF) malware detection, or
  - move such binaries to a dedicated directory and add that directory to the ignore list.
Please note that disabling ELF binary detection may reduce the protection scope, so the ignore-list approach is usually the safer option if these files are known to be legitimate.
-
Hi everyone,
I’ve recently encountered an issue on a Plesk server where ImunifyAV/Imunify360 started flagging multiple files as malware, even though they appear to be legitimate system binaries.
Specifically:
- Files like /usr/bin/cat, libraries, and other ELF binaries
- Located in paths such as: /var/www/vhosts/system/<domain>/... or /var/www/vhosts/<domain>/usr/bin/
- Detected as suspicious just because they are ELF binaries
From my analysis, these look like standard GNU/Linux binaries (e.g. GNU coreutils) and seem to be related to Plesk’s chroot/jail environment for subscriptions.
I also found this explanation from Plesk documentation:
https://support.plesk.com/hc/en-us/a...12377661896343
It suggests that Plesk creates these environments and copies system binaries there, which would explain their presence.
My questions:
- Are you experiencing the same issue recently?
- Did Imunify start flagging these files more aggressively for you as well?
- Are you treating this as false positives, or did you take any specific action (ignore rules, config changes, etc.)?
At the moment it looks like a false positive caused by heuristic ELF detection, but I’d like to confirm if others are seeing the same behavior.
Thanks in advance for any insights.
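One way to back up the "these are standard coreutils copies" assessment before opening a ticket is to compare each ELF file in a chroot tree against the host binary at the same relative path. This is an added example, not code from the thread or from Imunify or Plesk; it assumes a Plesk chroot under /var/www/vhosts/<domain>/ mirrors host paths such as usr/bin/cat, and that sha256sum (GNU coreutils) is available. The demo_tree function builds a constructed, fake-ELF tree so the script runs without touching a live server.

```shell
#!/bin/sh
# Added example, not from the thread or from Imunify/Plesk. Assumption: a Plesk
# chroot tree under /var/www/vhosts/<domain>/ mirrors host paths (usr/bin/cat).

# Print ELF if the file starts with the ELF magic bytes, otherwise NOT-ELF.
is_elf() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ] && echo ELF || echo NOT-ELF
}

# check_chroot_binary HOSTROOT CHROOTROOT RELPATH
# Prints MATCH, MISMATCH, MISSING-ON-HOST or NOT-ELF for one chroot file.
check_chroot_binary() {
    hr=$1; cr=$2; rp=$3
    [ "$(is_elf "$cr/$rp")" = ELF ] || { echo NOT-ELF; return 0; }
    [ -f "$hr/$rp" ] || { echo MISSING-ON-HOST; return 0; }
    h1=$(sha256sum "$cr/$rp" | cut -d' ' -f1)
    h2=$(sha256sum "$hr/$rp" | cut -d' ' -f1)
    [ "$h1" = "$h2" ] && echo MATCH || echo MISMATCH
}

# Walk one chroot tree; MISMATCH / MISSING-ON-HOST lines are the ones that
# deserve a closer look (or a Support ticket), MATCH lines are plain copies.
audit_chroot() {
    find "$2" -type f -perm -u+x | while read -r f; do
        rp=${f#"$2"/}
        printf '%s %s\n' "$(check_chroot_binary "$1" "$2" "$rp")" "$rp"
    done
}

# Constructed host/chroot pair in a temp dir (fake 'ELF' files, not real
# binaries) so the audit can be tried without touching a live server.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/host/usr/bin" "$t/chroot/usr/bin"
    printf '\177ELF\002\001\001 fake cat' > "$t/host/usr/bin/cat"
    cp "$t/host/usr/bin/cat" "$t/chroot/usr/bin/cat"               # faithful copy
    printf '\177ELF\002\001\001 fake ls' > "$t/host/usr/bin/ls"
    printf '\177ELF\002\001\001 altered' > "$t/chroot/usr/bin/ls"   # differs from host
    printf '\177ELF\002\001\001 orphan' > "$t/chroot/usr/bin/orphan" # no host twin
    printf '#!/bin/sh\necho hi\n' > "$t/chroot/usr/bin/helper.sh"   # not ELF
    chmod u+x "$t"/chroot/usr/bin/*
    echo "$t"
}

# Real server: audit_chroot / /var/www/vhosts/example.com  (demo run below)
t=$(demo_tree)
audit_chroot "$t/host" "$t/chroot"
```

A MATCH line means the chroot file is byte-identical to the host binary, which is exactly the case Plesk's documentation describes; anything else is what to include as an "affected file example" in the ticket.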