1. bluehost knowledge base

VPS & Dedicated Hosting: Antivirus


If you suspect malware, shell scripts, exploits, or viruses on your VPS/Dedicated account, there are tools located in your WHM panel that can be used to scan for such malicious content. First, you will need to be able to login to your WHM. If you haven't done this before, please see How to Log into WHM.

When you go to your WHM login link, you will be presented with the following page:
WHM Login
Log in with the root user and password. If this is your first time logging into WHM, or if there was a recent cPanel update, you may see a page titled "Feature Showcase". Click on Exit to WHM at the bottom of the page:
Exit to WHM
There are two main types of virus scanning on VPS and Dedicated servers:

Installing and Using ClamAV

  1. In the top left-hand corner, type "clamav" in the search bar, then click on the Manage Plugins link.
  2. Click on the Install "ClamAV for cPanel".
    Install ClamAV
  3. Once the install is complete, you will see the "ClamAV for cPanel" is now installed message.
    ClamAV Installed
  4. Refresh the WHM panel and perform another search for "clamav" using the search bar. Click on Configure ClamAV Scanner, and make sure all boxes are checked.
    Configure ClamAV Scanner
  5. Search in WHM for "feature", and click on the Feature Manager. Choose "Bluehost" from the Manage feature list, then click edit
    WHM - Manage Feature List
  6. Enable Virus Scanning, and click Save. You can find this quickly by searching for "virus" on the Feature Manager page.
    WHM - Feature Manager - Virus Scanning
  7. Now that ClamAV is installed, you can manually run a scan from your server's command line as the root user.

    For more information on using SSH, please see SSH Access.

  8. Be sure to replace the $user with your cPanel username in the command below:

    root@server [~]# /usr/local/cpanel/3rdparty/bin/clamdscan -i /home/$user/
  9. Once the scan is complete, it will give you an output of flagged files and a scan summary. You can use this to help guide you in cleaning up your cPanel account.

You can uninstall ClamAV under the Manage Plugins section of your WHM panel.

Installing and Using ImunifyAV

Imunify360 is a new feature that gets shipped with cPanel starting in cPanel 88. Below are steps to install and use this new malware scanner.
  1. When you upgrade to cPanel 88, you will see the feature showcase in the "Feature Showcase". If you want to install ImunifyAV, make sure "Enable" is selected, then click the Save button at the bottom.
    WHM Feature Showcase
  2. If the Feature Showcase does not appear when logging into WHM, you can also install ImunifyAV manually via SSH.

    root@server [~]# wget https://repo.imunify360.cloudlinux.com/defence360/imav-deploy.sh
    root@server [~]# bash imav-deploy.sh
  3. Once the install process has begun, wait about 5-10 minutes for the install to finish. After it is complete, visit the ImunifyAV section in your WHM panel by typing "imunify" in the search bar and clicking ImunifyAV.
    WHM ImunifyAV
  4. From the ImunifyAV screen, click the actions button next to your cPanel account, and click "Scan for Malware". When it is done, it will give you results.
  5. If you have multiple accounts, you can select all accounts, and scan all at once.
    WHM - Install ImunifyAV

You can uninstall ImunifyAV via command line.

root@server [~]# bash imav-deploy.sh --uninstall

If you have deleted the imav-deploy.sh, you can re-download it first:

root@server [~]# wget https://repo.imunify360.cloudlinux.com/defence360/imav-deploy.sh


If files show up on any of the malware scans, please note that some of the files might be vital to the functionality of your site and only contain snippets of malicious code that has been injected. You will want to work to remove the malicious code without deleting the file. Other files might be wholly malicious and should be deleted.

If you need assistance with the removal of malware we recommend reaching out to our malware scanning partner, SiteLock. SiteLock also has plans that include a content delivery network (CDN) and a web application firewall (WAF) that aid in protecting against malicious attacks.

Even with active firewalls, most of the vulnerabilities a hacker uses to gain access to your site and file structure are within your website scripts and software. It is vital to make sure all software is up to date, including any themes, plugins, and modules. This is the most important way to help prevent malware and keeping your account and server secure.