Knowledge Base
 Up to 70% off  on  WordPress  hosting for WordPress Websites and Stores!

VPS & Dedicated Hosting: Antivirus


If you suspect malware, shell scripts, exploits, or viruses on your VPS/Dedicated account, there are tools located in your WHM panel that can be used to scan for such malicious content. First, you will need to be able to login into your WHM. If you haven't done this before, please see How to Log into WHM.

When you go to your WHM login link, you will be presented with the following page:
WHM Login
Log in with the root user and password. If this is your first time logging into W + HM, or if there was a recent cPanel update, you may see a page titled "Feature Showcase." Click on Exit to WHM at the bottom of the page:
Exit to WHM
There are two main types of virus scanning on VPS and Dedicated servers:

Installing and using ClamAV

  1. Type ClamAV in the search bar in the top left-hand corner, then click on the Manage Plugins link.
    Install ClamAV
  2. Click on the Install ClamAV for cPanel.
    Install ClamAV
  3. Once the installation is complete, you will see the ClamAV for cPanel is now installed message.
    ClamAV Installed
  4. Refresh the WHM panel and perform another search for ClamAV using the search bar. Click on Configure ClamAV Scanner, and make sure all boxes are checked.
    Configure ClamAV Scanner
  5. Search WHM for feature, and click on the Feature Manager. Choose Bluehost from the Manage feature list, then click edit
    Configure ClamAV Scanner
  6. Enable Virus Scanning, and click Save. You can find this quickly by searching for virus on the Feature Manager page.
    Install ClamAV
  7. Now that ClamAV is installed, you can manually run a scan from your server's command line as the root user.
  8. For more information on using SSH, please see SSH Access.
  9. Be sure to replace the $user with your cPanel username in the command below:

    root@server [~]# /usr/local/cpanel/3rdparty/bin/clamdscan -i /home/$user/
  10. Once the scan is complete, it will give you an output of flagged files and a scan summary. You can use this to help you clean up your cPanel account.

You can uninstall ClamAV under the Manage Plugins section of your WHM panel.

Installing and using ImunifyAV

Imunify360 is a new feature that gets shipped with cPanel starting in cPanel 88. Below are the steps to install and use this new malware scanner.

  1. When you upgrade to cPanel 88, you will see the feature showcase in the Feature Showcase. If you want to install ImunifyAV, make sure Enable is selected, then click the Save button at the bottom.
    WHM Feature Showcase
  2. If the Feature Showcase does not appear when logging into WHM, you can install ImunifyAV manually via SSH.

    root@server [~]# wget https://repo.imunify360.cloudlinux.com/defence360/imav-deploy.sh
    root@server [~]# bash imav-deploy.sh
  3. Once the installation process has begun, wait about 5-10 minutes for the installation to finish. After completing it, visit the ImunifyAV section in your WHM panel by typing imunify in the search bar and clicking Security Advisor.
  4. From the ImunifyAV screen, click the actions button next to your cPanel account, and click "Scan for Malware." When it is done, it will give you results.
  5. You can select all accounts and scan them simultaneously if you have multiple accounts.
    Install ClamAV

You can uninstall ImunifyAV via the command line.

root@server [~]# bash imav-deploy.sh --uninstall

If you have deleted the imav-deploy.sh, you can re-download it first:

root@server [~]# wget https://repo.imunify360.cloudlinux.com/defence360/imav-deploy.sh


If files show up on any of the malware scans, please note that some of the files might be vital to the functionality of your site and only contain snippets of malicious code that have been injected. You will want to work to remove the malicious code without deleting the file. Other files might be wholly malicious and should be deleted.

If you need assistance with removing malware, we recommend reaching out to our malware scanning partner, SiteLock. SiteLock also has plans that include a content delivery network (CDN) and a web application firewall (WAF) that aid in protecting against malicious attacks.

Even with active firewalls, most of the vulnerabilities a hacker uses to access your site and file structure are within your website scripts and software. It is vital to make sure all software is updated, including themes, plugins, and modules. This is the most important way to help prevent malware and keep your account and server secure.


If you need further assistance, feel free to contact us via Chat or Phone:

  • Chat Support - While on our website, you should see a CHAT bubble in the bottom right-hand corner of the page. Click anywhere on the bubble to begin a chat session.
  • Phone Support -
    • US: 888-401-4678
    • International: +1 801-765-9400

You may also refer to our Knowledge Base articles to help answer common questions and guide you through various setup, configuration, and troubleshooting steps.

Did you find this article helpful?

* Your feedback is too short