ConfigServer eXploit Scanner (cxs) is a tool from configserver that performs active scanning of files as they are uploaded to the server.

First you need to download and install cxs from the official site :

Step 1

cd /usr/src
rm -f cxs*
tar -xzf cxsinstaller.tgz
chattr -i -R /usr/local/cwpsrv/htdocs/admin/
perl ipv4
rm -fv cxsinstaller.*

replace "ipv4" with the licensed server IP.

Step 2

After installing go to CWP.admin > Configserver Scripts >> ConfigServer Exploit Scanner and go through onscreen instruction, we recommend to use default settings.

That's it you're done.

Troubleshoot if the CXS GUI asking for clamd scanner socket run the below command and restart cxswatch service :

Add clamd socket to cxs config for the scanner :

sed -i '$ a clamdsock=/var/run/clamd.amavisd/clamd.sock' /etc/cxs/cxs.defaults

Restart CXS service :

service cxswatch restart

- Malware upload over FTP/SFTP
- Malware upload using CWP User Panel
- Malware upload using any PHP version CWP has including PHP-FPM and CGI
* Upload will fail if CXS detects that file contains the malware.