Will eComscan report all missing patches?

eComscan currently only monitors for the lack of critical patches, eg patches for bugs that are currently exploited or are likely to be exploited within the next 12 months. There is no alerting for missing patches that only fix "theoretical flaws" (for which no actual abuse method is known to exist), as we do not want to overload our customers with alerts for minor, hypothetical issues. An example are patches that fix security bugs that only apply to already-logged-in Magento staff ("authenticated privilege escalation"). NB. We may add full patch reporting in the future.

I have set up monitoring via cron but only got 1 mail?

It is the intended behaviour of --monitor to only send a mail when something has changed. If you want to always get an email report, change --monitor into --report. 

I have set up monitoring via cron but I get mail every time?

Change --report into --monitor and you will only be notified whenever an new issue is found, or an old issue has been fixed.

How do I set up monitoring for multiple e-mail addresses?

You can set up eComscan to send it's reports to multiple e-mail addresses by adding the e-mails to a --report or --monitor flag, seperated by only a comma. Be sure to not add any spaces between the comma's:

ecomscan --monitor email1@store.com,email2@store.com,email3@store.com

How do I scan multiple folders / storefronts?

Some providers, such as Nexcess, advice to set up different root folders per storefront using symlinks. The best way to scan them all, is to scan the parent folder (ie, your home directory).

I have patched a vulnerable extension, but it still flags red?

Our vulnerable module check uses version numbers, not code signatures. If you have manually patched a vulnerable module, you can add "-patch" to the version number (in Vendor/Module/etc/config.xml), so that eComscan will stop flagging it as vulnerable.


Can I use my eComscan license to scan staging/development servers?

Yes, you are allowed to use your license key on any store that shares the same primary domain name.

How does eComscan affect server load and resources?
eComscan will run at the lowest priority, so it will not affect the performance of your store. This is true for "scrutinize" mode (--deep) as well.

I always get this error: Could not download signature db. 

Something seems wrong with your network configuration. You are either behind a very restrictive firewall, or you have IPv6 lookups enabled for DNS but IPv6 routing fails. You should ask your network administrator / ISP.

I get: Query failed, perhaps this is a dev/test db server that I cannot reach

eComscan uses the password for the database from your store configuration. Sometimes, it finds store configuration that is used in local or development servers, and cannot connect to these servers. If you suspect something else is wrong, please re-run ecomscan with the --verbose option and share the results with us.

Shall I implement Content Security Policy (CSP) and Subresource Integrity (SRI) ?

There are two technical measures that you can implement to improve the security of your store: CSP and SRI. They are comparable to the airbag in your car: they will limit some damage but won't stop your car from crashing. In essence, they restrict the Javascript that can be run on your site. 


  • Good protection against Supply Chain Attacks. If one of your embedded suppliers get hacked, they won't be able to take control of your site.


  • It can be costly to maintain. If your supplier's Javascript changes, you would have to update the SRI checksum. If you add a new library, you would need to update the CSP configuration. Depending on how often this happens, this can be cumbersome.
  • If you don't use external Javascript, it has very little benefit. If attackers can break into your site, they can also modify the CSP/SRI headers.
  • There are several techniques that circumvent CSP, so it will only catch 99% of malware.

All in all, it is a trade off between maintenance costs and possible losses. We recommend to implement it if you have annual revenue over $20M.

I have found a malware that eComscan did not identify?

We are sorry to hear that eComscan did not identify this instance. While our scanning technology identifies about 99.5% of all ecommerce malware, we cannot guarantee 100% coverage because criminal groups are continuously evolving their practices. Our team runs forensic cases across the globe and we are usually able to produce a signature within hours of a new malware release. But on a (very) rare occasion, a new strain may slip through, especially if it is uses obfuscation which is also used by many legitimate vendors.

Please share the specific malware with us, and we are happy to help you (free of charge) with your case.