ConfigServer eXploit Scanner (CXS): your website’s security watchdog
Keeping your website secure from malicious code and exploits is a top priority. ConfigServer eXploit Scanner (CXS) is a powerful security tool designed to help protect your server and websites by actively scanning for and quarantining suspicious files and known malware.
What does CXS do?
CXS acts as a proactive security scanner for your server. Its primary functions include:
- Scanning and Reporting: CXS scans the files on your server, on demand or in real time with CXSWatch, for suspicious-looking code or known malware-related material and reports what it finds.
- Malware Detection (Not Cleanup): It identifies and reports on suspicious files. It’s important to note that CXS does not clean malware itself; it focuses on detection and quarantine.
- Real-time Monitoring (CXSWatch): When configured with CXSWatch, CXS monitors all files within your website’s document roots. Any file that is uploaded or changed (via FTP, PHP, file manager, etc.) is immediately scanned.
- Alerts: Suspicious files trigger an email notification to a configured email address.
- Quarantine: Files that match known malware signatures are moved to a quarantine directory outside the web root, so they can no longer be served or executed, and the user is notified via email. Quarantining is a cxs option rather than unconditional behaviour, and files are moved rather than deleted, so a false positive can be reviewed and restored from the WHM interface.
- HTTP POST Upload Scanning (cxscgi.sh): CXS includes a ModSecurity hook, cxscgi.sh, that scans files uploaded via HTTP POST requests (e.g., through website forms) as they arrive, before the web application writes them to disk.
How to access and manage CXS
For Liquid Web customers with our Server Secure+ package, CXS is included and pre-configured by our team. If you’ve purchased CXS separately, support for its configuration and troubleshooting is generally outside our standard scope.
Management via WHM (Web Host Manager)
Once installed, you can manage CXS through your WHM interface:
- Log into WHM.
- Navigate to the “ConfigServer eXploit scanner” section.
- View Quarantine: Within the “ConfigServer eXploit scanner” interface, look for the “cXs Control” button to view and manage quarantined files.
Common CXS configuration & troubleshooting
While our team handles most CXS configurations for Server Secure+ customers, here are some common areas you might encounter:
Changing destination email address for reports
CXS sends reports to a configured email address. You might need to check or change this address:
- For CXSWatch Reports:
Edit the cxswatch.sh file, /etc/cxs/cxswatch.sh, and look for a line similar to:
/usr/sbin/cxs --options -wW --Wstart --allusers --www --smtp --mail customer@email.com
Replace customer@email.com with the desired email address. You can also send to multiple addresses by separating them with commas (e.g., --mail email1@dot.com,email2@dot.com). You may also need to check or change the mail= setting in /etc/cxs/cxswatch.conf.
Important: After changing the email address, restart CXSWatch so the running watcher picks up the new recipient:
systemctl restart cxswatch
- For CXS ModSecurity Hook (cxscgi.sh) Uploads:
Edit the --mail setting directly in /etc/cxs/cxscgi.sh.
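The edit above is usually done by hand, but it is easy to leave a typo in the one line that decides where alerts go. The following is an added example, not code from this page or from ConfigServer, of making that change from a script: it reads the current --mail value, validates every address before touching the file, keeps a .bak copy, and writes the file back in a way that preserves its ownership and mode. It assumes the script contains a line invoking /usr/sbin/cxs with a "--mail <addr>" argument, as in the snippet quoted above; the file it edits in the demo is a constructed temporary copy, not /etc/cxs/cxswatch.sh.

```shell
#!/bin/sh
# Added example, not code from the page or from ConfigServer: change the
# --mail recipient(s) on the cxs launch line of a cxswatch.sh-style script
# from a script instead of by hand, validating the addresses first.
# Assumption: the file contains a line invoking /usr/sbin/cxs with a
# "--mail <addr>" argument, like the one quoted above. The demo below edits
# a constructed temporary copy, not /etc/cxs/cxswatch.sh.

# get_cxs_mail <file>: print the --mail value from the first cxs launch line.
get_cxs_mail() {
    grep '/usr/sbin/cxs' "$1" | head -n 1 |
        sed -n 's/.*--mail[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p'
}

# set_cxs_mail <file> <addr[,addr...]>: replace the --mail value in place.
# Leaves the file untouched and returns 1 if an address is malformed or the
# file has no --mail argument to replace; keeps a .bak copy otherwise.
set_cxs_mail() {
    file=$1
    addrs=$2
    old_ifs=$IFS
    IFS=','
    for a in $addrs; do
        # Require local@domain.tld and only characters that are safe both
        # in a mail address and inside the sed replacement below.
        case $a in
            *@*.*) ;;
            *) IFS=$old_ifs; echo "rejected address: '$a'" >&2; return 1 ;;
        esac
        case $a in
            *[!A-Za-z0-9._%+@-]*) IFS=$old_ifs; echo "rejected address: '$a'" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs
    grep -q -- '--mail[[:space:]]' "$file" || { echo "no --mail argument in $file" >&2; return 1; }
    cp -p "$file" "$file.bak"
    # Write through a temp file and cat back so ownership and mode survive.
    sed "s/\(--mail[[:space:]]\{1,\}\)[^[:space:]]*/\1$addrs/" "$file" > "$file.tmp" &&
        cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Demo on a constructed copy of the launch line quoted in the text.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#!/bin/sh
/usr/sbin/cxs --options -wW --Wstart --allusers --www --smtp --mail customer@email.com
EOF
echo "before: $(get_cxs_mail "$demo")"
set_cxs_mail "$demo" 'admin@example.com,soc@example.com'
echo "after:  $(get_cxs_mail "$demo")"
# A shell metacharacter smuggled into the address is rejected, file unchanged.
set_cxs_mail "$demo" 'admin@example.com;id' || echo "malformed address rejected, file unchanged"
rm -f "$demo" "$demo.bak"
```

The character whitelist matters more than it looks: the address ends up inside a sed replacement and, after the restart, on the command line of a root-run daemon, so rejecting anything beyond plain address characters is cheaper than reasoning about escaping. On a real server run it against /etc/cxs/cxswatch.sh and then restart cxswatch as described above.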
Ignoring files, web scripts, and IPs
Sometimes, you might need to tell CXS to ignore specific files, directories, or even IP addresses to prevent false positives or unnecessary scanning. This is managed in the /etc/cxs/cxs.ignore file (which you might need to create if it doesn’t exist).
The documentation at /etc/cxs/cxs.ignore.example provides full details, but here’s a summary of common syntax:
- user: <username> – Ignores a specific user.
- file: /path/to/file – Ignores a specific file.
- dir: /path/to/directory – Ignores a specific directory.
- sym: /path/to/symlink – Ignores a specific symlink.
- script: /path/to/web/script – Ignores a specific web script (for the ModSecurity hook).
- ip: <IP_address> – Ignores uploads from a specific IP address (only applies to web and FTP script uploads).
You can also use regular expressions for more flexible ignoring. Keep these as narrow as possible: anything a pattern matches is no longer scanned, and CXS does not warn you that an over-broad pattern has shrunk its coverage.
- puser: <regex_pattern> – Regex for users to ignore.
- pfile: <regex_pattern> – Regex for files to ignore.
- pdir: <regex_pattern> – Regex for directories to ignore.
- psym: <regex_pattern> – Regex for symlinks to ignore.
- pscript: <regex_pattern> – Regex for web scripts to ignore.
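Because a mistake in cxs.ignore fails silently (a mistyped directive is simply not applied, and an over-broad pattern quietly excludes real content from scanning), it is worth checking the file before installing it. The following is an added example, not code from this page or from ConfigServer, of a small linter for the syntax summarised above. It assumes entries use the "directive: value" forms listed (a space after the colon is accepted either way), checks regexes with grep -E, which only approximates the Perl regex engine cxs itself uses, and expects ip: values to be dotted-quad IPv4; the ignore files and the list of paths that "must stay scanned" are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the page or from ConfigServer: lint a
# cxs.ignore file before putting it in place, because a typo or an
# over-broad pattern silently turns off scanning instead of failing loudly.
# Assumptions: entries use the "directive: value" forms listed above (a
# space after the colon is optional); regexes are checked with grep -E,
# which only approximates the Perl regex engine cxs uses; ip: values are
# expected to be dotted-quad IPv4. The sample files are constructed.

# Paths that a sane ignore file must never match (constructed). A pfile:/pdir:
# regex that hits one of these would exclude real web content from scanning.
MUST_SCAN='/home/alice/public_html/index.php
/home/alice/public_html/wp-content/uploads/shell.php
/home/bob/public_html/.htaccess'

# lint_cxs_ignore <file>: print one line per finding; return 0 only if clean.
lint_cxs_ignore() {
    problems=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in ''|'#'*) continue ;; esac      # blank line or comment
        key=${line%%:*}
        val=${line#*:}
        val=${val#"${val%%[![:space:]]*}"}           # trim leading whitespace
        val=${val%"${val##*[![:space:]]}"}           # trim trailing whitespace
        case $key in
            user|file|dir|sym|script|ip|puser|pfile|pdir|psym|pscript) ;;
            *) echo "$lineno: unknown directive '$key'"; problems=$((problems + 1)); continue ;;
        esac
        if [ -z "$val" ]; then
            echo "$lineno: empty value for '$key'"; problems=$((problems + 1)); continue
        fi
        case $key in
            file|dir|sym|script)
                case $val in
                    /*) ;;
                    *) echo "$lineno: '$key' needs an absolute path: $val"; problems=$((problems + 1)) ;;
                esac ;;
            ip)
                printf '%s\n' "$val" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
                    { echo "$lineno: 'ip' is not an IPv4 address: $val"; problems=$((problems + 1)); } ;;
            p*)
                # A regex that does not compile is a hard error (grep exits 2).
                rc=0
                printf '' | grep -E -e "$val" >/dev/null 2>&1 || rc=$?
                if [ "$rc" -eq 2 ]; then
                    echo "$lineno: '$key' regex does not compile: $val"; problems=$((problems + 1)); continue
                fi
                # A pattern that also matches content that must stay scanned is over-broad.
                if [ "$key" = pfile ] || [ "$key" = pdir ]; then
                    hits=$(printf '%s\n' "$MUST_SCAN" | grep -E -c -e "$val" || true)
                    if [ "${hits:-0}" -gt 0 ]; then
                        echo "$lineno: '$key' regex also matches $hits path(s) that must stay scanned: $val"
                        problems=$((problems + 1))
                    fi
                fi ;;
        esac
    done < "$1"
    [ "$problems" -eq 0 ]
}

# Demo on two constructed ignore files.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
# static assets and a known-good upload handler
user: bob
dir: /home/alice/public_html/wp-content/cache
script: /home/alice/public_html/upload.php
ip: 203.0.113.10
pfile: \.(css|png)$
EOF
cat > "$bad" <<'EOF'
file: public_html/relative.php
foo: bar
ip: not-an-ip
pdir: ^/home/
psym: [unclosed
script:
EOF
lint_cxs_ignore "$good" && echo "good file: clean"
lint_cxs_ignore "$bad" || echo "bad file: problems found, do not install"
rm -f "$good" "$bad"
```

Put the paths you most care about (upload directories, anything under wp-content/uploads, the document root itself) into MUST_SCAN and run the linter on a candidate file before copying it to /etc/cxs/cxs.ignore; the over-broad check is the one that catches the "pdir: ^/home/" style of mistake that otherwise only shows up when an infection is missed.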
Manual scan via command line
If you need to run a CXS scan manually from the command line (for example, inside a screen session so a long scan survives a dropped SSH connection), direct the output to a log file; otherwise the results only go to your terminal and are lost when the session ends:
/usr/sbin/cxs --logfile /var/log/cxs.log [other_options_here]
Installation (for reference)
For those who need to know the installation steps (typically performed by support or for standalone licenses):
- Ensure the server is licensed (either via Server Secure+ or a direct purchase from ConfigServer Services).
- Run the following commands:
cd /usr/local/src
wget https://download.configserver.com/cxsinstaller.tgz
tar -xzf cxsinstaller.tgz
perl cxsinstaller.pl
rm -fv cxsinstaller.*
Configuration files
Key CXS configuration files include:
- Main Configuration: /etc/cxs/cxs.defaults
- CXSWatch Script: /etc/cxs/cxswatch.sh
- CXSWatch Configuration: /etc/cxs/cxswatch.conf
Conclusion
CXS is a valuable tool for enhancing your server’s security by providing robust scanning, detection, and quarantine capabilities for suspicious files and malware. While it doesn’t clean malware itself, its ability to quickly identify and isolate threats is crucial for protecting your websites. For Liquid Web Server Secure+ customers, our Heroic Support® team manages CXS to ensure your server remains protected. If you have any questions or need assistance, please don’t hesitate to reach out.