Skip to main content
Virus Scanner runs the open-source ClamAV scanner against a folder you pick. It catches files that match published malware signatures.
Virus Scanner with four scan-scope radio buttons

What it scans

Pick one of four scopes:
ScopePathWhat’s there
Scan Mail~/mail/Stored email and attachments.
Scan Entire Home Directory~/Everything in your account. Slowest, most thorough.
Scan Public FTP Space~/public_ftp/Anonymous FTP uploads (rarely used in 2026).
Scan Public Web Space~/public_html/Site files. The most useful scope for “is my site compromised?”
Click a scope and the scan runs in the foreground. Big folders take a few minutes. The page shows progress and lists hits at the end.

What it catches

ClamAV’s signature database is good at:
  • Known malware in PHP files (older WordPress shells, generic backdoors).
  • Common email-borne viruses.
  • Known infected binaries.
It’s less useful against:
  • Modern WordPress malware. Signatures lag behind real-world WP infection patterns. Today’s WP backdoors are often custom or obfuscated and slip past ClamAV.
  • JavaScript injection. ClamAV scans for binary signatures, not behavioral or pattern-based JS analysis.
  • Server-side compromises that don’t write malware to files. A backdoored cron, a database-injected script, or a runtime-only payload won’t show up.
If you have strong reason to believe your site is hacked (defacement, spam links, redirects, Search Console warnings), a clean scan here is not a clean bill of health.

What to do if the scanner finds something

1

Don't delete the file blindly

The hit might be a false positive, or removing one file might leave the rest of the infection in place. Note the path.
2

Take a JetBackup snapshot of the current state

Forensics first, cleanup second. See JetBackup.
3

Compare to a known-good copy

For WordPress core files, reinstall from the official zip. For plugins/themes, reinstall from the original source. Custom code: diff against the last clean backup.
4

Restore from a pre-infection backup

If you can identify when the infection happened, restoring is faster and safer than picking the malware out file by file. JetBackup retains 30 days of nightly snapshots; older incidents may not be recoverable.
5

Open a ticket if you're stuck

Mention what the scanner flagged and what you’ve tried. We can help with restores and account-level cleanup.

Common questions

Trust the symptoms, not the scan. ClamAV signatures don’t catch modern WP-targeted malware reliably. Compare core files against a fresh WordPress install, audit wp-content/uploads for any .php files (shouldn’t exist), check .htaccess for unfamiliar redirects, and check the database for injected admin users. If you’re not sure, restore from the most recent clean JetBackup snapshot.
~/ includes everything: mail, FTP, every site, every backup, every log. For most “is my site hacked?” questions, Scan Public Web Space is sufficient and much faster.
Sometimes. ClamAV occasionally flags legitimate files (especially packed JavaScript libraries) as malware. The signature name in the report tells you what it thinks the file is. Look the signature up; if it matches a known false positive class, ignore it. If it matches generic backdoor names, treat as real.
Not from this page. The cPanel UI runs scans interactively only. For scheduled scans, set up a cron job calling clamscan directly, e.g.:
clamscan -r --infected --remove=no /home/USER/public_html >> /home/USER/clamscan.log 2>&1
For serious malware monitoring, look into ImunifyAV or a dedicated WordPress security plugin; they’re better than scheduled ClamAV for modern threats.

Need a hand?