> ## Documentation Index
> Fetch the complete documentation index at: https://help.noxity.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Virus Scanner

> Run ClamAV against your home, web, FTP, or mail. Useful for spot checks; not a substitute for a proper malware scanner on a compromised site.

Virus Scanner runs the open-source ClamAV scanner against a folder you pick. It catches files that match published malware signatures.

<Frame caption="cPanel home → Advanced → Virus Scanner">
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/noxity/images/cpanel/advanced/virus-scanner/page-light.png" alt="Virus Scanner with four scan-scope radio buttons" className="block dark:hidden" />

  <img src="https://mintlify.s3.us-west-1.amazonaws.com/noxity/images/cpanel/advanced/virus-scanner/page-dark.png" alt="Virus Scanner with four scan-scope radio buttons" className="hidden dark:block" />
</Frame>

## What it scans

Pick one of four scopes:

| Scope                          | Path             | What's there                                                    |
| ------------------------------ | ---------------- | --------------------------------------------------------------- |
| **Scan Mail**                  | `~/mail/`        | Stored email and attachments.                                   |
| **Scan Entire Home Directory** | `~/`             | Everything in your account. Slowest, most thorough.             |
| **Scan Public FTP Space**      | `~/public_ftp/`  | Anonymous FTP uploads (rarely used in 2026).                    |
| **Scan Public Web Space**      | `~/public_html/` | Site files. The most useful scope for "is my site compromised?" |

Click a scope and the scan runs in the foreground. Big folders take a few minutes. The page shows progress and lists hits at the end.

## What it catches

ClamAV's signature database is good at:

* Known malware in PHP files (older WordPress shells, generic backdoors).
* Common email-borne viruses.
* Known infected binaries.

It's less useful against:

* **Modern WordPress malware.** Signatures lag behind real-world WP infection patterns. Today's WP backdoors are often custom or obfuscated and slip past ClamAV.
* **JavaScript injection.** ClamAV scans for binary signatures, not behavioral or pattern-based JS analysis.
* **Server-side compromises that don't write malware to files.** A backdoored cron, a database-injected script, or a runtime-only payload won't show up.

If you have strong reason to believe your site is hacked (defacement, spam links, redirects, Search Console warnings), a clean scan here is **not** a clean bill of health.

## What to do if the scanner finds something

<Steps>
  <Step title="Don't delete the file blindly">
    The hit might be a false positive, or removing one file might leave the rest of the infection in place. Note the path.
  </Step>

  <Step title="Take a JetBackup snapshot of the current state">
    Forensics first, cleanup second. See [JetBackup](/web-hosting/cpanel/file-management/jetbackup).
  </Step>

  <Step title="Compare to a known-good copy">
    For WordPress core files, reinstall from the official zip. For plugins/themes, reinstall from the original source. Custom code: diff against the last clean backup.
  </Step>

  <Step title="Restore from a pre-infection backup">
    If you can identify when the infection happened, restoring is faster and safer than picking the malware out file by file. JetBackup retains 30 days of nightly snapshots; older incidents may not be recoverable.
  </Step>

  <Step title="Open a ticket if you're stuck">
    Mention what the scanner flagged and what you've tried. We can help with restores and account-level cleanup.
  </Step>
</Steps>

## Common questions

<AccordionGroup>
  <Accordion title="The scanner says clean, but my site is clearly hacked">
    Trust the symptoms, not the scan. ClamAV signatures don't catch modern WP-targeted malware reliably. Compare core files against a fresh WordPress install, audit `wp-content/uploads` for any `.php` files (shouldn't exist), check `.htaccess` for unfamiliar redirects, and check the database for injected admin users. If you're not sure, restore from the most recent clean JetBackup snapshot.
  </Accordion>

  <Accordion title="Scanning my home directory takes forever">
    `~/` includes everything: mail, FTP, every site, every backup, every log. For most "is my site hacked?" questions, **Scan Public Web Space** is sufficient and much faster.
  </Accordion>

  <Accordion title="The scanner found a hit; is it a false positive?">
    Sometimes. ClamAV occasionally flags legitimate files (especially packed JavaScript libraries) as malware. The signature name in the report tells you what it thinks the file is. Look the signature up; if it matches a known false positive class, ignore it. If it matches generic backdoor names, treat as real.
  </Accordion>

  <Accordion title="Can I run scans on a schedule?">
    Not from this page. The cPanel UI runs scans interactively only. For scheduled scans, set up a [cron job](/web-hosting/cpanel/advanced/cron-jobs) calling `clamscan` directly, e.g.:

    ```bash theme={}
    clamscan -r --infected --remove=no /home/USER/public_html >> /home/USER/clamscan.log 2>&1
    ```

    For serious malware monitoring, look into ImunifyAV or a dedicated WordPress security plugin; they're better than scheduled ClamAV for modern threats.
  </Accordion>
</AccordionGroup>

## Need a hand?

<CardGroup cols={2}>
  <Card title="Open a ticket" icon="life-ring" href="https://members.noxity.io/submitticket.php">
    Best for anything that needs an account check or a config change on our end.
  </Card>

  <Card title="Live chat" icon="messages" href="https://noxity.io/contact">
    Faster for quick questions during business hours.
  </Card>
</CardGroup>