Question: VirusDie is back as a Lifetime Deal! is it worth it? Is it useful/needed on the GridPane Stack?

Question

This question comes from Facebook. I’ve decided to write out full blog posts responses to questions from Facebook. I’ve hidden the person’s identity in this case.

That’s a hard question. I’m a truth seeker, I like to know how something works, a root cause analysis person. So grab a coffee and prepare to spend a couple of minutes reading this comment 😉

PS. I haven’t used or owned VirusDie 🙂

Pitch Ground Lifetime Deal Screenshot

I’ve taken a full-page screenshot of the lifetime deal from pitchground.com

Is it worth buying the VirusDie Lifetime Deal?

You can see the lifetime deal at https://pitchground.com/products/virusdie or via the screenshot above.

That’s a tough question. I don’t know your finances or your business requirements. The key offerings are as follows.

• Automated Website Malware & Vulnerability Detection, Plus Scheduling Scanning
• Highest Detection Rate and No False Positives
• One-Click Automatic Malware Removal (even for the already infected sites)
• Vulnerability Detection & Automatic Patch Management
• Email Alerts & Blacklist Monitoring
• External URLs Scanning
• Complete Malware, Vulnerabilities Description, & Recommendations
• Infected Code Highlighting and Built-in File Editor
• Undetected Malware Manual Investigation At No Additional Cost
• Plus: Removal of Any Site From Your Service Panel So You Can Add Other Sites To Maintain

VirusDie is touted as a “malware” or “antivirus” for your WordPress site (they support other PHP software).

Malware Scanning, Detection and Cleaning

The core of their service is Malware scanning, detection, and cleaning. I would even go on to say the primary focus of the product. VirusDie achieves this by downloading your entire site’s code onto their servers and scanning it for known malicious code. You can then choose to clean the infected files and remove the malware. It can scan many different file types, including javascript, image, and binary files.

“Scan sites and remove infected files, Trojans, backdoors, shell scripts, and other malicious code from PHP, JS, HTML, images, system files, and even binary files.”

They also have a Website Firewall, also known as a WAF (Web Application Firewall) that protects your site from known attacks.

You can deploy Virusdie Website Firewall (a web application firewall) automatically in less than one second to protect sites from the most common attacks. It guards against hacking, malware, harmful requests, and content grabbing, XSS attacks, SQL injections, malicious code uploads, suspicious activities, and blacklists. Installation is automatic and takes just a second.

Similar to WordFence and Sucuri, the firewall or WAF will work to detect known malicious attacks and block them. They also provide “Vulnerability patch management” which will patch any plugins you have that are vulnerable. Why would you have vulnerable plugins? Some plugin authors don’t act right away to patch plugins, or they disappear. You might also find a site that is running a super old version of a plugin that is still needed for whatever reason. You technically could continue to run the plugin with the vulnerability patch management in place protecting the site from being attacked or compromised.

Blacklist Monitoring and URL Scanning

They’ve thrown in blacklist monitoring, and URL scanning. Consider these freebies and not a core feature per se. You can find lots of products online that will scan publicly and private black lists.

The external URL Scanning however is a decent feature to have. As a site owner, you might not even know that your site is infected, and some of your visitors might not either. Malware can insert content into your site that is only seen by Google’s search bot or by specific visitors. The URL Scanning will look at the entire site’s code as if it was a visitor.

However, I don’t know if they also try and spoof the Google search bot user-agent.

File Editor and File Backups

You’ll get access to a file editor and backups of all files for your sites.

You can restore cleaned or deleted files using the switcher (Current file / Backup) in the built-in File editor by clicking it from the malware removal report. You can restore cleaned or deleted files over the last 30 days. Neutralized copies of infected files to be restored are stored in the repository on your server.

I’m interested in the “Neutralized copies of infected files to be restored are stored in the repository on your server.” claim. Does that mean backups are stored on your hosting account? Definitely want to confirm this with VirusDie. If you’re reading this and a user of VirusDie and know the answer, please comment on this post!

Would I use it? Should you use it?

I might bite on the lifetime deal. Why? It’s a good clean-up tool. Instead of manually cleaning up sites, I can now offload this to VirusDie. I would most likely place this on a couple of sites that are higher traffic or have sensitive data. Such as WooCommerce stores, or sites that can’t update specific plugins. I’d like to see more of the WAF in-action, and some real-world results. Specifically how good it is at detecting attacks.

Do you need VirusDie on the GridPane Stack?

It all depends on your skill set and how you’ve configured your GridPane sites 🙂

GridPane’s Malware Scanning

GridPane does offer Maldet scanning for infected files. You can read more about Maldet on their website at https://www.rfxn.com/projects/linux-malware-detect/

The last entry in their changelog is “v1.6.4 | Mar 18, 2019:” so I’d consider this a dead project. Unless they’re maintaining it on Github or someone has forked it and started updating it regularly. Maldet is still useful, but just be mindful it’s not being updated.

EDIT: Check out this article to know more about Maldet. What is Maldet? Also, know as LMD or Linux Malware Detector

There are still some very useful security features that GridPane offers that might not be possible with VirusDie.

GridPane’s XML RPC + fail2ban

I personally use the XML RPC blocking and fail2ban because it’s best handled at the server level as this is the most performant. Having these operate at the PHP level is just inefficient and most likely will spike resources, not by a huge factor but it does add up if you have 15 sites on a single server.

Although fail2ban is a log processor so delays can occur in high traffic, that’s beside the point. It would be awesome if GridPane started their own list of offenders that could be used with fail2ban. Much like a central blacklist.

As for the 7/6G firewall, I don’t use it personally. But that doesn’t mean it’s not effective, it’s a great simple firewall to block common attacks. You can end up with false positives, which requires time to put in a rule to whitelist the blocked traffic. This isn’t always easy for some, you will need to under the necessary syntax and regex. But GridPane does have some documentation to help you with understanding how to use the 7/6G firewall at https://gridpane.com/kb/using-the-7g-web-application-firewall/

Based on my quick research, essentially a couple of minutes of Googling. VirusDie doesn’t block XMLRPC requests or multiple failed logins.

GridPanes ModSec / Modsecurity

Modsec is short for ModSecurity stems from the mod_sec apache module. Here’s a quick quote from Wikipedia.

ModSecurity, sometimes called Modsec, is an open-source web application firewall (WAF). Originally designed as a module for the Apache HTTP Server, it has evolved to provide an array of Hypertext Transfer Protocol request and response filtering capabilities along with other security features across a number of different platforms including Apache HTTP Server, Microsoft IIS, and Nginx. It is free software released under the Apache License 2.0.

https://en.wikipedia.org/wiki/ModSecurity

You can use Modsec with GridPane and they’re currently using the OWASP core ruleset. You can find out more information on GridPane’s knowledgebase article. https://gridpane.com/kb/using-the-gridpane-modsec-web-application-firewall/

Overall you’ll see better rulesets and functions within the ModSec engine versus 7/6G. But there’s some overhead for each request. That’s kinda the name of the game, if you want to do something cool it might cost you something.

PS. Litespeed now has a more performant ModSec engine as per https://blog.litespeedtech.com/2021/03/29/litespeed-web-server-v6-0/ which will be interesting to see how that fairs. Don’t think it will come to Openlitespeed, which GridPane currently has in Beta.

Malware Clean-up History and Comparison

I worked at a medium-sized hosting company in 2006. They had over 200 shared servers, 10,000 dedicated servers all over the US. I worked in the abuse department and was really the only security person around. I had assistance from others when it dealt with customer issues. We had developed a pretty good way to figure out how a site was hacked and clean it up. The majority of the time there was no protection, no WAFs or malware scanners. You’d search for specific code and find out when files were modified and search for POST actions in the weblogs.

Fast forward to today. You can be extremely successful using the same methods when a site is hacked. But that takes time and expertise that not everyone has.

VirusDie is trying to fill this gap by offering its scan engine, file backup, automated clean-up, web firewall, and patch management. All in all a great solution to keep your sites protected.

When comparing VirusDie to Wordfence, Wordfence doesn’t offer automated clean-up. They have a clean-up service per site for $490 which includes a 1-year license for their premium plugin. You do get a full report on how the site was hacked, an in-depth report of the infection removal and investigation. They will also remove your site from 20 popular blacklists and provide a checklist on how to protect your site in the future.

There are other companies out there that will clean up your site similar to Wordfence. You could also compare VirusDie to Sucuri another popular security plugin with premium features and services.

What’s VirusDie Missing?

There are some things that VirusDie could provide that other plugins have out of the box. For instance, Wordfence does provide the following which VirusDie doesn’t.

• Warn about plugins that are out of date, not listed in wordpress.org or currently have a vulnerability.
• Provides 2FA for all WordPress users.
• Country Blocking
• Leaked password protection.
• Brute Force Protection
• Rate Limiting
• Email Notifications and Reports.

Ultimately VirusDie isn’t really a security plugin, more of a malware scanning and clean-up tool.

Conclusion, VirusDie + GridPane?

Personally. I wouldn’t use VirusDie on GridPane. I would however use it in instances where I encounter a hacked site or as an upsell for clients that want to have the extra protection of something scanning files on their sites for malware if something got past Wordfence, an admin account was leaked, or FTP/SSH access was leaked.

Edits

• 07/13/2021 – Added more information about Maldet and link to separate article.
• 08/18/2022 – Thomas from wewatchyourwebsite.com helped clean up some grammar as well as provided his opinion on virusdue.