Best Antivirus For cPanel (I've Cleaned Many Hacked Sites)

Look, if you’re managing a cPanel server, you’ve probably already had that mini heart attack when you see weird files popping up or get that email from your host about “suspicious activity detected.” Been there.

So here’s the deal: most people end up using either ImunifyAV (or its beefier cousin, Imunify360) or ClamAV. ClamAV is free and gets the job done for basic scanning. Imunify costs money but catches way more stuff and actually stops attacks before they happen.

I’ve been working with cPanel setups for a few years now, and honestly? The antivirus question comes up every single time someone gets hacked or has a malware scare. And it will happen eventually cPanel servers are everywhere, which makes them juicy targets.

What I want to do here is walk you through both options without the marketing fluff. I’ll tell you what actually works, what’s a pain to set up, and which one makes sense depending on whether you’re running a personal blog or managing client sites. Because the “best” antivirus really depends on what you’re protecting and how much time you want to spend babysitting it.

Does cPanel Already Have Antivirus Built In?

Before you go installing anything extra, you should know that cPanel actually does have a virus scanner built in. Most people never notice it’s there.

It’s tucked away in the dashboard, and it’s basically just ClamAV which is free, open-source, and… fine. You can point it at your mailboxes, home directory, public files, FTP uploads, whatever. Hit scan, wait a bit, see what it finds.

The problem? It only runs when you tell it to. There’s no background monitoring, no “hey we just blocked this sketchy upload” notifications. You have to remember to actually use it. And depending on your host, they might not even have it enabled in WHM, so you might be looking for a button that doesn’t exist.

I’ve used it for quick checks when something feels off, and it’s caught stuff before. But if you want something that’s actually watching your server 24/7 instead of waiting for you to remember to run a scan? That’s when you need to look at Imunify or something similar.

Top Antivirus / Malware Scanner Options for cPanel

Alright, so cPanel’s built-in scanner isn’t cutting it for you. Fair enough. Let’s talk about what people actually use when they need something more serious. I’m not going to list 10 options here because honestly? There are really only a handful that matter, and most admins I know stick to two or three. Here’s what you’ll actually see in the wild:

Imunify360 – The Heavy Hitter

This is the one you’ll hear about most if you ask in any hosting forum. Imunify360 isn’t just an antivirus it’s a full security suite. It watches your server in real time, blocks attacks as they happen, and has this proactive defense thing that catches zero-day exploits before they even have signatures.

The catch? It costs money. Licensing runs around $13-20/month per server depending on where you buy it and how many sites you’re protecting. Some hosts include it for free or at a discount, so check with yours first.

I’ve seen it catch PHP backdoors that ClamAV completely missed. The interface is actually pretty nice too you can see what it blocked, whitelist false positives, and it sends you alerts when something sketchy happens. If you’re managing client sites or running anything that handles payments or user data, this is probably where you should be looking.

ImunifyAV – Imunify’s Free Little Brother

Same company, stripped-down version. ImunifyAV is free and does malware scanning without all the firewall and intrusion detection stuff. It’s smarter than ClamAV better detection rates, cleaner interface but it’s still mostly a scanner, not a full security layer.

Good middle ground if you can’t justify paying for Imunify360 but want something better than ClamAV. It’ll catch more threats and you can set it to scan automatically, which is a huge upgrade from clicking “scan” manually every week.

cPGuard – The Underdog Worth Watching

This one doesn’t get talked about as much as Imunify, but I’ve been seeing it pop up more lately. cPGuard is basically another all-in-one security plugin for cPanel/WHM malware scanning, firewall, brute force protection, the works.

What’s interesting is the pricing. It’s cheaper than Imunify360 (starts around $2-3/month for single servers) and some people swear by it. The interface is decent, scans are pretty thorough, and it does real-time monitoring like Imunify does.

The downside? It’s less proven. Imunify has been around longer and has a bigger user base, so there’s more documentation, more community support, and frankly more trust. cPGuard works well from what I’ve tested, but if something goes wrong or you need support fast, you might be dealing with slower response times.

That said, if you’re on a tight budget and want more than just scanning, cPGuard is worth trying. Just maybe test it on a dev server first before rolling it out to production.

ClamAV – The Old Reliable (Sort Of)

We already talked about this one, but it deserves a spot here. It’s free, it’s open-source, it’s been around forever. Every host supports it because it costs them nothing.

The problem is it’s… dated. The detection rate isn’t great compared to commercial options, and it’s really only good for catching known, obvious malware. If someone drops a custom backdoor on your server, ClamAV probably isn’t finding it unless the signature database gets updated which can take a while.

That said, it’s better than nothing. If you’re running a small personal site and just want basic protection, ClamAV does the job. Just don’t expect miracles.

ConfigServer Security & Firewall (CSF) with Malware Detection

Okay, CSF isn’t technically an antivirus, but a lot of people use it alongside cPanel for added security. It’s a firewall that can also do some basic malware scanning through its integration with other tools.

I mention it because if you’re serious about server security, you’re probably running CSF anyway. It won’t replace a proper antivirus, but it layers nicely with the other options here. Also free, also widely used.

Linux Malware Detect (LMD)

Another free one that flies under the radar. LMD is designed specifically for detecting malware in shared hosting environments which is exactly what most cPanel setups are. It focuses on finding threats in the kinds of places they actually hide: temp directories, uploads folders, that sort of thing.

It’s not as user-friendly as Imunify stuff, and you’ll probably need command-line access to get the most out of it. But some hosts integrate it into WHM, and when paired with ClamAV, it improves detection rates quite a bit.

So which one should you actually use?

Honestly? If you can afford it and you’re managing anything beyond a hobby blog: Imunify360. It’s just better, and the time you save not dealing with malware cleanup pays for itself pretty quick.

If budget’s tight but you still want full protection: cPGuard is worth a shot just know you’re trading some peace of mind for cost savings.
If you just need better scanning: ImunifyAV is a solid free alternative that’s still way better than stock ClamAV.
If you’re broke or just running a tiny personal site: Stick with ClamAV and maybe add LMD for a bit of extra coverage.

Next, let’s actually compare these side-by-side so you can see what you’re getting (or giving up) with each one.

Side-by-Side Compare: What You’re Actually Getting

Okay, specs and features are one thing, but let’s put these next to each other so you can actually see the trade-offs. I’m going to skip the marketing fluff and focus on what matters day-to-day.

Real-Time Protection

Imunify360: Yes, and it’s aggressive. Blocks stuff before it even hits your files.
cPGuard: Yes, real-time scanning and blocking.
ImunifyAV: Nope. It scans on schedule or when you tell it to.
ClamAV: Nope. Manual only unless you set up cron jobs yourself.
LMD: Nope. Scheduled scans at best.

If you need “set it and forget it” protection, you’re looking at Imunify360 or cPGuard. Everything else requires you to actually remember to scan.

Detection Quality

This is where it gets messy because nobody publishes hard numbers, but from what I’ve seen:

Imunify360: Best in class. Catches newer PHP malware, obfuscated backdoors, stuff that other scanners miss. Their threat database is constantly updated.
cPGuard: Pretty good. Not quite Imunify level, but way better than ClamAV. Catches most common threats without issue.
ImunifyAV: Same detection engine as Imunify360, just without the real-time part. So yeah, it’s solid.
ClamAV: Honestly? Mediocre. Great for old, well-known viruses and email attachments. Not great for modern web malware or zero-days.
LMD: Decent for Linux-specific threats. Better when paired with ClamAV.

Interface / Ease of Use

Imunify360: Really clean WHM/cPanel plugin. Easy to navigate, good reporting, lets you whitelist stuff without touching config files.
cPGuard: Pretty straightforward. Not as polished as Imunify but gets the job done. Some features feel a bit buried in menus.
ImunifyAV: Same nice interface as Imunify360, just fewer features to click through.
ClamAV: Basic cPanel interface. You click “scan,” you wait, you get a list. That’s about it.
LMD: Command line mostly, unless your host built something custom. Not beginner-friendly.

If you’re not comfortable in SSH, stick with Imunify or cPGuard.

Performance Impact

Nobody talks about this enough, but some scanners will absolutely hammer your server during scans.

Imunify360: Optimized pretty well. Real-time scanning adds some overhead, but I haven’t seen it kill servers. Scans are resource-aware.
cPGuard: Light to moderate impact. Scans can slow things down a bit on smaller VPS setups.
ImunifyAV: Minimal impact since it’s only scanning, not monitoring 24/7.
ClamAV: Can be brutal on large scans. I’ve seen it spike CPU to 100% on shared hosting. Run it during off-hours if you can.
LMD: Pretty lightweight, designed for shared environments.

Cost Breakdown

Let’s talk money because that’s probably a big factor here.

Imunify360: ~$13-20/month per server (varies by provider). Some hosts bundle it, so check first.
cPGuard: ~$2-3/month for single server license. Way cheaper, scales up from there.
ImunifyAV: Free. Seriously, just free.
ClamAV: Free and open source.
LMD: Free and open source.
CSF: Free.

Support & Documentation

When stuff breaks at 2am, this matters more than you think.

Imunify360: Solid support, tons of documentation, active forums. You’ll find answers.
cPGuard: Smaller team, support can be slower. Documentation is decent but not exhaustive.
ImunifyAV: Same support channels as Imunify360 since it’s the same company.
ClamAV: Community support only. You’re Googling and hoping someone had your problem before.
LMD: GitHub issues and community forums. Good luck.

False Positives

Every scanner flags legitimate files sometimes. How they handle it matters.

Imunify360: Does happen, but easy to whitelist. The AI learning thing helps reduce them over time.
cPGuard: Occasional false positives. Whitelisting is straightforward.
ImunifyAV: Same as Imunify360 decent accuracy, easy fixes.
ClamAV: Doesn’t flag much in general (because it misses a lot), but when it does, you’re editing config files.
LMD: Can be trigger-happy with certain WordPress plugins. Expect some false positives.

My Honest Summary

If I’m setting up a production server for clients or any site that makes money: Imunify360 every time. Yeah it costs more, but dealing with one malware infection costs way more in time and stress.

If I’m bootstrapping and need to save cash but still want decent protection: cPGuard. It’s not perfect, but at $2-3/month it’s hard to argue with.

If I just need basic scanning and I’m comfortable with manual work: ImunifyAV + LMD combo. Free, better than ClamAV alone, good enough for most small sites.

If I’m running a personal blog and honestly can’t afford anything: ClamAV and cross my fingers. Set up a weekly cron job and maybe add LMD if I’m feeling ambitious.

Next up, let’s talk about actually installing and configuring whichever one you picked because some of these are way easier to set up than others.

How to Actually Install Antivirus on cPanel (Easier Than You Think)

Alright, you’ve picked your tool. Now comes the fun part getting it running. And I’m going to be honest with you: some of these are stupid easy, and some will make you question your life choices.

Installing Imunify360 or ImunifyAV

This is probably the smoothest install you’ll do. Imunify makes it pretty painless.

If you’re the server admin:

SSH into your server and run their install script. Seriously, it’s like three commands:

wget https://repo.imunify360.cloudlinux.com/defence360/imunify-deploy.sh
bash imunify-deploy.sh --key YOUR_LICENSE_KEY

Replace YOUR_LICENSE_KEY with your actual key (you get this when you buy it, or from your host if they’re providing it). For ImunifyAV, the process is basically identical just get the free key from their website first.

The script does everything: installs dependencies, sets up the scanning engine, integrates with cPanel/WHM. Takes maybe 5-10 minutes depending on your server. Then you just log into WHM, and boom there’s an Imunify section in your sidebar.

If you’re on shared hosting:

You’re probably out of luck installing it yourself. This needs root access. But check with your host a lot of them either have it already installed or will add it for you (sometimes for an extra fee). Some hosts like A2 or LiquidWeb include it by default on certain plans.

Common hiccup: If you’re running CloudLinux, the install goes even smoother because Imunify was built for it. If you’re on standard CentOS or AlmaLinux, it still works fine, just make sure your kernel is up to date first or you might get weird errors.

Installing cPGuard

cPGuard is also pretty straightforward, though slightly more manual than Imunify.

You need to be root, then:

wget https://downloads.cpguard.com/install.sh
sh install.sh

It’ll walk you through activation (you need your license key ready). The installer asks a few questions mostly just “yes, install this” type stuff. Maybe 10-15 minutes total.

Once it’s done, you’ll see cPGuard in your WHM under Plugins. The cPanel integration should show up automatically for your users too.

Heads up: I’ve had cPGuard conflict with CSF once or twice. If you’re running both, you might need to tweak some firewall rules so they’re not stepping on each other. Their support docs have a guide for this, but it’s annoying.

Installing ClamAV

If your host hasn’t already installed this, you can usually do it through WHM.

Go to WHM → cPanel → Manage Plugins and enable the ClamAV Scanner plugin. That’s… kind of it? cPanel handles the rest.

If it’s not showing up as an option, your host might need to install the actual ClamAV package on the server first:

yum install clamav clamav-update  # CentOS/AlmaLinux
apt-get install clamav clamav-daemon  # Ubuntu/Debian

Then run freshclam to update the virus definitions. This takes forever the first time because it’s downloading the entire signature database.

After that, the scanner should appear in cPanel under Advanced or Security, depending on your theme.

Pro tip: Set up a cron job to run freshclam daily. ClamAV is borderline useless if the definitions are outdated, and by default it doesn’t auto-update aggressively enough.

Installing Linux Malware Detect (LMD)

This one’s all command line. If that scares you, maybe skip it.

SSH in as root:

cd /usr/local/src
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzf maldetect-current.tar.gz
cd maldetect-*
./install.sh

That installs it. Now you need to configure it, which means editing /usr/local/maldetect/conf.maldet. The defaults are okay, but you’ll probably want to:

Set email_alert="1" so it actually tells you when it finds stuff
Add your email address to email_addr
Maybe enable quarantine_hits="1" so infected files get moved instead of just flagged

Then set it to scan daily:

ln -s /usr/local/maldetect/cron/daily /etc/cron.daily/maldet

Real talk: LMD is powerful but clunky. If you’re not comfortable editing config files and reading logs in /usr/local/maldetect/logs/, this might not be for you. It’s definitely not “set and forget” like Imunify is.

Installing CSF (ConfigServer Security & Firewall)

Not strictly an antivirus, but since I mentioned it earlier and people ask about it:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Then test that it works:

perl /usr/local/csf/bin/csftest.pl

If that passes, you’re good. Head to WHM → Plugins → ConfigServer Security & Firewall to configure it through the GUI.

Warning: CSF replaces your existing firewall. If you have rules set up in iptables or firewalld, back them up first because CSF will overwrite them. I learned this the hard way and locked myself out of a server once. Not fun.

Now Configure It (The Part People Skip and Regret Later)

Okay, it’s installed. Don’t just leave it sitting there actually set it up properly.

Imunify360/ImunifyAV:

Log into WHM, find the Imunify section
Kick off your first full scan (grab lunch, this takes a while)
Review what it found. Almost guaranteed there are a few false positives whitelist those
Turn on email notifications so you actually know when it blocks something
If you’re on Imunify360, check the firewall rules. Defaults are solid, but you might need to whitelist your own IP or certain services you use

cPGuard:

Open cPGuard in WHM
Add your notification email
Run a manual scan first see what you’re dealing with
Enable auto-scanning (daily is good, weekly if your server’s underpowered)
Double-check firewall settings aren’t blocking legit stuff

ClamAV:

Just run a scan from cPanel to make sure it works. There’s really not much to tweak in the GUI. Want more control? You’re editing /etc/clamd.conf, but honestly most people don’t need to.

LMD:

Run your first scan manually:

maldet -a /home

This scans all home directories. On a big server, go do something else it’s slow. Check the report in /usr/local/maldetect/logs/ when it’s done.

To quarantine flagged files:

maldet -q /path/to/suspicious/file

But seriously, review before you start nuking files. LMD flags legit stuff sometimes.

Test It Before You Trust It

Here’s what nobody does and everyone should: actually test that your scanner works.

Upload the EICAR test file. It’s a harmless fake virus that every scanner should catch. Create a file called eicar.txt and put this in it:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Upload it somewhere on your server. Your scanner should either catch it immediately (real-time protection) or on the next scan.

If it doesn’t? Something’s broken or misconfigured.

I can’t tell you how many times I’ve seen people think their antivirus is running when it’s actually just… sitting there doing nothing. Five minutes with the EICAR file saves you from finding out the hard way six months later when you actually get infected.

Here’s the next section on handling malware when it’s detected:

When Your Scanner Actually Finds Something (Don’t Panic)

Alright, so your scanner just lit up like a Christmas tree and flagged a bunch of files. Now what?

First: breathe. Finding malware sucks, but it’s not the end of the world. I’ve cleaned hundreds of infected sites at this point, and most of them are back up and running within a few hours. The key is not freaking out and randomly deleting stuff.

Step 1: Figure Out What You’re Actually Looking At

Not all “threats” are equal. Scanners flag three main types of stuff:

Actual malware – backdoors, shell uploaders, mass mailers, that kind of thing. These need to go immediately.

Suspicious code – might be malicious, might be a poorly coded plugin. Needs investigation.

False positives – completely legitimate files that the scanner got wrong. More common than you’d think.

When you’re looking at scan results, check:

What file was flagged (full path matters)
What threat name the scanner assigned
When the file was created or modified

If you see stuff like /public_html/wp-content/uploads/definitely-not-a-shell.php created yesterday when you didn’t upload anything? Yeah, that’s probably real. If it’s flagging core WordPress files or a popular plugin you just updated? Might be a false positive.

Step 2: Quarantine Before You Delete

Here’s where people screw up: they see “malware detected” and immediately delete everything the scanner flagged. Then they realize they just nuked a legitimate plugin or their entire shopping cart.

Most scanners have a quarantine feature. Use it.

In Imunify360/ImunifyAV: Click the file, hit “Move to quarantine.” It gets moved to a safe location where it can’t execute but you can restore it if needed.

In cPGuard: Same deal – quarantine option right in the interface.

In ClamAV: Uh… you’re kind of on your own here. ClamAV just tells you what’s infected, it doesn’t do much management. Best bet is to manually move the file somewhere safe:

mkdir /root/quarantine
mv /path/to/infected/file /root/quarantine/

With LMD: It has a quarantine function if you enabled it in config:

maldet -q SCAN_ID

This quarantines everything from that scan. Or target specific files if you want.

The point is: always quarantine first, observe your site, then delete if everything’s fine. I’ve seen too many people take down their own sites by deleting stuff that turned out to be needed.

Step 3: Check If Your Site Is Actually Working

After you quarantine the flagged files, test your site. Like actually click around and test it.

Does the homepage load?
Can you log into the admin panel?
Are forms submitting?
Is checkout working if you’re running a store?
Any weird errors in the browser console?

If something breaks, you probably quarantined a false positive. Go restore it and whitelist it in your scanner.

If everything works fine? Cool, the file probably was malicious. You can delete it from quarantine later.

Step 4: Investigate How It Got There

Okay so you found malware. Removing it is one thing, but if you don’t figure out how it got there, you’re just going to get reinfected next week.

Common entry points I see all the time:

Outdated plugins or themes – Seriously, like 80% of WordPress infections come from people running ancient versions of stuff with known vulnerabilities. Check your installed plugins and themes against the scan dates. If you see malware and WordPress hasn’t been updated in a year, that’s probably your problem.

Weak passwords – If your FTP password is “password123” or your admin account is still “admin/admin,” congrats, you made it stupid easy for someone. Change them. All of them.

Nulled or pirated themes/plugins – Yeah, that “premium theme” you got for free from some sketchy site? It came with a backdoor. I see this constantly. If you installed something you didn’t pay for, that’s your infection source.

File upload vulnerabilities – Some poorly coded contact forms or file upload features let people upload PHP files disguised as images. Check your uploads directory for weird .php files.

Compromised FTP/SSH credentials – If your login credentials leaked somewhere (old data breach, keylogger, whatever), attackers use them to upload malware directly. Change your passwords and maybe enable two-factor if your host supports it.

Look at the file timestamps. If you see a bunch of files all created at 3am on the same day, that’s when the breach happened. Check your server logs from that time period you might see the attack in your access logs.

Step 5: Clean Up Properly

Just deleting the obvious malware files isn’t always enough. Here’s the full cleanup checklist:

Check your cron jobs:

crontab -l

Attackers love hiding cron jobs that re-download their malware every hour. If you see anything you didn’t create, delete it.

Check your .htaccess files:

Look for weird redirects or RewriteRules you didn’t add. Malware often modifies .htaccess to redirect traffic or hide itself.

Scan your database:

If you’re running WordPress, malware sometimes injects code into the database usually in the wp_options or wp_posts tables. Look for:

Suspicious JavaScript in theme options
Weird values in the siteurl or home fields
Hidden admin users you didn’t create

Use a plugin like WP-CLI or just search directly in phpMyAdmin for common malware strings like “eval(” or “base64_decode”.

Check user accounts:

cat /etc/passwd

Make sure there aren’t any user accounts you don’t recognize. Attackers sometimes create backdoor accounts.

Review file permissions:

Nobody needs 777 permissions on PHP files. Ever. If you see that, fix it:

find /home/username/public_html -type f -perm 0777 -exec chmod 644 {} \;

Step 6: Reset Everything Sensitive

Once you’ve cleaned the malware, assume anything that was on the server is compromised:

Change all passwords (cPanel, FTP, SSH, database, WordPress admin, email accounts everything)
Regenerate any API keys or tokens
If you had SSH keys, rotate them
Force all users to reset their passwords if it’s a multi-user site

Yeah it’s a pain. But if someone had access to your server, they might have grabbed password hashes or session tokens. Better safe than hacked again next week.

What If You’re Completely Overwhelmed?

Look, if you’re staring at 500 infected files and have no idea where to start, it might be time to call in help. Most hosts offer malware cleanup services (usually $50-150 depending on severity). Companies like Sucuri specialize in this if your host doesn’t.

Or, if you have good backups from before the infection: nuke everything and restore. Seriously. Sometimes it’s faster and safer to just wipe and restore than to try cleaning a heavily infected site.

Just make sure your backup is actually from before the infection. I’ve seen people restore a backup that already had malware in it because they didn’t realize they’d been infected for months.

After Cleanup: Stay Clean

You removed the malware. Great. Now keep it gone:

Update everything – If you’re on WordPress, Joomla, whatever keep it updated. Plugins, themes, core files, all of it. Set up auto-updates if you can.

Harden your setup – Disable file editing from the WordPress admin, change your database prefix, move wp-config.php up a directory, all that security hardening stuff you’ve been meaning to do.

Actually use your antivirus – Don’t just install it and forget it exists. Check the scan reports. Set up email alerts. Pay attention when it flags stuff.

Keep backups – Off-server, automated, frequent. If everything goes to hell, you want a clean version to restore from. I use a combination of server-level backups and something like UpdraftPlus for WordPress sites.

Monitor your site – Use uptime monitoring (UptimeRobot is free), check your traffic for weird spikes, keep an eye on server resource usage. Often you’ll notice something’s wrong before your antivirus catches it.

Alright, that’s the malware response plan. Not fun, but now you know what to do instead of panicking and making it worse.