Free cookie consent management tool by TermsFeedAktualizacja preferencji plików cookie
Nowa wersja Kowal Security Scan z AI już dostępna — zobacz moduł
Kowal Review Suite — automatyzuj opinie klientów w Magento 2 z pomocą AI
Currency
EUR - Euro
Toggle Nav
Search
My Cart
Main product photo

Magento 2 Module – Security and Malware Detection Scanner

Be the first to review this product
€30.75 €25.00
COMPOSER Installation
M2-SECURITY-SCAN
Do you have any questions?
Call or email us: WhatsAppWhatsApp Phone+48608012047
Add to Wish List Add to Compare
Enquire about this product
Email
Requires changes to the template
No
Minor changes
Significant changes
Requires programming knowledge
No
Basic
Advanced
Difficulty in configuration
Impact on performance
Compliance with Magento standards
  • Polnisch Polnisch
  • English English
  • 2.4.9
  • 2.4.8
  • 2.4.7
  • 2.4.6
  • 2.4.5
  • 2.4.4
  • 2.4.3
  • 2.4.2
  • 2.4.1
  • 2.4.0
  • 2.3.7
  • 2.3.6
  • 2.3.5
  • 2.3.4

Kowal Security Scan is an advanced security module for Magento 2 that helps detect suspicious file changes, malicious code, dangerous URLs, and injections in database content faster. It was designed to run lightly, without additional agents and without complex deployment.

Key module features

  • File change scan - detects new, modified, and deleted files within the Magento application.
  • Heuristic malware scan - analyzes php, phtml, js, html, svg, htaccess files and other payload carriers.
  • PHP token analysis - detects decode -> execute chains, dynamic callbacks, variable function calls, and suspicious include/require usage.
  • Database scan - checks selected Magento tables for malicious HTML, JavaScript, SVG, data: URI, and dangerous links.
  • Google Safe Browsing integration - evaluates the reputation of URLs found in store content.
  • Optional OpenAI analysis - extends the report with risk assessment and recommended actions.
  • Advanced allowlists - help reduce false positives at the domain, file, content, and specific rule levels.
  • Reports with ready-to-use configuration - the module suggests allowlist candidates and generates normalized JSON export ready to use.

What makes this module stand out?

  • Stable rule identifiers - file and database rules have their own rule_id, so allowlist configuration does not depend on the full text description.
  • Reports supporting incident response - the report shows not only detections, but also risk level, recommendations, and ready-to-use configuration entries.
  • False positive control without disabling the scanner - you can silence a single rule for a specific path or table instead of disabling the entire module.
  • Full automation - the module runs via cron, but every scan can also be launched manually through CLI.

What threats does it help detect?

  • obfuscated PHP code based on e-val, base-64_decode, gzin-flate, and similar techniques,
  • malicious JavaScript injections in CMS content,
  • external iframes and suspicious redirects,
  • SVG payloads and content hidden in data: URI,
  • dangerous links leading to malware, phishing, or unwanted software,
  • unauthorized changes in application files.

Where does the module look for threats?

The module analyzes key store areas where incidents most commonly appear:

  • Magento application and module files,
  • CMS blocks,
  • CMS pages,
  • core_config_data,
  • Magento email and newsletter templates,
  • product content and customer reviews.

Reports and operational response

  • Results are stored in the module dedicated report table.
  • The report can be sent by email to the operator.
  • Each detection may include a risk level, operational guidance, and related rule_id.
  • The report can prepare ready-to-use allowlist suggestions and normalized configuration in JSON.

Example use cases

  • detecting malicious code added after a store breach,
  • monitoring unauthorized changes in deployment files,
  • detecting infected CMS blocks or content in the database,
  • assessing whether a suspicious URL should be added to the allowlist or removed from the system.

Why choose it?

  • Fast deployment - works as a Magento 2 module without additional infrastructure.
  • Practical reporting - the module does not stop at detection, but helps move toward an operational decision.
  • Better alert quality control - allowlists and rule_id help maintain high effectiveness without a flood of false alarms.
  • Well suited for production environments - automatic scans, email reporting, and manual CLI commands support the daily work of the technical team.

Compatibility

  • Magento Open Source 2.3.x - 2.4.x
  • Adobe Commerce / Magento Commerce

What does the package include?

  • Magento 2 module with cron jobs and CLI commands,
  • module administrative configuration,
  • database and email reporting mechanism,
  • advanced detection rules and allowlist system.

Documentation and support

Deployment and configuration documentation is available for the module, and its architecture supports further tuning of rules and security processes in a Magento 2 store.

Improve early incident detection in Magento 2 with Kowal Security Scan.

Change Log

Version: 1.0.27

31.03.2026

We expanded the Kowal_SecurityScan module with new features related to threat analysis and report administration.

New features

  • Added OpenAI integration for analyzing changed files and suspicious database records.
  • Reports and email messages now include risk assessment and recommended actions in the following areas:
    • Magento
    • server
    • firewall
  • Added OpenAI configuration in the Magento panel, including:
    • enable/disable AI analysis
    • API key
    • model selection
    • context limit passed for analysis

Improvements

  • The list of OpenAI models is now fetched dynamically from the API and presented in configuration as a dropdown.
  • Email content has been expanded with Magento store identification:
    • store domain
    • store URL
  • The store domain is also added to the message subject, making it easier to manage multiple instances.

Automation and maintenance

  • Added a new cron job that cleans old entries from the report table.
  • Report retention time is configurable from system.xml as a number of days.

Technical fixes

  • Organized the logic for analyzing suspicious files and records.
  • Improved handling of the data context passed to AI analysis.
  • Removed a DI compilation issue related to the earlier OpenAI client implementation.

Questions and Answers

Question
Does the module allow scanning a Magento 2 store for malicious code and security threats?
Answer
Yes — the module is described as a “Security and Malware Detection Scanner,” which suggests that it automatically analyzes the store’s files for unauthorized changes or harmful code.
Question
After detecting a problem, does the module notify the administrator or allow corrective action to be taken?
Answer
Although the description does not provide all the details, the purpose of the scanner is to detect threats—which typically includes notifications or access to a report—it is worth confirming whether email notifications or an alert panel are available.
Question
Does installing the module require overwriting Magento core or theme files?
Answer
No — modules offered by Kowal are usually extensions compatible with the Magento 2 architecture and do not require modifications to core files. (No information about the need for modification)
Question
Does the module support Magento 2 stores in multi-store and multi-view installations?
Answer
Yes — because the module operates at the level of scanning system files and store security, it is logical that it will also work in a multi-store environment. If in doubt, it is recommended to check the documentation.
Question
Does the module help meet the security recommendations of the Magento platform or the Magento Security Scan Tool?
Answer
Yes — an external scanner (such as Adobe/Magento Security Scan) provides security monitoring and scanning.
Question
Does the module significantly affect the store’s performance, for example when scanning large file directories?
Answer
It is possible that scanning may cause some load; however, security scanners usually run in the background or during off-peak hours. It is recommended to test its operation in a test environment.
Question
Does the module allow scan scheduling (automatic scans), or is it manual only?
Answer
The module description does not clearly specify whether scheduling is available — if automation is important to you, it is worth asking about the possibility of setting up a CRON job or scan schedule.
Question
Does the module allow reporting scan results—for example, which files were changed or whether unauthorized modifications were detected?
Answer
Although the description does not include details, “malicious code detection” functionality typically includes reports or logs—it is worth verifying the level of reporting detail with the manufacturer.
Question
Does the module support the latest versions of Magento 2 (e.g., 2.4.x)?
Answer
On the store page, the module is listed in the section for Magento 2 modules, which suggests compatibility with current versions; however, you should always confirm the list of supported versions.
Question
Do I receive technical support and updates after purchasing the module?
Answer
Yes — the manufacturer states that it provides free updates and technical support for its extensions.
Write Your Own Review
You're reviewing:Magento 2 Module – Security and Malware Detection Scanner
Your Rating

Module Installation Instructions

Module guide Kowal_SecurityScan

Overview

The module extends Magento 2 with a security monitoring layer for application files, selected database tables, suspicious URLs, and optional incident analysis by OpenAI.

Reports are stored in the kowal_securityscan_report table and can be sent by email.

Main features

  • Magento file change scan with comparison to a snapshot,
  • heuristic scan of php, phtml, php5, inc, phar, js, html, htm, svg, htaccess files,
  • PHP token analysis via token_get_all(),
  • scan of selected database tables for malicious HTML, JavaScript, SVG, data: URI, and suspicious URLs,
  • integration with Google Safe Browsing API,
  • optional OpenAI analysis for detections,
  • configurable allowlists for domains, files, content patterns, and rules,
  • reports with ready-to-use allowlist suggestions and normalized JSON configuration export.

Requirements

  • Magento 2,
  • available kowal/base module,
  • working Magento cron,
  • properly configured email sending,
  • optional: OpenAI API key and Google Safe Browsing API key.

Installation

1. Add the package repository

If the package is not available in the default Composer repository, add the source:

composer config repositories.securityscan vcs https://github.com/kowalco/module-securityscan

If the repository requires authorization:

composer config --global --auth github-oauth.github.com

2. Install the package

composer require kowal/module-securityscan

3. Enable the module

php bin/magento module:enable Kowal_SecurityScanphp bin/magento setup:upgradephp bin/magento cache:flush

In a production environment, perform the standard Magento deployment steps according to your deployment process.

Cron and scan schedule

The module registers its own cron group securityscan.

  • kowal_securityscan_filecheck - daily at 00:00,
  • kowal_securityscan_malwarecheck - daily at 01:00,
  • kowal_securityscan_dbcheck - daily at 02:00,
  • kowal_securityscan_cleanup_reports - daily at 02:30.

Without a working Magento cron, automatic scans will not run.

Manual scan execution

To run scans manually, use:

php bin/magento kowal_securityscan:filecheckphp bin/magento kowal_securityscan:malwarecheckphp bin/magento kowal_securityscan:dbcheck

This is the recommended testing method after installation and after configuration changes.

Configuration

Configuration path:

Stores -> Configuration -> kowal -> kowal_security

General settings

  • Enable module
  • Report recipient email address
  • Sender email address
  • Report retention in days
  • Google Safe Browsing API Key
  • Domain allowlist
  • File allowlist
  • Database pattern allowlist
  • File rule allowlist
  • Database rule allowlist

Minimum configuration

  1. enable the module,
  2. set the report recipient address,
  3. set the report sender address,
  4. make sure Magento email sending works,
  5. make sure Magento cron works.

OpenAI analysis

The OpenAI Analysis section lets you extend reports with risk assessment and recommended actions.

Available fields:

  • Enable AI analysis,
  • OpenAI API Key,
  • OpenAI Model,
  • Maximum context for AI.

How to enable

  1. enable Enable AI analysis,
  2. fill in OpenAI API Key,
  3. save configuration,
  4. refresh the configuration form,
  5. select the model.

Default behavior

  • default model: gpt-4.1-mini,
  • default context limit: 12000,
  • values below 2000 are raised to 12000,
  • maximum context limit is 50000.

If OpenAI is disabled or the key is missing, the module still works and uses local heuristics.

Google Safe Browsing

If you fill in the Google Safe Browsing API Key, the module will:

  • check URLs detected in files and the database,
  • check the store base URL.

Missing a key does not block basic scans, it only disables this stage.

File change scan

filecheck works based on a snapshot saved to:

var/security_scan_hashes.json

On the first run:

  • a snapshot is created,
  • there is no change comparison yet,
  • the report informs about creating the reference baseline.

Subsequent runs report changes of type ADDED, MODIFIED, and REMOVED.

The following are skipped, among others:

  • var/,
  • generated/,
  • vendor/,
  • pub/static/,
  • node_modules/.

File malware scan

malwarecheck scans application files based on:

  • regex rules with rule_id,
  • PHP token heuristics,
  • URL checks via Safe Browsing.

Example detection types:

  • file.obfuscated_eval_chain,
  • file.command_execution_from_request,
  • file.encoded_payload_blob,
  • file.token.decode_execute_chain,
  • file.token.include_from_request,
  • file.inline_svg_or_event_handler.

In reports, reasons are presented in the format:

[file.encoded_payload_blob] Encoded payload blob detected

Database scan

dbcheck analyzes selected Magento tables:

  • cms_block,
  • cms_page,
  • core_config_data,
  • email_template,
  • newsletter_template,
  • review_detail,
  • catalog_product_entity_text.

Example rules:

  • db.inline_script_tag,
  • db.html_event_handler,
  • db.external_iframe,
  • db.javascript_uri,
  • db.data_uri_executable,
  • db.embedded_svg_payload,
  • db.javascript_dom_redirect.

Content is normalized beforehand using:

  • html_entity_decode,
  • rawurldecode,
  • whitespace normalization,
  • analysis of multiple variants of the same content.

Advanced configuration: allowlists

Allowlists are used to reduce false positives without disabling the entire module.

1. Domain allowlist

Field: kowal_security/general/allowlisted_domains

Format:

  • one domain per line, or
  • a comma-separated list.
cdn.example.comstatic.example.org

Effect:

  • URLs from these domains will not be treated as suspicious,
  • Safe Browsing will not check them.

2. File allowlist

Field: kowal_security/general/allowlisted_file_patterns

Format:

  • relative paths,
  • glob support.
app/code/Vendor/Module/Test/*pub/media/custom.js

Effect: files matching the pattern are completely skipped by the malware scan. This setting has a broad scope.

3. Database pattern allowlist

Field: kowal_security/general/allowlisted_db_patterns

Format:

  • phrases,
  • HTML or JS fragments,
  • entries separated by a new line or commas.
trusted-inline-widgetdata:image/svg+xml

Effect: a database record containing such a fragment is skipped by the DB scan. This setting also has a broad scope.

4. File rule allowlist

Field: kowal_security/general/allowlisted_file_rules

Preferred format:

path_or_glob | rule_id

Example:

app/code/Vendor/Module/* | file.encoded_payload_blobpub/media/custom.js | file.javascript_redirect_or_rewrite

Backward compatibility:

  • old entries by full rule label still work,
  • new entries should use rule_id.

Effect: only the specified rule is silenced for the specified path, while the rest of the scan for that file still works.

5. Database rule allowlist

Field: kowal_security/general/allowlisted_db_rules

Preferred format:

table_or_* | rule_id

Example:

cms_block | db.inline_script_tag* | db.fetch_or_xhr_loader

Effect: only the specified rule is silenced, while the others still work for that record or table.

Reports

Reports may contain:

  • a list of detections,
  • risk assessment,
  • indicators and recommendations,
  • allowlist candidates after manual verification,
  • normalized allowlist configuration in JSON.

Allowlist suggestions in reports

The report section may contain entries such as:

- cms_block | db.inline_script_tag | confidence=MEDIUM | scope=LOW- app/code/Vendor/Module/* | file.encoded_payload_blob | confidence=MEDIUM | scope=LOW- data:image/svg+xml,

Interpretation:

  • scope=LOW - safer candidate,
  • scope=HIGH - broad silencing, only after strict verification,
  • confidence=MEDIUM/HIGH - more predictable configuration candidate,
  • confidence=LOW - requires caution.

JSON export

The report also contains the Normalized allowlist configuration (JSON) section. This is a ready, deduplicated set of values to copy into the configuration.

Recommended usage flow

  1. run all three scans manually after installation,
  2. treat the first filecheck as snapshot creation,
  3. analyze reports and confirm which detections are real,
  4. for false positives, first use allowlisted_file_rules and allowlisted_db_rules,
  5. only when necessary, use allowlisted_domains, allowlisted_file_patterns, and allowlisted_db_patterns,
  6. after changing configuration, rerun the appropriate CLI scan and check the result.

Operational notes

  • filecheck does not yet report changes as an incident on the first run,
  • the module works without OpenAI and without Safe Browsing, but with lower analysis depth,
  • allowlisted_file_patterns and allowlisted_db_patterns have broad impact and should be used sparingly,
  • the preferred format for rule allowlists is rule_id, not the full text label.

Inne moduły o podobnym zastosowaniu

Powiązane artykuły

Kowal Search Optimizer Implementation in the HiFiStation.pl Store

Kowal Search Optimizer Implementation in the HiFiStation.pl Store

HiFiStation.pl is an online store in the audio industry, offering hi-fi equipment, home theater systems, loudspeakers, headphones, amplifiers, turntables, streamers, accessories, and products from specialist brands. The store operates in a segment where customers very often search for products by model name, symbol, brand, technical abbreviation, or partial product designation.
How to Secure a Magento 2 Store Against Unauthorized Access

How to Secure a Magento 2 Store Against Unauthorized Access

Want your Magento 2 store to be visible only to logged-in customers? The Kowal_ForcedLogin module lets you easily block store access for users who are not logged in, without modifying the code. An ideal solution for B2B stores, test stores, or stores with a private offer.
Products

Specjalna oferta!

Spędziłeś już trochę czasu na przeglądaniu tego produktu. Oto Twój kod rabatowy: