1. Check that the alert emails are being sent and received. If you have --mail root in your command line, make sure you
have set up a root forwarder (to a WORKING email address) in WHM > Change System Mail Preferences > root's email.
Please note that you cannot set the root forwarder to "root" as this will set up
a mail loop and root emails will never be delivered.
To ensure that cxs alert emails for web script uploads can be sent, the
following two options in WHM > Tweak Settings should be disabled
- Track email origin via X-Source email headers > Should be OFF
- Prevent "nobody" from sending mail > Should be OFF
2. Set up logging (see FAQ
) and tail the log as you do some testing (see FAQ
). Make sure you chmod your logfile 666.
3. Make sure you have not whitelisted the cPanel account, domain, or cxs mod_security rule (1010101) in your
mod_security configuration, for example using ConfigServer ModSecurity Control.
4. Make sure you only have one
uncommented cxs command line in your cxscgi.sh file.
For example, here both lines are uncommented:
/usr/sbin/cxs --quiet --cgi --delete --logfile /var/log/cxs.log --cleanlog "$1"
/usr/sbin/cxs --quiet --cgi --mail root --quarantine /home/quarantine/ \
--logfile /var/log/cxs.log "$1"
You should comment out with a '#' the line you do NOT want to use, like this:
# /usr/sbin/cxs --quiet --cgi --delete --logfile /var/log/cxs.log --cleanlog "$1"
/usr/sbin/cxs --quiet --cgi --mail root --options mMOfSGchednwT \
--quarantine /home/quarantine/ --logfile /var/log/cxs.log "$1"
(Note: The backslash (\) allows you to split a long command line onto two lines.)
5. Make sure the file permissions are correct on these files in /etc/cxs:
6. Run your scan command line and carefully check the scan report. It will show you the full command line that was used,
including all the options that were used for the scan. Some of these options may be due to default settings set through the
WHM UI. If the options are not what you expect or want, you should either change the default settings or explicitly override
them in the command you are running (i.e. in your cron job, interactive command line scan, or cxscgi.sh or cxsftp.sh scripts).
7. Make sure mod_security is actually enabled. In your
/usr/local/apache/conf/modsec2.cpanel.conf file, you should see the following line:
This should be set to "On", not "DetectionOnly".
8. We do not support using cxs mod_security webscript upload scanning
with alternative web servers such as Nginx or Litespeed, so if you are
using one of those and are having problems, you should either contact
the webserver developers, or enable Apache again.