CXS does not seem to be detecting files uploaded via web scripts. What should I check to find out why it's not working?

1. Check that the alert emails are being sent and received. If you have --mail root in your command line, make sure you have set up a root forwarder (to a WORKING email address) in WHM > Change System Mail Preferences > root's email. Please note that you cannot set the root forwarder to "root" as this will set up a mail loop and root emails will never be delivered.

To ensure that cxs alert emails for web script uploads can be sent, the following two options in WHM > Tweak Settings should be disabled:

• Track email origin via X-Source email headers > Should be OFF
• Prevent "nobody" from sending mail > Should be OFF

2. Set up logging (see FAQ) and tail the log as you do some testing (see FAQ). Make sure you chmod your logfile 666.

3. Make sure you have not whitelisted the cPanel account, domain, or cxs mod_security rule (1010101) in your mod_security configuration, for example using ConfigServer ModSecurity Control.

4. Make sure you only have one uncommented cxs command line in your cxscgi.sh file. For example, here both lines are uncommented:

/usr/sbin/cxs --quiet --cgi --delete --logfile /var/log/cxs.log --cleanlog "$1"
/usr/sbin/cxs --quiet --cgi --mail root --quarantine /home/quarantine/ \
        --logfile /var/log/cxs.log "$1"

You should comment out with a '#' the line you do NOT want to use, like this:

# /usr/sbin/cxs --quiet --cgi --delete --logfile /var/log/cxs.log --cleanlog "$1"
/usr/sbin/cxs --quiet --cgi --mail root --options mMOfSGchednwT \ 
        --quarantine /home/quarantine/ --logfile /var/log/cxs.log "$1"

(Note: The backslash (\) allows you to split a long command line onto two lines.)

5. Make sure the file permissions are correct on these files in /etc/cxs:

cxs.xtra      644
cxs.defaults  644
cxs.ignore    644
cxscgi.sh     755
cxsftp.sh     755

6. Run your scan command line and carefully check the scan report. It will show you the full command line that was used, including all the options that were used for the scan. Some of these options may be due to default settings set through the WHM UI. If the options are not what you expect or want, you should either change the default settings or explicitly override them in the command you are running (i.e. in your cron job, interactive command line scan, or cxscgi.sh or cxsftp.sh scripts).

7. Make sure mod_security is actually enabled. In your /usr/local/apache/conf/modsec2.cpanel.conf file, you should see the following line:

SecRuleEngine On

This should be set to "On", not "DetectionOnly".

8. We do not support using cxs mod_security webscript upload scanning with alternative web servers such as Nginx or Litespeed, so if you are using one of those and are having problems, you should either contact the webserver developers, or enable Apache again.