![\"What](\"https:\/\/www.youstable.com\/blog\/wp-content\/uploads\/2025\/12\/image-18.png\")
<\/figure>\n\n\n\ncxs (often miswritten as \u201cCSX\u201d) is a paid Linux malware scanner from ConfigServer designed primarily for cPanel\/WHM servers. It inspects files uploaded via<\/a> PHP, FTP, mail, and web interfaces, using signature and heuristic checks to catch web shells, backdoors, and code injections. cxs integrates with CSF\/LFD, ClamAV, Pure FTPd, and ModSecurity for real time detection and automated quarantine.<\/p>\n\n\n\n For single site setups or non cPanel servers, you can still use cxs via CLI, but its WHM plugin makes it most compelling on cPanel\/WHM.<\/p>\n\n\n\n Note: <\/strong>While cxs can run without cPanel, this installation guide focuses on the cPanel\/WHM path since that\u2019s the most common and user friendly approach.<\/p>\n\n\n\n cxs is a paid product sold directly by ConfigServer. Purchase one license per server and make sure your server\u2019s public IP is licensed. Keep your license credentials handy; you\u2019ll need them during installation.<\/p>\n\n\n\n The steps below assume AlmaLinux\/CloudLinux\/RHEL family with dnf. Substitute yum if you\u2019re on older CentOS.<\/p>\n\n\n\n If you don\u2019t have CSF\/LFD installed, consider adding it before cxs. CSF improves alerting and integration with cxs.<\/p>\n\n\n\n Use the official installer from ConfigServer. The URL below is commonly used; always verify the current download link with the vendor.<\/p>\n\n\n\n Follow on screen prompts. The installer will verify the license and set up the WHM plugin. If ClamAV is installed, cxs will use it for extra detection coverage.<\/p>\n\n\n\n Log in to WHM > Plugins > ConfigServer eXploit Scanner. From here you can configure scanning behavior, quarantine options, and integrations. This is the easiest place to manage cxs if you prefer not to use the CLI.<\/p>\n\n\n\n Start with quarantine enabled for dangerous file types (PHP shells, obfuscated scripts) and report only for low confidence patterns until you\u2019ve tuned false positives.<\/p>\n\n\n\n Enable cxs Watch to monitor user directories via inotify. This blocks malicious uploads as they appear. You can start and stop cxs Watch from the WHM plugin. If it fails to start on busy servers, increase inotify limits (see troubleshooting below).<\/p>\n\n\n\n These integrations improve catch rates but add overhead. Test performance during off peak hours and whitelist known safe file types or paths to reduce noise.<\/p>\n\n\n\n Even with real time scanning enabled, schedule daily or hourly scans to catch dormant malware and deep nested shells.<\/p>\n\n\n\n Adjust frequency, quarantine behavior, and reporting to fit your environment. Start conservatively and review reports frequently until you trust your tuning.<\/p>\n\n\n\n While WHM is simpler, cxs shines at the CLI for targeted scans and automation.<\/p>\n\n\n\n Tip: Start with report only scans to benchmark false positives, then enable quarantine on high confidence signatures or paths that frequently attract web shells (e.g., writable upload directories).<\/p>\n\n\n\n Prevent unnecessary alerts by excluding trusted paths and patterns. Use the cxs ignore files to whitelist known safe files, directories, users, or extensions.<\/p>\n\n\n\n Keep exclusions tight. Whitelisting broad directories undermines security. Revisit ignores as your stack evolves.<\/p>\n\n\n\n cxs is a detection and response layer. Pair it with strong patching, isolation (e.g., CageFS), and a secure web application firewall for maximum protection.<\/p>\n\n\n\n\n
\n\n\n\nWho should use cxs? (Search Intent: Is cxs right for me?)<\/h2>\n\n\n\n
\n
Requirements and Prerequisites<\/h2>\n\n\n\n
\n
Buy and License cxs<\/h2>\n\n\n\n
\n\n\n\nInstall cxs on a cPanel\/WHM Server: Step by Step<\/h2>\n\n\n\n
1) Update the server and install prerequisites<\/h3>\n\n\n\n
sudo dnf -y update\nsudo dnf -y install perl wget tar unzip\n# Optional but recommended: ClamAV (enable EPEL if needed)\nsudo dnf -y install epel-release\nsudo dnf -y install clamav<\/a> clamav-update\nsudo freshclam<\/code><\/pre>\n\n\n\n2) Download and run the cxs installer<\/h3>\n\n\n\n
cd \/usr\/src\nrm -f cxsinstaller.tgz\nwget https:\/\/download.configserver.com\/cxsinstaller.tgz\ntar -xzf cxsinstaller.tgz\ncd cxsinstaller\nsh install.sh<\/code><\/pre>\n\n\n\n3) Access the WHM plugin<\/h3>\n\n\n\n
\n\n\n\nCore Configuration in WHM (Recommended Settings)<\/h2>\n\n\n\n
Enable quarantine and alerting<\/h3>\n\n\n\n
\n
Real time upload scanning (cxs Watch)<\/h3>\n\n\n\n
Optional: ModSecurity and FTP integration<\/h3>\n\n\n\n
\n
\n\n\n\nScheduling Routine Scans (Cron)<\/h2>\n\n\n\n
# Example: nightly scan of all cPanel users with a report\n# Run as root: crontab -e\n0 3 * * * \/usr\/sbin\/cxs --cron --allusers --quarantine --report \/root\/cxs-nightly.txt --quiet<\/code><\/pre>\n\n\n\nCommand Line Basics (for power users)<\/h2>\n\n\n\n
# Help and options\ncxs --help\n\n# Scan a specific account or directory\ncxs --scan \/home\/username\/public_html --quarantine --report \/root\/cxs-username.txt\n\n# Real-time watch (example: monitor user homes)\ncxs --watch \/home\n\n# Stop the watch (use WHM plugin preferred)\n# Alternatively, identify the watch process and stop it during maintenance windows<\/code><\/pre>\n\n\n\nWhitelisting and Exclusions<\/h2>\n\n\n\n
# Common ignore files (examples)\n# Global paths and patterns to ignore\n\/etc\/cxs\/cxs.ignore\n\n# Users to ignore (be cautious with this)\n\/etc\/cxs\/cxs.ignore_user\n\n# Example entries (paths or regex-style patterns)\n# \/home\/username\/public_html\/cache\/\n# \/home\/username\/tmp\/\n# *.log\n# *.bak<\/code><\/pre>\n\n\n\nTroubleshooting and Performance Tips<\/h2>\n\n\n\n
\n
echo \"fs.inotify.max_user_watches=524288\" >> \/etc\/sysctl.conf\necho \"fs.inotify.max_user_instances=1024\" >> \/etc\/sysctl.conf\nsysctl -p<\/code><\/pre>\n\n\n\n\n
Security Hardening: Best Practices with cxs<\/h2>\n\n\n\n
\n
cxs vs. Alternatives (Imunify, Maldet, ClamAV)<\/h2>\n\n\n\n