1. Check that the alert emails are being sent and received. If you have --mail root in your command line, make sure you have set up a root forwarder (to a WORKING email address) in WHM > Change System Mail Preferences > root's email. Please note that you cannot set the root forwarder to "root" as this will set up a mail loop and root emails will never be delivered.
2. To ensure that cxs alert emails for web script uploads can be sent, the following two options in WHM > Tweak Settings should be disabled:
3. Make sure you have not whitelisted the cPanel account, domain, or cxs mod_security rule (1010101) in your mod_security configuration, for example using ConfigServer ModSecurity Control.
4. Make sure you only have one uncommented cxs command line in your cxscgi.sh file. For example, here both lines are uncommented:
    /usr/sbin/cxs --quiet --cgi --delete --logfile /var/log/cxs.log --cleanlog "$1"
    /usr/sbin/cxs --quiet --cgi --mail root --quarantine /home/quarantine/ \
    --logfile /var/log/cxs.log "$1"
You should comment out with a '#' the line you do NOT want to use, like this:
    # /usr/sbin/cxs --quiet --cgi --delete --logfile /var/log/cxs.log --cleanlog "$1"
    /usr/sbin/cxs --quiet --cgi --mail root --options mMOfSGchednwT \
    --quarantine /home/quarantine/ --logfile /var/log/cxs.log "$1"
(Note: The backslash (\) allows you to split a long command line onto two lines.)
5. Make sure the file permissions are correct on these files in /etc/cxs:
    cxs.xtra      644
    cxs.defaults  644
    cxs.ignore    644
    cxscgi.sh     755
    cxsftp.sh     755
6. Run your scan command line and carefully check the scan report. It will show you the full command line that was used, including all the options that were used for the scan. Some of these options may be due to default settings set through the WHM UI. If the options are not what you expect or want, you should either change the default settings or explicitly override them in the command you are running (i.e. in your cron job, interactive command line scan, or cxscgi.sh or cxsftp.sh scripts).
7. Make sure mod_security is actually enabled. In your /usr/local/apache/conf/modsec2.conf file, you should see the following line:
This should be set to "On", not "DetectionOnly".
8. We do not support using cxs mod_security webscript upload scanning with alternative web servers such as Nginx or Litespeed, so if you are using one of those and are having problems, you should either contact the webserver developers, or enable Apache again.
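
Steps 4 and 5 can be checked with a short script. The following is an added example, not part of cxs or of the original checklist. It assumes GNU stat and awk, and the function names count_active_cxs and check_cxs_perms are hypothetical. The sample cxscgi.sh it scans is constructed from the misconfigured example in step 4.

```shell
#!/bin/sh
# Added example (not ConfigServer's code): audit checklist steps 4 and 5.
# Assumes GNU stat and awk; file names and modes are those listed above.

# Count uncommented command lines that start /usr/sbin/cxs. A trailing
# backslash joins the next line, so a split command is counted once.
count_active_cxs() {
    awk '
        cont         { cont = ($0 ~ /\\$/); next }   # rest of a split command
        /^[ \t]*#/   { next }                        # commented out
        { if ($0 ~ /^[ \t]*\/usr\/sbin\/cxs[ \t]/) n++
          cont = ($0 ~ /\\$/) }
        END          { print n + 0 }
    ' "$1"
}

# Report files in directory $1 whose mode differs from the expected one.
# Returns 1 if any mismatch was found; files that do not exist are skipped.
check_cxs_perms() {
    bad=0
    for spec in cxs.xtra:644 cxs.defaults:644 cxs.ignore:644 \
                cxscgi.sh:755 cxsftp.sh:755; do
        f=$1/${spec%%:*}; want=${spec##*:}
        [ -e "$f" ] || continue
        have=$(stat -c '%a' "$f")
        if [ "$have" != "$want" ]; then
            echo "$f: mode $have, expected $want"
            bad=1
        fi
    done
    return "$bad"
}

# Demo on a constructed copy of the misconfigured script from step 4.
demo=$(mktemp -d)
cat > "$demo/cxscgi.sh" <<'EOF'
#!/bin/sh
/usr/sbin/cxs --quiet --cgi --delete --logfile /var/log/cxs.log --cleanlog "$1"
/usr/sbin/cxs --quiet --cgi --mail root --quarantine /home/quarantine/ \
    --logfile /var/log/cxs.log "$1"
EOF
chmod 644 "$demo/cxscgi.sh"                  # wrong on purpose: should be 755
echo "active cxs commands: $(count_active_cxs "$demo/cxscgi.sh")"
check_cxs_perms "$demo" || echo "fix the modes listed above"
rm -rf "$demo"
```

On a live server, call count_active_cxs /etc/cxs/cxscgi.sh and check_cxs_perms /etc/cxs instead of the demo section; a count other than 1 means step 4 needs attention.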