The Files page is the core of the Monarx Antivirus suite. While our RASP service (ThreatShield) monitors live execution, the Files page focuses on on-disk security. Our AI Engine continuously scans your file systems to catalogue and neutralize threats before they can even be triggered.
Understanding File Classifications
Monarx categorizes on-disk findings into three distinct levels of risk:
MALICIOUS: Files designed with 100% harmful intent, such as standalone web shells, backdoors, or ransomware.
COMPROMISED (Injections): Legitimate files (like a WordPress core file) that have been "injected" with a snippet of malicious code.
PUA (Potentially Unwanted Application): Software that may not be strictly "malware" but is often used for gray-hat activities, such as file managers, miners, proxy scripts, or tools that decrease server performance.
Reporting and Data Export
If you need to perform an external audit or provide a list of infected files to a customer, the dashboard makes it simple.
Click the download button on the top right to generate a comprehensive CSV report of all catalogued files currently visible in your filtered view.
In the sidebar dialog that opens, choose whether to download all records or only the last 5000 records. Then enter a name and description and click SUBMIT to generate and download the report.
The File Analytics Table
Every file identified by the AI Engine is logged with extensive metadata to help you perform forensics. The default columns include:
Discovered: The date and time the file was first identified on the disk.
Event Type: The current status of the file within the Monarx lifecycle:
  Discovered: The file is identified but no action has been taken yet.
  Quarantined: The file has been moved to a secure, non-executable folder.
  Deleted: The file has been removed from the server.
  Cleaned/Overwritten: Malicious code was stripped out, or the file was replaced with a known-safe version.
Classification: The risk level (Malicious, Compromised, or PUA).
User: The Linux system user who owns the file on the server.
Path: The absolute directory path to the file.
URL: If the file was accessed via the web, the specific URL used.
Client IP: The IP address of the visitor who last interacted with this file (if available).
Size: The size of the file on the disk.
SHA256: The unique digital fingerprint (hash) of the file.
Event ID: The unique tracking number for this specific detection.
Advanced Filtering & Use-Cases
With dozens of filters available (including Path, User, SHA256, and Event Type), you can pinpoint exactly what is happening in your environment.
5 Use-Case Examples for File Forensics:
Mass Cleanup Verification: Filter by Event Type: Cleaned and Discovered: [Last 24 Hours] to generate a report for a client showing exactly how many files Monarx automatically fixed for them today.
Identifying "Patient Zero": If a specific user is constantly getting reinfected, filter by User: [Username] and Classification: Malicious. This helps you see if they have a hidden directory full of backdoors.
Tracking CMS Vulnerabilities: Filter by Path: */wp-content/uploads/* and Extension: .php. Since PHP files should rarely exist in an uploads folder, this quickly finds "hidden" shells uploaded through vulnerable plugins.
Global Threat Hunt: If you find a suspicious file on one server, copy its SHA256 and filter your entire company fleet by that hash. This reveals if the same attacker has placed that exact file on other servers.
Audit PUA Impact: Filter by Classification: PUA. This is excellent for hosting providers who want to find users running "resource-heavy" scripts like crypto-miners that aren't technically malware but might violate Terms of Service of hosting companies.
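The same use-cases can be re-run offline against an exported CSV report. The script below is an added example, not Monarx code: it assumes the CSV header names match the dashboard column names (Event Type, Classification, User, Path, SHA256), uses constructed sample rows with placeholder hashes, and compares hashes across users within one export rather than across a fleet.

```python
import csv
import io
from collections import Counter, defaultdict
from fnmatch import fnmatchcase

# Constructed sample export. Header names are an assumption: they mirror the
# dashboard column names, which the real CSV may spell differently.
SAMPLE_CSV = """Event Type,Classification,User,Path,SHA256
Discovered,Malicious,alice,/home/alice/public_html/wp-content/uploads/2024/x.php,aaa111
Quarantined,Malicious,alice,/home/alice/public_html/.cache/b.php,bbb222
Cleaned,Compromised,bob,/home/bob/public_html/wp-includes/load.php,ccc333
Discovered,Malicious,bob,/home/bob/public_html/wp-content/uploads/y.php,aaa111
Discovered,PUA,carol,/home/carol/public_html/fm.php,ddd444
Discovered,Malicious,alice,/home/alice/public_html/wp-content/uploads/logo.png,eee555
"""

def load_rows(text):
    """Parse the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def php_in_uploads(rows):
    """Use-case: Path */wp-content/uploads/* with a .php extension."""
    return [r["Path"] for r in rows
            if fnmatchcase(r["Path"], "*/wp-content/uploads/*")
            and r["Path"].lower().endswith(".php")]

def malicious_per_user(rows):
    """Use-case: count Malicious findings per Linux user (reinfection check)."""
    return Counter(r["User"] for r in rows
                   if r["Classification"].strip().lower() == "malicious")

def shared_hashes(rows):
    """Use-case: SHA256 values that appear under more than one user."""
    owners = defaultdict(set)
    for r in rows:
        owners[r["SHA256"]].add(r["User"])
    return {h: sorted(u) for h, u in owners.items() if len(u) > 1}

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("PHP in uploads:", php_in_uploads(rows))
    print("Malicious per user:", malicious_per_user(rows).most_common())
    print("Hashes shared across users:", shared_hashes(rows))
```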
💡 Useful Tip: If you have a specific use-case or have questions on how to use the multiple filters to drill down to the exact information that you're looking for, do not hesitate to contact our Support team.



