Watcher mode
In this mode home directory or the document root of all user accounts are monitored for any changes. inotify tools are used in the plugin to watch entire directory trees recursively. When a file is modified, uploaded or created this change is detected by the plugin and the corresponding file is scanned using ClamAV. This means that no matter how the files are uploaded, ie via FTP or HTTP, or even if the files are copied over to the server, these files are immediately scanned and if malicious files are detected they are automatically removed by the plugin.
This mode can be enabled in any server irrespective of the webserver or FTP server used. This is because the plugin constantly monitors for any changes in the server and does not depend on webserver or ftp server to detect the uploaded files.
Watcher Mode Options
Select Entire home directory to monitor /home or select public_html to monitor only the document root of all user accounts.
The scan reports of all created, modified and moved files that are being monitored can be found under Watch log tab.
Filter mode
In this mode files uploaded through HTTP and FTP are monitored to detect and remove any malicious files. HTTP filtering uses mod_security and hence mod_security must be installed in the server for this mode to work. This mode is best suited for the servers where Apache is the default webserver.
Filter Mode Options
Select the FTP server used, ie either PureFTPd or ProFTPD.
There is also an option to disable HTTP filter as well as FTP filter.
Uncheck HTTP/FTP filter to disable it.
Files uploaded through HTTP and FTP can be found under HTTP tab and FTP tab respectively in the plugin interface.
Rejected tab in the interface shows all the malicious files that have been detected and rejected by the plugin.