Hello,
A nice feature would be to block the IP that uploaded the malicious file, like pure-uploadscript or mod_security rules. This might be done with logic similar to this (I think):
1) cxswatch sees a virus or fingerprint
2) Check /var/log/messages (last X lines) to see if the same filename was uploaded via FTP
3) Check /usr/local/apache/domlogs/username/* (last X lines) to see which IP performed a POST at that second
4) Block that IP
Blocking IP while using cxswatch
Re: Blocking IP while using cxswatch
If you want FTP or HTTP blocking then you need to use those options already available in cxs, i.e. the pure-ftpd hook and the ModSecurity hook.
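
The log correlation proposed in step 3 of the first post, as an added example that is not part of the thread and is not cxs code: it matches POST requests in Apache combined-format log lines against a detection time and names an IP only when exactly one client matches. The log lines, timestamps, one-second window and function names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample domlog lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2024:10:15:03 +0000] "POST /upload.php HTTP/1.1" 200 312 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Mar/2024:10:15:09 +0000] "POST /contact.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [12/Mar/2024:10:15:09 +0000] "POST /upload.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
]
# Constructed detection times, standing in for when the watcher flagged a file.
DETECT_SINGLE = datetime(2024, 3, 12, 10, 15, 3, tzinfo=timezone.utc)
DETECT_AMBIGUOUS = datetime(2024, 3, 12, 10, 15, 9, tzinfo=timezone.utc)


def post_candidates(log_lines, detected_at, window_seconds=1):
    """Return {ip: [paths]} for POSTs logged in the window ending at detected_at."""
    start = detected_at - timedelta(seconds=window_seconds)
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line or not an upload-capable request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if start <= ts <= detected_at:
            hits.setdefault(m["ip"], []).append(m["path"])
    return hits


def ip_to_block(log_lines, detected_at, window_seconds=1):
    """Return the one matching IP, or None when zero or several clients match."""
    hits = post_candidates(log_lines, detected_at, window_seconds)
    # Several clients posting in the same second cannot be told apart from
    # timestamps alone, so refuse to pick one rather than block a bystander.
    return next(iter(hits)) if len(hits) == 1 else None


if __name__ == "__main__":
    print(ip_to_block(SAMPLE_LOG, DETECT_SINGLE))
    print(ip_to_block(SAMPLE_LOG, DETECT_AMBIGUOUS))
```

The second detection time shows the limit of timestamp matching: two clients posted in the same second, so the function returns no IP.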