It is very important whilst running a Magento 2 store, to perform regular malware scans. Although, it seems that most stores decide not to which is alarming. The current gold standard for scanning Magento 2 stores is Ecomscan by Sansec.io. They provide one of, if not the best, Magento specific scanning tools.
You can trigger one off scans very easily from the server CLI by running the following command and following the prompts. It even gives you the option to configured it via CRON for regular future runs.
curl "https://ecomscan.com" | sh
With a little bit of configuration, you can run it on a schedule and get reports/slack notifications if malware is detected, both in files and the database. It even covers Wordpress databases if your using Fishpig for your blog!
Although, not all Gems are without flaws. The big pain-point of Sansec Ecomscan is the price. Coming in at €200 per month for a regular single installation license, unfortunately makes it out of reach for a lot of smaller/medium sized Merchants. The agency discounts do drop it to a much more pallet amount, starting at €45eur per installation. But that depends if you got the scope to onboard at least 10 clients.
Sansec Ecomscan does provide a free trial version, which is definitely better than nothing. Some features are limited such as report type, slack notifications and most importantly it won’t tell you what malware/files are infected. Instead you get told how many malware samples was detected, their creation & modify timestamps, and if they was detected in the files or database scan.
I also use a simple Ansible playbook, that allows me to run Sansec Ecomscan against all the sites I manage from a single command. (Also via a scheduled GitHub action).
I find this a great way of running it, especially when working with short term contract clients.