Moogento License File Protection · Updated 10 Jul 2026 · 7 min read

Moogento License File Protection: Why Malware Scanners Flag Moo.php (And How to Whitelist It)


Overview

Your host's malware scanner has flagged a Moogento file - usually Helper/Moo.php or Helper/Grassyfield.php - as suspicious.

Nothing is wrong. Your store has not been hacked.

A small number of files in every paid Moogento extension are encoded to protect license enforcement. Malware scanners such as Imunify360 (bundled with most cPanel hosting) look for encoded PHP as a heuristic, so these files can trigger a detection even though they are shipped, unmodified, by us.

The key point: These detections are expected. Add the files to your scanner's ignore list and the warnings stop. Do not let the scanner quarantine or "clean" them - that disables the extension.

This guide lists every encoded file, shows how to whitelist them in cPanel and Imunify360, and explains how to verify the files on your server are genuine.


Why Some Moogento Files Are Encoded

Paid Moogento extensions include a license check. To stop the check being edited out, the handful of files that implement it are encoded at build time and verify their own integrity when they run.

Scanners flag them because the encoding uses the same PHP constructs that real malware droppers use. The scanner cannot tell a licensed extension from an injected backdoor by pattern alone, so it errs on the side of reporting.

Three things distinguish the genuine files from malware:

  • They only exist at the exact paths listed below, shipped inside the extension package
  • They never change after installation - any modification makes the extension stop and report that the file was altered
  • You can verify them against our published integrity manifest at any time (see Verify the files are genuine)

Everything else in the extension - controllers, models, templates, JavaScript - is plain readable PHP. Only the license internals are encoded.


Which Files Are Encoded

Where the files live depends on how the extension was installed.

Composer installs (most common)

vendor/moogento/m2-<extension>/Helper/Moo.php
vendor/moogento/m2-<extension>/Helper/Grassyfield.php

For example vendor/moogento/m2-pickpack/Helper/Moo.php and vendor/moogento/m2-pickpack/Helper/Grassyfield.php. Some extensions ship only Moo.php.

The shared license component, installed with every paid extension:

vendor/moogento/m2-license/Helper/Data.php
vendor/moogento/m2-license/Crypt/PublicKey/Rsa.php
vendor/moogento/m2-license/Crypt/PublicKey/RsaOptions.php
vendor/moogento/m2-license/Service/KeyDataProvider/KeyDataProvider.php

PickNScan additionally encodes its per-user seat licensing:

vendor/moogento/m2-picknscan/Helper/License/AssignedUser/*.php
vendor/moogento/m2-picknscan/Helper/License/AssignedUser/Gateway/*.php

app/code installs

If the extension was installed by copying files rather than via Composer, the same files sit under app/code:

app/code/Moogento/<Extension>/Helper/Moo.php
app/code/Moogento/<Extension>/Helper/Grassyfield.php
app/code/Moogento/License/Helper/Data.php
app/code/Moogento/License/Crypt/PublicKey/Rsa.php
app/code/Moogento/License/Crypt/PublicKey/RsaOptions.php
app/code/Moogento/License/Service/KeyDataProvider/KeyDataProvider.php
app/code/Moogento/Picknscan/Helper/License/AssignedUser/*.php
app/code/Moogento/Picknscan/Helper/License/AssignedUser/Gateway/*.php

No other Moogento files are encoded. If a scanner flags a Moogento file outside these paths, treat it as a real detection and contact Moogento support with the scanner report.


Add the Files to the Imunify360 Ignore List

Imunify360 ignore entries are absolute paths and accept * wildcards.

From cPanel (your own account)

  1. In cPanel, open Imunify360.
  2. Open the Ignore List tab.
  3. Select Add new file or directory and add each pattern below, replacing /home/ACCOUNT/public_html with your account's document root:
/home/ACCOUNT/public_html/vendor/moogento/*/Helper/Moo.php
/home/ACCOUNT/public_html/vendor/moogento/*/Helper/Grassyfield.php
/home/ACCOUNT/public_html/vendor/moogento/m2-picknscan/Helper/License/AssignedUser/*
/home/ACCOUNT/public_html/vendor/moogento/m2-license/Helper/Data.php
/home/ACCOUNT/public_html/vendor/moogento/m2-license/Crypt/PublicKey/*
/home/ACCOUNT/public_html/vendor/moogento/m2-license/Service/KeyDataProvider/KeyDataProvider.php

For an app/code install, use these instead:

/home/ACCOUNT/public_html/app/code/Moogento/*/Helper/Moo.php
/home/ACCOUNT/public_html/app/code/Moogento/*/Helper/Grassyfield.php
/home/ACCOUNT/public_html/app/code/Moogento/Picknscan/Helper/License/AssignedUser/*
/home/ACCOUNT/public_html/app/code/Moogento/License/Helper/Data.php
/home/ACCOUNT/public_html/app/code/Moogento/License/Crypt/PublicKey/*
/home/ACCOUNT/public_html/app/code/Moogento/License/Service/KeyDataProvider/KeyDataProvider.php

If your Magento root is not public_html (many hosts deploy to a subfolder and point the domain at pub/), adjust the prefix to match - the part after the Magento root stays the same.

From the command line (server administrators)

Hosts managing multiple accounts can add server-wide wildcard patterns in one pass, as root:

for p in \
  "/home/*/public_html/vendor/moogento/*/Helper/Moo.php" \
  "/home/*/public_html/vendor/moogento/*/Helper/Grassyfield.php" \
  "/home/*/public_html/vendor/moogento/m2-picknscan/Helper/License/AssignedUser/*" \
  "/home/*/public_html/vendor/moogento/m2-license/Helper/Data.php" \
  "/home/*/public_html/vendor/moogento/m2-license/Crypt/PublicKey/*" \
  "/home/*/public_html/vendor/moogento/m2-license/Service/KeyDataProvider/KeyDataProvider.php" \
  "/home/*/public_html/app/code/Moogento/*/Helper/Moo.php" \
  "/home/*/public_html/app/code/Moogento/*/Helper/Grassyfield.php" \
  "/home/*/public_html/app/code/Moogento/Picknscan/Helper/License/AssignedUser/*" \
  "/home/*/public_html/app/code/Moogento/License/Helper/Data.php" \
  "/home/*/public_html/app/code/Moogento/License/Crypt/PublicKey/*" \
  "/home/*/public_html/app/code/Moogento/License/Service/KeyDataProvider/KeyDataProvider.php" \
; do imunify360-agent malware ignore add "$p"; done

The quotes matter - they stop the shell expanding * before Imunify360 stores the pattern. Verify with:

imunify360-agent malware ignore list

Note: the ignore list only covers the malware scanner. If Imunify360's Proactive Defense blocks one of these files at runtime, add the reported script path to Proactive Defense > Ignore List as well.

Other scanners

The same file lists work for any scanner that supports path exclusions - Maldet (/usr/local/maldetect/ignore_paths), ClamAV wrappers, MageReport-style external scans, and the built-in scanners in hosting panels such as Plesk. Whitelist the paths above; leave everything else scanned.


Verify the Files Are Genuine

You do not need to take our word for it. Every Moogento extension release publishes a SHA-256 manifest of its files, and the extension ships a verification command:

php bin/magento moogento:verify-integrity --module=<ExtensionName>

The command hashes every file in the installed extension - including the encoded ones - and compares them against the manifest for that exact version. Add --remote to also check against the canonical manifest published at moogento.com, so a tampered local manifest cannot hide a change. A clean result means every file on your server is byte-for-byte what we shipped.

Run it whenever a scanner report worries you, after restoring from backup, or as part of a security audit. Your host's security team can run it too - it is read-only.


If a File Was Already Quarantined

If the scanner quarantined or modified one of these files before you whitelisted it, the extension stops working - typically with a blank admin section for that extension, or the message "The file was modified" in logs or output.

To recover:

  1. Add the ignore-list entries above so it does not happen again.
  2. Restore the original file:
    • Composer install: run composer install (or composer require moogento/m2-<extension> again) to re-download the package, then php bin/magento setup:upgrade && php bin/magento cache:flush.
    • app/code install: re-download the extension zip from your Moogento account and re-copy the extension folder, then run the same two commands.
  3. Confirm the restore with php bin/magento moogento:verify-integrity --module=<ExtensionName>.

Do not restore a quarantined copy from the scanner's quarantine vault if it offers to "clean" the file first - a cleaned file is a modified file, and the extension will refuse to run it.


Is Moo.php a virus?

No. Moo.php (and Grassyfield.php) are the license-check helpers shipped inside every paid Moogento extension. They are encoded to prevent tampering, which is why malware scanners flag them. They exist only at the documented paths, never change after installation, and can be verified against our published integrity manifest with php bin/magento moogento:verify-integrity.

Can I delete Grassyfield.php or Moo.php?

No. Deleting either file breaks the extension - Magento's dependency injection expects the class, so pages that use the extension stop rendering. If a scanner already removed one, restore it by re-downloading the package as described in If a file was already quarantined.

Why can't I read the file contents?

The file body is intentionally encoded so the license check cannot be edited out. This is standard practice for commercial Magento extensions. Every other file in the extension is plain PHP you can read and audit, and the encoded files can be verified against our integrity manifest.

Will these files fail a PCI or security audit?

They should not, once documented. Auditors care about unexplained encoded code; these files are explained, inventoried at fixed paths, verifiable against a vendor-published manifest, and covered by this page. Share this guide and the output of php bin/magento moogento:verify-integrity with your auditor.

My scanner flagged a Moogento file not on this list - what now?

Treat it seriously. Only the paths on this page are encoded by us. A flagged Moogento file outside these paths could be a genuine compromise using our folder as camouflage. Run php bin/magento moogento:verify-integrity --module=<ExtensionName> and contact Moogento support with the scanner report - we will confirm quickly either way.