Error loading signatures in Anti-Malware feature

I completely control the servers.

In the /nfwlog/cache folder are the following files

nfdbhash.1.php
index.html
livelog.php

When I run the livelog this file is added

livelogrun.php and results show in the livelog window

If you have root access, it is easy to monitor what’s going on.
Install inotify-tools:

-Debian (incl. Ubuntu, Mint etc):

# apt-get install inotify-tools

– Red Hat (incl. CentOS):

# yum --enablerepo=epel -y install inotify-tools

Then, monitor file creation, modification and deletion in the /nfwlog/cache/ folder:

$ inotifywait -me create,modify,close_write,delete /full/path/to/wp-content/nfwlog/cache/

Replace /full/path/to/wp-content/nfwlog/cache/ with the correct path.
Leave the terminal open, go to the Anti-Malware page and run the scan.
Afterwards, press ‘CTRL-C’ in your terminal and simply post the results here.

Setting up watches.
Watches established.

Nothing happens

Try to monitor accesses only:

$ inotifywait -me access /full/path/to/wp-content/nfwlog/cache/

And also, try to monitor accesses to the signature files /ninjafirewall/lib/share/sigs.txt (make sure the sigs.txt is located inside that folder):

$ inotifywait -me access /full/path/to/wp-content/plugins/ninjafirewall/lib/share

Setting up watches.
Watches established.
wordpress/wp-content/nfwlog/cache/ ACCESS nfdbhash.1.php

And for the ../lib/share folder nothing happens

Setting up watches.
Watches established.

Does the /ninjafirewall/lib/share/sigs.txt exist? Because there is not even an attempt to open it for reading.

You can try to monitor accesses to the whole NinjaFirewall’s folder (recursively):

$ inotifywait -mre access,open /full/path/to/wp-content/plugins/ninjafirewall/

The /ninjafirewall/lib/share/sigs.txt certainly exists.

Selecting the Linux Malware Detect + NinjaFirewall signature and then pressed the Scan button:

inotifywait -mre access,open .../wordpress/wp-content/plugins/ninjafirewall/
Setting up watches.  Beware: since -r was given, this may take a while!
Watches established.
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN firewall.php
.../wordpress/wp-content/plugins/ninjafirewall/ OPEN ninjafirewall.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN nfw_misc.php
.../wordpress/wp-content/plugins/ninjafirewall/ OPEN,ISDIR
.../wordpress/wp-content/plugins/ninjafirewall/ OPEN uninstall.php
.../wordpress/wp-content/plugins/ninjafirewall/ ACCESS uninstall.php
.../wordpress/wp-content/plugins/ninjafirewall/ OPEN ninjafirewall.php
.../wordpress/wp-content/plugins/ninjafirewall/ ACCESS ninjafirewall.php
.../wordpress/wp-content/plugins/ninjafirewall/ OPEN install.php
.../wordpress/wp-content/plugins/ninjafirewall/ ACCESS install.php
.../wordpress/wp-content/plugins/ninjafirewall/ OPEN help.php
.../wordpress/wp-content/plugins/ninjafirewall/ ACCESS help.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN firewall.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN fw_malwarescan.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN firewall.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN fw_malwarescan.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN firewall.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN fw_malwarescan.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN firewall.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN fw_malwarescan.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN firewall.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN fw_malwarescan.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN firewall.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN fw_malwarescan.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN firewall.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN fw_malwarescan.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN firewall.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN fw_malwarescan.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN firewall.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN fw_malwarescan.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN firewall.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN fw_malwarescan.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN firewall.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN fw_malwarescan.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN firewall.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN fw_malwarescan.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN firewall.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN fw_malwarescan.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN firewall.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN fw_malwarescan.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN firewall.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN fw_malwarescan.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN firewall.php
.../wordpress/wp-content/plugins/ninjafirewall/ OPEN ninjafirewall.php
.../wordpress/wp-content/plugins/ninjafirewall/lib/ OPEN nfw_misc.php
.../wordpress/wp-content/plugins/ninjafirewall/ OPEN,ISDIR
.../wordpress/wp-content/plugins/ninjafirewall/ OPEN uninstall.php
.../wordpress/wp-content/plugins/ninjafirewall/ ACCESS uninstall.php
.../wordpress/wp-content/plugins/ninjafirewall/ OPEN ninjafirewall.php
.../wordpress/wp-content/plugins/ninjafirewall/ ACCESS ninjafirewall.php
.../wordpress/wp-content/plugins/ninjafirewall/ OPEN install.php
.../wordpress/wp-content/plugins/ninjafirewall/ ACCESS install.php
.../wordpress/wp-content/plugins/ninjafirewall/ OPEN help.php
.../wordpress/wp-content/plugins/ninjafirewall/ ACCESS help.php

It is not found in the list.
The firewall looks for it twice:
-When loading the Anti-Malware page. It finds it because it does not display any error message.
-When running the scan. It does not find it.

Both use the same script and same constant, /lib/nf_sub_malwarescan.php line 36:

define('MSC_LMD_SIGS', __DIR__ . '/share/sigs.txt' );

Can you try to replace __DIR__ . with the full path to the script:

define('MSC_LMD_SIGS', '/full/path/to/share/sigs.txt' );

Changed it, but no difference, same output

Maybe an issue with wp-cron?
Make sure that, when you run the scan, you have a similar doing_wp_cron line before the multiple admin-ajax.php calls in your HTTP access log:

"POST /wp-cron.php?doing_wp_cron=xxxxxxx HTTP/1.0"
"POST /wp-admin/admin-ajax.php HTTP/1.1"
"POST /wp-admin/admin-ajax.php HTTP/1.1"
"POST /wp-admin/admin-ajax.php HTTP/1.1"
...

No wp-cron job there. I did not disable cron in wp-config file.

That’s your problem: NinjaFirewall spawns a cron to run the scanning process. It is ran immediately, not scheduled, which means it does not matter if cron is disabled or not.
You need to find out why wp-cron.php is not triggered and to fix it.

I really do not know why the cronjob is not working. I have defined the alternate cron in wp-config.php

define('ALTERNATE_WP_CRON', true);

Now the

"POST /wp-cron.php?doing_wp_cron=xxxxxxx HTTP/1.1"

is running.

But still the same error in running the scan

This does not work and returns the same error message as yours

define('ALTERNATE_WP_CRON', true);

This works:

define('ALTERNATE_WP_CRON', false);

I’ll have to check if/how we can make it works with the ALTERNATE_WP_CRON.

Ok tnx, wait for that. I really do not know how to make sure the cron spawn works as for some reason this does not work anymore on several wordpress installations on different servers

I have a question about using cron in your code.
Why do you need it to execute the scan?