• Resolved barnez

    (@pidengmor)


    Hi,

    I’ve been getting a number of false positives across a number of themes/plugins.

    The scan flags certain files as containing malware, but when I compare them (Notepad++) with the original 100% clean files in the WordPress repository they are exactly the same. I know these reports are clearly false positives and so there is no malware, but is there any way to relax the rule that is flagging these files? Or could you add a “whitelist unless the file changes” option, so after verifying as safe by comparing with the original files the site files can be set as safe? This would avoid them returning in future scans. Here are the files:

    
    2-{REX}PHP.array.concatenation.1: /home/xxxx/xxxx/wp-content/plugins/autodescription/inc/classes/core.class.php
    3-{REX}PHP.array.concatenation.1: /home/xxxx/xxxx/wp-content/plugins/shortcodes-ultimate/inc/core/tools.php
    4-{REX}PHP.array.concatenation.1: /home/xxxx/public_html/wp-content/plugins/autoptimize/classes/external/php/yui-php-cssmin-2.4.8-4_fgo.php
    5-{REX}PHP.array.concatenation.1: /home/xxxx/public_html/wp-content/plugins/autoptimize/classes/external/php/yui-php-cssmin-2.4.8-4.php
    9-{REX}PHP.array.concatenation.1: /home/xxxx/public_html/wp-content/themes/enfold/framework/php/function-set-avia-frontend.php
    
    • This topic was modified 7 years, 7 months ago by barnez.
  • Or could you add a “whitelist unless the file changes” option […]

    Wouldn’t it be better to fix the scanner so it doesn’t return this false positive? I just got the exact same “{REX}PHP.array.concatenation.1:” on a wp-rocket .php library file, and that file is clean.

    • This reply was modified 7 years, 7 months ago by jackelliott.
    Plugin Author nintechnet

    (@nintechnet)

    I’ll adjust the rule in the next release.
    It is better to use “File Check” for the detection of any modifications and changes and then, in case of issue, to run the “Anti-Malware”. Unlike anti-virus/anti-malware scanners, “File Guard” is 100% reliable: if there is a change, it will always be detected.

    Thread Starter barnez

    (@pidengmor)

    I’ll adjust the rule in the next release.

    Thanks!

    It is better to use “File Check” for the detection of any modifications and changes and then, in case of issue, to run the “Anti-Malware”.

    This is an excellent feature which I do use, but unless I update the File Check after each plugin/theme update then the detected changes include all the updated file changes and can make comparisons seem a bit more difficult. However, the more I think about it, plugin/theme updates usually only modify a few files, so really you are right, File Check should be my first tool for a comparison as it is so simple to carry out.

    Thanks for the feedback @nintechnet. I always use the “File Guard” and I have grown to see the emails after I update a plugin as a friendly reminder that everything is running as intended.

    I wanted to say thanks to you for always keeping on top of things. I reported a false positive some time ago and you included a fix in your next update which happened to be later that same day.

    I also want to report to you that I had this same finding in a malware scan today from the Woocommerce plugin. Which is how I found this thread. I’m not sure if this has the exact same cause (I suspect it may be a bit different which is why I can still see it) but I hope the extra info is of use.

    1-{REX}PHP.array.concatenation.1: /xx…xx/wp-content/plugins/woocommerce/includes/wc-formatting-functions.php
    2-{REX}PHP.array.concatenation.1: /xx…xx/wp-content/plugins/woocommerce/includes/gateways/simplify-commerce/class-wc-gateway-simplify-commerce.php

    Plugin Author nintechnet

    (@nintechnet)

    It is the same issue, you can safely ignore it. We’ll update the signatures in the next release of NinjaFirewall.

  • The topic ‘New false positives from malware scan for popular plugins/theme’ is closed to new replies.
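
Added example, not part of the thread and not NinjaFirewall's code: one way to implement the “whitelist unless the file changes” idea requested above. It records the SHA-256 of each flagged file that is byte-identical to a clean reference copy and suppresses the finding only while that hash is unchanged. The function names, directory layout and sample PHP files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash in chunks so large plugin files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_against_clean(flagged, site_root, clean_root):
    """Return {relative_path: sha256} for flagged files identical to the clean copy."""
    verified = {}
    for rel in flagged:
        site_file, clean_file = Path(site_root, rel), Path(clean_root, rel)
        if site_file.is_file() and clean_file.is_file():
            site_hash = sha256_file(site_file)
            if site_hash == sha256_file(clean_file):
                verified[rel] = site_hash
    return verified

def filter_findings(flagged, site_root, allowlist):
    """Suppress a finding only while the file still has its allowlisted hash."""
    def still_verified(rel):
        path = Path(site_root, rel)
        return path.is_file() and allowlist.get(rel) == sha256_file(path)
    return [rel for rel in flagged if not still_verified(rel)]

def demo():
    """Constructed sample: two flagged files, only one matches the clean copy."""
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = Path(tmp, "site"), Path(tmp, "clean")
        for root in (site, clean):
            (root / "plugin").mkdir(parents=True)
            (root / "plugin/tools.php").write_text("<?php $a = array('x');")
            (root / "plugin/core.php").write_text("<?php echo 'ok';")
        (site / "plugin/core.php").write_text("<?php echo 'changed';")
        flagged = ["plugin/tools.php", "plugin/core.php"]
        allow = verify_against_clean(flagged, site, clean)
        first = filter_findings(flagged, site, allow)
        # A later modification to the allowlisted file brings the finding back.
        (site / "plugin/tools.php").write_text("<?php /* edited */")
        second = filter_findings(flagged, site, allow)
        return sorted(allow), first, second

if __name__ == "__main__":
    print(demo())
```

A file with no clean reference copy is never allowlisted, so its finding keeps being reported until someone reviews it.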