WPwebbouw
Forum Replies Created
Forum: Plugins
In reply to: [Jetpack - WP Security, Backup, Speed, & Growth] Trojan.XFIZ-4 in plugin?
I was notified of this threat yesterday by a scan of my NAS Antivirus scanner. It concerns the file jetpack/modules/theme-tools/responsive-videos/responsive-videos.min.js. I examined the file and to me it looks like a false positive.
I noticed the NAS Antivirus definitions file was updated a few days ago, so there may be a newly added signature that matches a string inside this file, which is quite small by the way. The supposed threat was found in a backup dated 2016-11-29. The readme says it is Jetpack version 4.4.1. (stable tag)
Could the developer please check this file and confirm or reject the threat?
Erik
Forum: Plugins
In reply to: [MailPoet Newsletters (Previous)] Database tables starting with wp_wysija_sc_
Look here for a screenshot of the wysija tables in this install:
https://e-rikserver.nl/wysija-tables.png
Ah, I see. Thanks for explaining.
Erik
After a new scan all critical problems have disappeared. Still it would be nice if WF could find a solution for these false positives as they undermine my alertness for wf warnings I receive. I receive dozens of emails from wf daily for about 50 websites and if there’s a critical problem with a WP core file this should be such alarming news that I immediately want to go find out what’s happening. If in 99 of the cases these severe alerts are false positives I may get less attentive if one day a real modification passes by.
Hi Mark,
Thank you for your reply.
Hope that helps clarify what happened here.
As a matter of fact: no. Not really.
You make it seem as if the problem only applies to readme’s. As I wrote in my previous comment: the large number of false positives do not exclusively occur in readme’s.
And you haven’t explained how it is possible that so many false positives occur. It would really clarify things if you would describe the process that leads to those false positives. What exactly is being compared to what and when? Is this possibly related to the moment a plugin or theme is updated by the developer? Could I get fewer false positives if I waited a bit before updating? Or is it all due to developers not following the right procedures? If so, then which faults do they make?
Thank you Matt for your explanation. However, it does not make sense to me. As far as I understand the way Wordfence operates is it compares the files of WordPress core, themes and plugins against their originals in the WordPress repository. When a difference is found, Wordfence issues a warning. Very often these alterations are obviously applied by the developer. So how can it be those altered files are not in the repository? I can only guess this is caused by a developer who has forgotten to upload an altered file to the repository. But my guessing is not good enough. In our common quest to make websites more secure, a clear understanding of how things happen is key. That is why to me it is not sufficient if a Wordfence rep states that changes to readme files are usually ok. Especially when this occurs to a Wordfence readme file, as happened this morning, I want to know how it is possible such a difference can occur and why it so often occurs after an update. If anyone can analyze how this is possible it must be the Wordfence staff, especially in this case.
Please clarify what is causing the false positives, that occur strikingly often, but not exclusively, in readme files.
My main concern is that too many warnings undermine security, as I become less alarmed by them if nine out of ten times they concern a false positive.
@sebastien I encountered the same error on a client’s site. Installed the 3.02 version from Github and the error is gone; the checkout process proceeds normally.
Erik de Vries
wpwebbouw.nl
Same here as with @wpblogwriter. I noticed this afternoon Wordfence Activity notifications from 10 sites where I had re-imported the settings after the last bug that reset the settings. Checked one of the sites and there is no wordfence_email_activity_report in the scheduled jobs. Also the “Enable email summary” checkbox has not been turned back on.
I changed the settings less than 2 weeks ago. Could be these emails had already been scheduled then in a cron job that was not cancelled upon import.
Ok, I see. Accidents happen. Good to know you have pinpointed the cause and thanks for your reply. I will check the installations I manage.
Forum: Plugins
In reply to: [WP-dTree] Wordfence reports file differences
By the way, this is not about me needing help configuring my tools, this is about me informing you your plugin is subject to – probably false positive but nevertheless – warnings issued by a well-known security organisation that is widely respected in the WordPress community. If that is fine with you, all right.
Hi David,
I read your FAQ. It says: “The right way to perform this check would be by comparing your installed plugin with the plugin that was originally downloaded.” I seriously doubt that this would be the right way.
Did you or any other of the Updraftplus crew discuss this with the Wordfence guys? To me it seems impossible how they could distinguish which unversioned version a user has installed.
I think it would be far more easy for all parties involved if plugin publishers would stick to the rule that any change to any part of the published code means another version number. If changes are small, like the mentioning of another co-author in a readme file, then why wouldn’t you wait until the next update? Just collect those small and insignificant changes and publish them all in the next official version. I mean, what’s the point of making changes between versions if they are small and insignificant?
So your FAQ post does not convince me. I think making changes in a current version without changing the version number is bad practice.
Besides, it would be an impossible job for Wordfence to keep track of all undocumented changes plugin authors publish without changing version numbers. How could they possibly do that?
Erik
Works! Thank you Julio for the quick fix.
Erik
Forum: Reviews
In reply to: [underConstruction] Used be a 5 star until it was taken over by someone else.
Same experience here. How to f*ck up a previously perfect plugin. Thanks to mojowill I can continue to use the original spam free version. See https://www.ads-software.com/plugins/mojo-under-construction/
Deactivating and updating worked. Without deactivating I get the same error. Thread is not resolved.
The error made me wonder if Types will remain a free component…
Hi Mark,
Actually, I don’t think your theory holds.
What was happening, as I wrote in my earlier post, is that the alerted modified files were not part of the updated files as listed on the www.ads-software.com blog. So there is no coincidence, something else has modified these specific files (they are really modified) while it’s clear they are all harmlessly modified, so kind of false positive, as I get exactly the same warning on exactly the same files on at least 5 very different sites.
Question remains open.
Should I post some of the modifications here?
Best regards,
Erik