If I may suggest something?
Maybe it would make sense to:
- separate the libs from the signatures (whatever they are),
- make the inclusion of the signature file conditional on it existing, and
- download it should it not be present?
Otherwise – would it make sense to encrypt these signatures (using something weak, why not) to obscure them from A/V software?
Hi @ellmanncreative, thanks for your message.
You don’t have to post specifics here on the forums like domain name or IP, but may I ask what server platform and/or host this is occurring with? If you’re aware of the A/V being used, this would also be helpful but I appreciate if it’s not a server you’re administering yourself that may not be known.
This would just assist with our ability to troubleshoot whether you’re using a host that doesn’t support Wordfence, or if there are already any known steps to avoid triggering the detection on wfUtils.
Thanks,
Peter.
Unfortunately, I don’t have that info – the site in question is being hosted by a service provider (I would name-drop, since it’s not a secret – but if we work out bypasses, I’d rather not paint a target at their back).
I can’t get you anything beyond basic info – and the interesting details are obscured. I know they use ProFTPd for the FTP server, but considering that package, it probably won’t tell you much. I have SSH access, but it’s very clearly jailed, so I can’t tell you much about it either.
I tried looking up the kernel version it’s running, but – no luck on that end; best I could get was that it’s probably associated with some sort of cloud-oriented distribution, which again tells us little.
Also, I have used WordFence with this server before (on multiple deployments; it’s our initial staging location). Haven’t had issues uploading WordFence there before, so it’s either a recent change or I haven’t uploaded a new site wholesale in a while. 😉
I could try uploading it zipped, see if that triggers or not… I could also try pulling the file via server-local means (instead of pushing it via FTP). But it doesn’t change the fact that the best solution would be one that fixes the issue on WF’s end (so that this doesn’t trigger). I would rather not have to take special measures like this every time I upload a site, after all.
Hi @ellmanncreative, thank-you for the extra information.
We’ve taken a look into this, along with the reports here of other customers experiencing the same problem.
We have attempted to make contact with Malware Expert, but we cannot say for sure a timescale on getting a response/resolution. In the mean time, we recommend any customers experiencing this to tell their host that this file is not malware, and they should not be removing it.
You can inform them that our plugin can be found at https://wordpress.org/plugins/wordfence/ if they need to verify the wfUtils.php files match the originals.
Thanks again,
Peter.
Did Malware Expert create an exception? Or did you guys change things?
Because it seems to be uploading fine right now, and I’m looking at WF version 7.9.2 still.
