• YARA scan shows this plugin’s files as a webshell… in /wp-snapshots/XYZ…BAK_(long-identifier)_installer.php

    I’m thinking this is a false positive, and is secure as long as someone doesn’t guess that long identifier and decide to call a backup restore somehow?

Viewing 1 replies (of 1 total)
  • Plugin Support mohammedeisa

    (@mohammedeisa)

    Hi @programmin ,

    Thanks for flagging this.

    This is a false positive. Duplicator’s installer.php is a legitimate restore script that gets flagged by security scanners because it has powerful capabilities by design (file access, database interaction, etc.), the same traits scanners look for in webshells.

    A couple of things worth noting:

    • The /wp-snapshots/ directory you’re seeing is from an older version of Duplicator — it no longer exists in current releases. This suggests your plugin is out of date.
    • Duplicator includes a cleanup step at the end of the restore process that removes the installer and archive files. If you see an installer.php sitting around, make sure you complete that cleanup step after any restore.

    We’d recommend updating Duplicator to the latest version to get the most recent security improvements and stay on the supported path.

    Hope that helps!
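The reply above describes a cleanup step that should remove the installer and archive files once a restore is complete. The script below is an added example, not part of the thread and not Duplicator's own code: it walks a WordPress tree and reports any leftover restore script or archive that a finished restore should no longer have left in the web root. The name installer.php and the legacy /wp-snapshots/ directory come from the thread; the archive extensions (.zip, .daf), the rule that archives only count when they sit in the legacy directory or beside an installer, and the sample file tree are assumptions constructed for the example.

```python
import tempfile
from pathlib import Path

INSTALLER_NAME = "installer.php"          # from the thread: Duplicator's restore script
ARCHIVE_SUFFIXES = (".zip", ".daf")       # assumption: archive extensions to look for
LEGACY_DIRS = {"wp-snapshots"}            # from the thread: older Duplicator location


def find_leftover_restore_files(root):
    """Return sorted (kind, relative_path) pairs for files a completed restore
    should have cleaned up: installer scripts anywhere in the tree, and archives
    that live in the legacy snapshot directory or next to an installer."""
    root = Path(root)
    files = [p for p in root.rglob("*") if p.is_file()]

    # Both a bare installer.php and the "<id>_installer.php" form seen in the thread.
    installers = [
        p for p in files
        if p.name.lower() == INSTALLER_NAME
        or p.name.lower().endswith("_" + INSTALLER_NAME)
    ]
    installer_dirs = {p.parent for p in installers}
    hits = [("installer", p.relative_to(root).as_posix()) for p in installers]

    for p in files:
        if p.suffix.lower() not in ARCHIVE_SUFFIXES:
            continue
        rel = p.relative_to(root)
        in_legacy = any(part in LEGACY_DIRS for part in rel.parts)
        # Archives elsewhere (e.g. wp-content/uploads) are ordinary site content.
        if in_legacy or p.parent in installer_dirs:
            hits.append(("archive", rel.as_posix()))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample WordPress tree for the example; not real site data."""
    sample = {
        "index.php": "<?php // normal WordPress front controller\n",
        "installer.php": "<?php // leftover restore script at the web root\n",
        "site_archive.daf": "constructed archive bytes",
        "wp-snapshots/abc123_installer.php": "<?php // legacy-location installer\n",
        "wp-snapshots/abc123_archive.zip": "constructed archive bytes",
        "wp-content/uploads/2024/photo.zip": "unrelated upload, must not be flagged",
    }
    for rel, body in sample.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_leftover_restore_files(tmp)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:9s} {rel}")
```

Run it against a real install as find_leftover_restore_files("/var/www/html") (path is an assumption). Anything it reports should be deleted or moved outside the web root rather than left behind; the script only locates the files, it does not judge whether a given installer.php is Duplicator's or something else, so inspect before deleting.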

