• Resolved BeoR4

    (@rr44)


    Hello,

    Is it possible to know which plugins are in the definitions list?

    That way we can work out if our core plugins will be protected by the MD5s or whatever it is you compare.

    Many thanks indeed!

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Eli

    (@scheeeli)

    I don’t put plugins on any definition list. The various threat definitions are used to identify malicious code in any file, regardless of what directory it’s in (plugins or otherwise).

    The definition white-list is used to omit files that match a safe md5 hash (these files may otherwise have been flagged as malware but later found to be safe).

    The Core Files definitions are used to compare WP Core Files with the original installation source and search for alterations to the files, but that feature does not extend to plugins or themes.

    Please let me know if you have any more questions.

    Ahaaa… I had the mental image of the plugin crowdsourcing MD5s of installed plugin versions and benchmarking individual installations against them to look for suspect plugins. I guess my mental image of the WordPress core comparison functionality is what made my mind make too many assumptions.

    Many thanks for expanding the detail.

    My mistake does sound like a good idea though! Pretty simple and bulletproof in what it would be limited to (esp. as you already have a large install base according to this site).

    Or am I missing something?

    Plugin Author Eli

    (@scheeeli)

    It’s not a bad idea, and I have considered it in the past. The biggest thing that keeps me from white-listing plugin files just because they match the origin install source is that there are sometimes plugins that contain malicious code or a security vulnerability in the source code that is available for download and the WordPress community (and sometimes the developer too) is unaware of the threat until it is discovered by another developer or a plugin like mine.

    There are also many plugin developers that do a poor job of maintaining the consistency of their own trunk and don’t know how to use the tags path correctly so it makes it hard for a 3rd-party like me to trust that the information in the repository correctly reflects the plugin files found on sites that have installed these plugins. It is also common for plugins to write new files into their own path after install and these cannot be assumed to be maliciously added or you would have too many false positives for that kind of scan to be trusted.

    Your thinking makes sense. A good idea in an impractically perfect world that doesn’t exist LoL

    But, thinking probabilistically, perhaps an alternative approach to “whitelisting” would be scoring? Less binary and would allow for this.

    I am not familiar enough with what you see. Your instincts will be able to interpret and contextualise what I am thinking. Might be just as irrelevant.

    Many thanks again

    Plugin Author Eli

    (@scheeeli)

    Those are good ideas. I have been wanting to integrate a ranking system for a while now but it would be a fundamental shift in my scan engine and I just haven’t had the time to prioritize it.

    More than understand 🙂
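
The scoring idea raised in this thread, sketched as an added example (not code from the plugin or its author): installed plugin files are compared with a reference hash manifest, and each mismatch adds a weight instead of producing a binary verdict. The weights, file names, sample contents and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib

# Assumed weights (not from the thread); higher means more suspicious.
WEIGHTS = {"modified": 5, "unknown_php": 3, "unknown_other": 1}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def score_plugin(installed, reference):
    """installed: relative path -> file bytes; reference: relative path -> expected hash."""
    findings = []
    for path, data in sorted(installed.items()):
        expected = reference.get(path)
        if expected is None:
            # Plugins often write files into their own path after install, so an
            # unlisted file is a weak signal; it weighs more when it is executable PHP.
            is_php = path.lower().endswith((".php", ".phtml"))
            kind = "unknown_php" if is_php else "unknown_other"
        elif sha256(data) != expected:
            kind = "modified"  # shipped file differs from the reference copy
        else:
            # A match adds no points but is NOT a whitelist entry: the reference
            # copy itself may carry malicious or vulnerable code, so the file
            # still goes through the normal threat-definition scan.
            continue
        findings.append((path, kind, WEIGHTS[kind]))
    return {"score": sum(w for _, _, w in findings), "findings": findings}

# Constructed sample data: a three-file plugin as published ...
ORIGINAL = {
    "demo-plugin.php": b"<?php /* Demo Plugin 1.0 */",
    "inc/util.php": b"<?php function demo_util() {}",
    "readme.txt": b"Demo Plugin",
}
REFERENCE = {path: sha256(data) for path, data in ORIGINAL.items()}

# ... and the same plugin as found on a site: one edited file, two new files.
INSTALLED = dict(ORIGINAL)
INSTALLED["inc/util.php"] = b"<?php function demo_util() {} /* edited */"
INSTALLED["cache/index.html"] = b""
INSTALLED["cache/loader.php"] = b"<?php /* written after install */"

def demo():
    return score_plugin(INSTALLED, REFERENCE)

if __name__ == "__main__":
    result = demo()
    for path, kind, weight in result["findings"]:
        print(f"{weight:>2}  {kind:<14} {path}")
    print("total score:", result["score"])
```
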
