Title: False positive in the NextScripts SNAP plugin. Last modified: March 9, 2018 --- # False positive in the NextScripts SNAP plugin. * Resolved [NextScripts](https://wordpress.org/support/users/nextscripts/) * (@nextscripts) * [8 years, 2 months ago](https://wordpress.org/support/topic/false-positive-in-the-nextscripts-snap-plugin/) * Why on earth this line that removes some utf-8 characters that make mysql complain from the string variable is a “KNOWN MALWARE THREAT”??? * `$s = preg_replace('/(?>[\x00-\x1F]|\xC2[\x80-\x9F]|\xE2[\x80-\x8F]{2}|\xE2\x80[\ xA4-\xA8]|\xE2\x81[\x9F-\xAF])/', ' ', $s);` * How it be even theoretically possible for the line that REMOVES some characters from the string variable to have anything to do with any kind of malware? * Please remove that from your definitions ASAP. Viewing 5 replies - 1 through 5 (of 5 total) * Thread Starter [NextScripts](https://wordpress.org/support/users/nextscripts/) * (@nextscripts) * [7 years, 11 months ago](https://wordpress.org/support/topic/false-positive-in-the-nextscripts-snap-plugin/#post-10337909) * Your latest definition is doing that again. * > Known Threats > !…/plugins/social-networks-auto-poster-facebook-twitter-g/inc/ > nxs_class_ntlist.php * If you click on “Potential threats in file: ( [1] )” it just selects the whol file? * What is that? Please **stop** finding NON-EXISTENT threats in our plugin. * Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/) * (@scheeeli) * [7 years, 11 months ago](https://wordpress.org/support/topic/false-positive-in-the-nextscripts-snap-plugin/#post-10338113) * I have installed your plugin on three of my test sites and scanned that file and your whole plugin against my current definitions and I cannot get it to come up as any kind of threat. Are you sure that the file you have has not been altered? * Can you please send me the file you have so I can check it? * Also, what threat does it say if found (hover over the numbered link “[1]” to see the threat name)? * Thread Starter [NextScripts](https://wordpress.org/support/users/nextscripts/) * (@nextscripts) * [7 years, 11 months ago](https://wordpress.org/support/topic/false-positive-in-the-nextscripts-snap-plugin/#post-10338174) * SNAP – Unmodified plugin latest version: 4.2.3 * PHP: 5.6.36 Apache WordPress: 4.9.6 Plugin: 4.17.58 Key: *** Registered to: *** Definitions: I5S8r No New Definition Updates Available. * Screenshots: [https://snag.gy/IbdZ5D.jpg](https://snag.gy/IbdZ5D.jpg) [https://snag.gy/UxXJuF.jpg](https://snag.gy/UxXJuF.jpg) * Hover says some nonsense: * > exec system passthru fwrite Variable Function REQUEST * Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/) * (@scheeeli) * [7 years, 11 months ago](https://wordpress.org/support/topic/false-positive-in-the-nextscripts-snap-plugin/#post-10338339) * Thanks for all that extra info. I was able to replicate this false positive on a server with PHP v5.6, it would seem that there is a difference in Regex interpretation in different versions of PHP. I am isolating the factors that contributed to this false identification now and I will release a new definition ASAP to fix this… * Just FYI, I can see that what you are doing in this file is not malicious, but the reason that it was such a close match was that you are using a Variable Function( i.e. $fnName($postID, $nto);) where $postID is set to a _POST variable (i.e. $postID = $_POST[‘id’];). * The combination of variable functions and posted values can be extremely dangerous and is frequently used by hackers to exploit WordPress sites, but I can tell that your code is not a threat and you are using this combo in a safe and responsible way. I am sorry for mislabeling your plugin as a threat and I appreciate you working with me to correct this issue (it’s hard to find all the bad guys and not occasionally point the finger in the wrong direction ;- ) * Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/) * (@scheeeli) * [7 years, 11 months ago](https://wordpress.org/support/topic/false-positive-in-the-nextscripts-snap-plugin/#post-10338407) * OK, I updated this definition and it does not match your usage any more. Please download the latest definition updates and check it in your version too and let me know if you have any other issues. I’m always happy to work with other developers to make WordPress and the web and safer place. Viewing 5 replies - 1 through 5 (of 5 total) The topic ‘False positive in the NextScripts SNAP plugin.’ is closed to new replies. * ![](https://ps.w.org/gotmls/assets/icon-256x256.png?rev=1001824) * [Anti-Malware Security and Brute-Force Firewall](https://wordpress.org/plugins/gotmls/) * [Frequently Asked Questions](https://wordpress.org/plugins/gotmls/#faq) * [Support Threads](https://wordpress.org/support/plugin/gotmls/) * [Active Topics](https://wordpress.org/support/plugin/gotmls/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/gotmls/unresolved/) * [Reviews](https://wordpress.org/support/plugin/gotmls/reviews/) * 5 replies * 2 participants * Last reply from: [Eli](https://wordpress.org/support/users/scheeeli/) * Last activity: [7 years, 11 months ago](https://wordpress.org/support/topic/false-positive-in-the-nextscripts-snap-plugin/#post-10338407) * Status: resolved