Can you please reply?
Just need to know if what “Imunify AV” is finding is a “false-positive”, or not.
“HEUR” indicates a heuristic check, which may be related to a virus, but not for sure.
Can you share the string that was matched in the plugin code? This troubleshooting guide may help.
Did this start from version 6.1.4?
Also, if you can post your debug information from the support tab via pastebin.com (feel free to redact some if you like), we can verify whether you have the official binaries that are included with the plugin. But a false positive would not be at all surprising, given our past experience with AV scanners.
Unfortunately, the code we see is obfuscated, and cannot be copied.
But here are the TEN (10) COMMON paths that have been consistently logged in various websites:
/public_html/wp-content/ewww/jpegtran
/public_html/wp-content/plugins/ewww-image-optimizer/binaries/cwebp-fbsd
/public_html/wp-content/plugins/ewww-image-optimizer/binaries/cwebp-linux
/public_html/wp-content/plugins/ewww-image-optimizer/binaries/cwebp-sol
/public_html/wp-content/plugins/ewww-image-optimizer/binaries/jpegtran-fbsd
/public_html/wp-content/plugins/ewww-image-optimizer/binaries/jpegtran-linux
/public_html/wp-content/plugins/ewww-image-optimizer/binaries/jpegtran-sol
/public_html/wp-content/plugins/ewww-image-optimizer/binaries/pngquant-fbsd
/public_html/wp-content/plugins/ewww-image-optimizer/binaries/pngquant-linux
/public_html/wp-content/plugins/ewww-image-optimizer/binaries/pngquant-sol
=============
REASON : php_malware.id_
=============
Please upload the plugin to a website and then use “Imunify AV” to scan the C-Panel account via the server’s WHM.
=============
Just need to know if what “Imunify AV” is finding is a “false-positive”, or not.
Look forward to your reply.
Without the debug information, I can’t tell you for sure whether it’s a false positive. But unless all your sites have been hacked, it probably is a false positive.
What is your result when you scan a C-Panel account using “Imunify AV”?
I don’t have a cPanel account with Imunify AV and I’ve never even heard of Imunify AV until you mentioned it. Regardless, the only way to know that your binaries are safe is to verify the checksums. Until you post the debug information which contains those, we cannot verify that the binaries are the same ones I compiled and distributed with the plugin.
Alternatively, you can check them yourself against the authoritative list here: https://github.com/nosilver4u/ewww-image-optimizer/blob/c6badae0b203da1fcbb73a0319a9c2d4b4d554a0/unique.php#L1043
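The checksum check described in the last reply, as an added example that is not part of the thread or the plugin's own code. It assumes the reference list consists of SHA-256 hex digests pasted as text; the function names and the stand-in files are hypothetical and constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def sha256_of(path):
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def load_allowlist(text):
    """Pull every 64-hex-digit token out of pasted text (assumed SHA-256 digests)."""
    sums = {m.lower() for m in re.findall(r"\b[0-9a-fA-F]{64}\b", text)}
    if not sums:
        # Fail closed: an empty list must not be mistaken for a usable reference.
        raise ValueError("no SHA-256 digests found in the reference list")
    return sums

def audit_binaries(directory, allowlist):
    """Return {filename: 'match' | 'UNKNOWN' | 'skipped'} for one directory."""
    report = {}
    for p in sorted(Path(directory).iterdir()):
        if p.is_symlink() or not p.is_file():
            report[p.name] = "skipped"   # only hash regular files found in place
        elif sha256_of(p) in allowlist:
            report[p.name] = "match"
        else:
            report[p.name] = "UNKNOWN"   # not listed: modified, or from another release
    return report

def demo():
    """Constructed data: two stand-in files, one listed and one not."""
    with tempfile.TemporaryDirectory() as d:
        good, other = Path(d, "cwebp-linux"), Path(d, "jpegtran-linux")
        good.write_bytes(b"constructed stand-in for a shipped binary")
        other.write_bytes(b"constructed stand-in with different content")
        # Shaped like a line copied from a PHP array of checksums (assumption).
        reference = "    '%s',\n" % sha256_of(good)
        return audit_binaries(d, load_allowlist(reference))

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

On a real site, pass the plugin's `binaries` directory to `audit_binaries` along with the text of the list copied from the link above. An `UNKNOWN` result means the file is not in that list and should be compared against a fresh copy of the plugin before being trusted.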