Malware Scan

What is Malware Scanning?

Malware scanning checks file content for patterns associated with known malware code. Malware code is usually obfuscated in various ways and is not directly readable. When you look at a malware-infected file, the infected part is usually easy for a human to spot, but automated tools can have a hard time deciding whether a given piece of code is malware or not.

Malware scanning needs a database of known malware patterns; coreSecurity ships with such a database, and it is updated often.

How does malware scanning work?

Malware scanning takes the content of a file and runs a series of checks against it (direct string comparisons and regular expressions) to determine whether the file contains one or more suspicious code blocks. Every detection is logged together with the file, the triggered pattern and its explanation, and, where possible, the exact location (offset and line) in the file where the match was found.

Currently, the plugin contains over 400 different patterns for checking files for malware. This list is updated regularly so that newly discovered malware can be detected.

The scan process takes into account only PHP files (extensions: .php, .phtml, .php3, .php4, .php5, .inc). Files with any other extension are not scanned even if they contain PHP code, so a payload stored in, for example, a .txt or image file and pulled in through include() would not be reported by this scan.
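The following is an added example, not code from the plugin, of the scan loop the paragraphs above describe: an extension filter, a mix of direct string comparisons and regular expressions, and a detection record that carries the file, the pattern name, its explanation and the offset and line of the match. The pattern set, the sample PHP content and all names are constructed for illustration; coreSecurity's real database of over 400 patterns is not reproduced here.

```python
"""Illustrative pattern-based PHP malware scanner (added example, not the
plugin's code; the pattern set is constructed here, not coreSecurity's database)."""
import re
from dataclasses import dataclass
from pathlib import Path

# Extensions the page says the scan considers.
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".inc"}


@dataclass(frozen=True)
class Pattern:
    name: str
    kind: str          # "literal" (direct comparison) or "regex"
    pattern: str
    explanation: str


# Constructed, illustrative patterns (assumption: names and regexes are mine).
PATTERNS = [
    Pattern("eval-base64", "regex", r"eval\s*\(\s*base64_decode\s*\(",
            "eval() of a base64-decoded payload"),
    Pattern("assert-request", "regex", r"assert\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b",
            "assert() executing attacker-controlled request data"),
    Pattern("create_function", "literal", "create_function(",
            "runtime code construction (deprecated, common in droppers)"),
    Pattern("long-base64", "regex", r"[A-Za-z0-9+/]{200,}={0,2}",
            "long base64 blob (low confidence: also used for embedded fonts/icons)"),
]


@dataclass(frozen=True)
class Detection:
    path: str
    pattern: str
    explanation: str
    offset: int        # character offset of the match in the file content
    line: int          # 1-based line number
    matched: str       # what actually matched (truncated for long blobs)


def is_php_file(path) -> bool:
    """Extension filter; accepts a str or Path."""
    return Path(path).suffix.lower() in PHP_EXTENSIONS


def _line_of(content: str, offset: int) -> int:
    return content.count("\n", 0, offset) + 1


def scan_content(path: str, content: str) -> list:
    """Run every pattern over one file's content; record each hit with its location."""
    hits = []
    for p in PATTERNS:
        if p.kind == "literal":
            start = 0
            while (idx := content.find(p.pattern, start)) != -1:
                hits.append(Detection(path, p.name, p.explanation, idx,
                                      _line_of(content, idx), p.pattern))
                start = idx + len(p.pattern)
        else:
            for m in re.finditer(p.pattern, content):
                hits.append(Detection(path, p.name, p.explanation, m.start(),
                                      _line_of(content, m.start()), m.group(0)[:40]))
    return hits


def scan_tree(root: Path) -> list:
    """Walk a directory, scanning only files with a PHP extension."""
    results = []
    for f in sorted(root.rglob("*")):
        if f.is_file() and is_php_file(f):
            # errors="replace": obfuscated files are frequently not valid UTF-8
            results.extend(scan_content(str(f), f.read_text(encoding="utf-8", errors="replace")))
    return results


# Constructed sample inputs (not real malware, not from the page).
SAMPLE_INFECTED = (
    "<?php\n"
    "// constructed sample, mimics a dropper stub\n"
    "$k = 'Zm9v';\n"
    "eval(base64_decode($k));\n"
)
SAMPLE_CLEAN = "<?php\nfunction add($a, $b) { return $a + $b; }\n"

if __name__ == "__main__":
    for d in scan_content("wp-content/plugins/demo/demo.php", SAMPLE_INFECTED):
        print(f"{d.path}:{d.line} (offset {d.offset}) {d.pattern}: {d.explanation}")
    print("clean file hits:", scan_content("wp-content/themes/t/functions.php", SAMPLE_CLEAN))
```

Point `scan_tree` at a WordPress install to get one `Detection` per pattern hit; the `long-base64` entry is there to show why a pattern with legitimate uses has to be reported but cannot be trusted on its own.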

Is the Malware Scanner Reliable?

Malware scanning is not an exact process, and it is always evolving, because malware evolves and changes over time as attackers try to make it harder to detect and remove.

  • Malware scanning can produce many false positives, because some of the functions and patterns used by known malware are also used by legitimate code.
  • Malware scanning can't detect every type of malware; the detection patterns are updated often to cover newly discovered malware and to expand the scanner's capabilities.
  • There is no guarantee that the Malware Scanner will detect every type of malware!

Analyze Malware Results

Once the scan process has finished, the Malware tab of the File Scanner shows all files that triggered one or more malware detection patterns.

Malware Scan Results

As you can see, each file has its own box, marked with its severity level and color coded accordingly. Inside the box you can see the date and time of the last change and the malware score. The list of triggered patterns follows, showing the name of each pattern and the actual pattern (in red), along with the position (and line) in the affected file. As for the score, each pattern has its own score, and these are then averaged to produce the overall malware infection score for the file.

There are four result levels, ordered by severity:

  • Critical: files with this score are infected by malware.
  • Major: files with this score are very likely infected by malware.
  • Minor: Files with this score may be infected by malware, but the score
  • Low: files with this score have most likely triggered only low-scoring patterns; they are usually safe and do not contain actual malware.

Score Calculations

Each pattern tested by the plugin has a score assigned. The score reflects how dangerous the problem the pattern detects really is. Many patterns have a low score because there are cases where the pattern is triggered by normal code. For instance, the pattern for detecting a long base64-encoded string is triggered by base64-encoded images, which are often used to embed fonts or icons. That is a legitimate use of base64, which is why that type of pattern has a low score. If a file triggers only patterns of this kind, it gets a Low overall malware score.

The pattern base score is the starting point of the calculation, but other factors are taken into account as well: the location of the file and the number of detections in a single file. If the file is located in one of the WordPress core directories or in the WordPress root directory, it gets a higher score modifier. If the file has more than one detection, the score modifier is higher still.

The score system is tweaked and adjusted based on the patterns, file location and number of detections, and it is all
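
An added example (not the plugin's code) of the scoring described above: per-pattern base scores are averaged, then a location modifier for root-level and core-directory files and a count modifier for multiple detections are applied, and the result is mapped to the four severity levels. The modifier values, the 0-100 scale and the severity thresholds are assumptions; the page does not give the real numbers.

```python
"""Illustrative file-score calculation (added example; the modifier values,
thresholds and 0-100 scale are assumptions, not the plugin's real numbers)."""
from dataclasses import dataclass
from pathlib import PurePosixPath

CORE_DIRS = {"wp-admin", "wp-includes"}
LOCATION_MODIFIER = 1.5      # assumed: applied to root-level and core-directory files
PER_EXTRA_DETECTION = 0.1    # assumed: +10% per detection beyond the first
MAX_COUNT_MODIFIER = 2.0     # assumed cap so a flood of weak hits cannot run away
# assumed severity thresholds on a 0-100 scale
THRESHOLDS = ((80, "Critical"), (50, "Major"), (25, "Minor"), (0, "Low"))


@dataclass(frozen=True)
class Hit:
    pattern: str
    base_score: int   # per-pattern score, 0-100 (assumed scale)


def location_modifier(rel_path: str) -> float:
    """rel_path is relative to the WordPress root; either separator is accepted."""
    parts = PurePosixPath(rel_path.replace("\\", "/")).parts
    # a single component means the file sits directly in the WordPress root
    if len(parts) == 1 or parts[0] in CORE_DIRS:
        return LOCATION_MODIFIER
    return 1.0


def count_modifier(n_hits: int) -> float:
    return min(1.0 + PER_EXTRA_DETECTION * max(n_hits - 1, 0), MAX_COUNT_MODIFIER)


def file_score(rel_path: str, hits: list) -> float:
    """Average the per-pattern scores, then apply location and count modifiers."""
    if not hits:
        return 0.0
    average = sum(h.base_score for h in hits) / len(hits)
    return min(100.0, average * location_modifier(rel_path) * count_modifier(len(hits)))


def severity(score: float) -> str:
    for threshold, label in THRESHOLDS:
        if score >= threshold:
            return label
    return "Low"


def classify(rel_path: str, hits: list) -> tuple:
    s = file_score(rel_path, hits)
    return round(s, 1), severity(s)


if __name__ == "__main__":
    eval_b64 = Hit("eval-base64", 90)     # assumed base scores
    long_b64 = Hit("long-base64", 10)
    cases = {
        "theme file, base64 font only": ("wp-content/themes/t/fonts.php", [long_b64]),
        "plugin file with eval(base64_decode())": ("wp-content/plugins/p/p.php", [eval_b64]),
        "core file, strong + weak hit": ("wp-includes/load.php", [eval_b64, long_b64]),
        "plugin file, one strong hit diluted by four weak ones":
            ("wp-content/plugins/p/big.php", [eval_b64] + [long_b64] * 4),
    }
    for label, (path, hits) in cases.items():
        print(f"{label}: {classify(path, hits)}")
```

The last case is the practical caveat of any averaging scheme: under these assumed numbers, one eval(base64_decode()) hit averaged with four low-scoring base64 hits lands in Minor, even though the strong hit alone would be Critical. Triage from the list of triggered patterns, not from the color of the box alone.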

Interpreting the results

As said previously, malware scans can't be 100% conclusive, especially for edge cases where code triggers a malware pattern but is completely safe and valid. From experience, if a file is marked as Critical, it does have malware and should be examined by an expert to determine how to remove it.
