Is this malware?

When Shield's Malware Scanner reports potential malware, your next question will be - "Is this really malware?"

The site administrator is best suited to answer this question, not the Shield support team, though we will certainly help however we can. More often than not, however, we'll point you to this article.

Shield Security's malware scanner looks for patterns. It's not searching for "known malware", it's searching for code that looks like malware. We dig deeper into this concept here. We'll not repeat what's written there, so we recommend you read that and then come back here.

By now you'll understand that legitimate code can be caught by the malware scanner - these are called False Positives. Shield removes many false positives from results wherever possible, but those that remain, particularly with premium plugins and themes, will need to be assessed by the site admin.

How to determine whether a file is a false positive?

By far the simplest way to confirm that a flagged file is a false positive is to do the following:

  1. Download a backup of the file that has been flagged in your results. If at any point something goes wrong, you'll have this file available to upload to your site as if nothing changed.
  2. Locate the original, clean version of the file. For example, if this is a premium plugin, download the original plugin zip from the distributor and extract the original file in question.
  3. Replace the suspect file on your site with the original file that you know to be clean.
  4. Re-run the malware scanner.

If the malware scanner reports the file again, then you know you have a false positive, i.e. it's not really malware but contains code that looks like malware.
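The comparison behind the steps above, as an added example that is not Shield's own code: it backs up the flagged file, reads the clean copy straight out of the distributor's plugin zip, reports any lines that differ (which you can match against the line numbers in the scan results), and can overwrite the suspect file with the original. The paths, the zip and the sample plugin file are constructed for illustration.

```python
"""Check a flagged WordPress file against the clean copy in the distributor's plugin
zip (back up, extract, compare, restore). Example added here, not part of Shield;
paths and sample files are constructed."""
import difflib
import shutil
import zipfile
from pathlib import Path

def compare_with_original(suspect: Path, original_zip: Path, member: str, backup_dir: Path) -> dict:
    """Step 1: back up the flagged file. Step 2: read the clean copy from the zip.
    Returns whether both are byte-identical and a unified diff of changed lines,
    which can be matched against the line numbers shown in the scan results."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    backup = backup_dir / (suspect.name + ".bak")
    shutil.copy2(suspect, backup)
    with zipfile.ZipFile(original_zip) as zf:
        clean = zf.read(member)
    current = suspect.read_bytes()
    diff = list(difflib.unified_diff(
        clean.decode("utf-8", "replace").splitlines(),
        current.decode("utf-8", "replace").splitlines(),
        fromfile=f"{original_zip.name}:{member}", tofile=str(suspect), lineterm=""))
    return {"identical": clean == current, "backup": backup, "diff": diff}

def restore_original(suspect: Path, original_zip: Path, member: str) -> None:
    """Step 3: overwrite the suspect file with the distributor's clean copy."""
    with zipfile.ZipFile(original_zip) as zf:
        suspect.write_bytes(zf.read(member))

def make_sample(work: Path) -> tuple:
    """Constructed sample: a 'distributor' zip with one plugin file, plus an installed
    copy that has one extra line appended after installation."""
    member = "example-plugin/example-plugin.php"
    clean_src = "<?php\n/* Plugin Name: Example Plugin (constructed) */\nfunction example_hello() { return 'hello'; }\n"
    zip_path = work / "example-plugin.zip"
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr(member, clean_src)
    installed = work / "wp-content" / "plugins" / "example-plugin" / "example-plugin.php"
    installed.parent.mkdir(parents=True, exist_ok=True)
    installed.write_text(clean_src + "// extra line added after installation (constructed)\n")
    return installed, zip_path, member

if __name__ == "__main__":
    work = Path("/tmp/shield-fp-check")  # assumed scratch location
    work.mkdir(parents=True, exist_ok=True)
    suspect, original_zip, member = make_sample(work)
    result = compare_with_original(suspect, original_zip, member, work / "backup")
    print("identical to distributor copy" if result["identical"] else "\n".join(result["diff"]))
```

If the file is identical to the distributor's copy and the scanner still reports it, the match is a false positive; if it differs, the diff shows exactly which lines to inspect before deciding.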

If you have determined a file is a false positive, then click on Ignore to remove this file from your results.

Clicking Ignore will do two things:

  1. Report the file as a false positive to the rest of the Shield network in order to lend confidence to other admins who have the same file.
  2. Remove the file from your malware scan results so it will not be reported again (unless the file changes, e.g. due to an upgrade).

Other ways to determine whether a file is a false positive or not

You can examine the file.

The results will show you the file name and the line numbers where the patterns were detected. If you examine these and you're confident that the file is a false positive, you can click to delete it, or repair it if the option is available.

We understand that many clients may not have the technical expertise to examine PHP code - this is why we recommend the first option: compare against the original distribution files. This approach also has the added advantage of cleaning and repairing the file for you.

We also recommend reading A Complete Guide To The Shield Security Scans here.