Too many false positive malware results!

We sometimes hear that some people are not satisfied with the numbers of false positives in their malware scan results.

Firstly, we want to say that we aren't ignorant of this and don't disregard this issue. We have put in an immense amount of effort to eliminate false positives as much as possible. But there is room for improvement. In this article we'll outline what causes them and why, and where improvements can be made, with your help.

Why do you get false positives?

False positives are where the scanner spots content in a file that matches a typical malware pattern. It may be malware, and it may not be malware.

If it's not malware, then this is a "false positive".

How does Shield handle false positives?

Shield will try to automatically remove irrelevant false positives from your results so you never have to be bothered by them.

The main method is to compare the contents of the flagged file against the original file published for that plugin or theme on WordPress.org, to determine whether the code is the same as the original or not. If the file from the scan result is identical to the file originally released in that plugin/theme on WordPress.org, then we can safely disregard this false positive and never show it to you.

That's great for WordPress.org plugins and themes (because we can examine the original code). Shield is doing this automatically every time you do a scan.

If Shield can't verify the original file content, it can't hide the result.

This is particularly true of premium plugins and themes. Since we can't verify original files from premium plugins and themes, we can't hide those false positive results.
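The following is an added illustration of the reference-file comparison described above; it is not Shield's code and does not use Shield's data. It assumes a reference set of SHA-256 hashes keyed by (plugin slug, version, path inside the plugin), a record of which plugin versions are installed, and the scanner's hits as a list of path/pattern pairs. All file contents, hashes and scan hits are constructed for the example. A hit is suppressed only when the on-disk file is byte-identical to the reference copy; a file that differs, or a premium plugin with no reference copy at all, stays visible.

```python
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the original files as released on WordPress.org.
# Keyed by (plugin slug, version, path inside the plugin) because the same path
# legitimately changes between versions.
REFERENCE_ORIGINALS = {
    ("example-plugin", "1.2.0", "includes/loader.php"):
        b"<?php\n// example-plugin 1.2.0 loader (constructed sample)\n$s = base64_decode('aGVsbG8=');\n",
    ("example-plugin", "1.2.0", "includes/helper.php"):
        b"<?php\n// example-plugin 1.2.0 helper (constructed sample)\nfunction ep_helper() { return 1; }\n",
}
REFERENCE_HASHES = {key: sha256_hex(body) for key, body in REFERENCE_ORIGINALS.items()}

# Constructed snapshot of one site: installed plugin versions and the bytes on disk.
INSTALLED_PLUGINS = {"example-plugin": "1.2.0", "premium-plugin": "3.0.1"}

SITE_FILES = {
    # identical to the reference copy
    "wp-content/plugins/example-plugin/includes/loader.php":
        REFERENCE_ORIGINALS[("example-plugin", "1.2.0", "includes/loader.php")],
    # one line appended after install, so it no longer matches the reference hash
    "wp-content/plugins/example-plugin/includes/helper.php":
        REFERENCE_ORIGINALS[("example-plugin", "1.2.0", "includes/helper.php")]
        + b"$t = base64_decode('YQ==');\n",
    # premium plugin: no reference copy exists in the data at all
    "wp-content/plugins/premium-plugin/premium.php":
        b"<?php\n// premium-plugin 3.0.1 (constructed sample)\n$p = base64_decode('Yg==');\n",
}

# Constructed scanner output: each hit is a path plus the pattern that matched.
SCAN_RESULTS = [
    {"path": "wp-content/plugins/example-plugin/includes/loader.php", "pattern": "base64_decode"},
    {"path": "wp-content/plugins/example-plugin/includes/helper.php", "pattern": "base64_decode"},
    {"path": "wp-content/plugins/premium-plugin/premium.php", "pattern": "base64_decode"},
]

PLUGIN_PATH_RE = re.compile(r"^wp-content/plugins/([^/]+)/(.+)$")


def reference_key(site_path, installed):
    """Map a site path to the (slug, version, relative path) key of the reference set."""
    m = PLUGIN_PATH_RE.match(site_path)
    if not m:
        return None
    slug, rel = m.group(1), m.group(2)
    version = installed.get(slug)
    if version is None:
        return None
    return (slug, version, rel)


def triage(results, site_files, installed, reference_hashes):
    """Return {path: (verdict, reason)}. 'suppress' only when the file is byte-identical
    to its reference copy; anything that cannot be verified is kept as 'show'."""
    out = {}
    for hit in results:
        path = hit["path"]
        key = reference_key(path, installed)
        if key is None or key not in reference_hashes:
            out[path] = ("show", "no reference copy available")
            continue
        if sha256_hex(site_files[path]) == reference_hashes[key]:
            out[path] = ("suppress", "identical to reference copy")
        else:
            out[path] = ("show", "differs from reference copy")
    return out


if __name__ == "__main__":
    verdicts = triage(SCAN_RESULTS, SITE_FILES, INSTALLED_PLUGINS, REFERENCE_HASHES)
    for path, (verdict, reason) in verdicts.items():
        print(f"{verdict:8} {path}  ({reason})")
```

The decision is deliberately one-sided: a lookup miss (unknown plugin, unknown version, or a file the reference set never had) can only ever keep a result visible, never hide it, which is exactly the situation the article describes for premium plugins and themes.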

What other ways do we have of removing False Positives?

When an admin clicks to "Ignore" a false positive, this gets sent to us and we record it. Each time it happens, we build up a knowledge base of false positives (and also of results that aren't false positives, i.e. when an admin clicks to repair or delete).

From this we derive a measure called "False positive confidence": the level of confidence with which the "network" says this result is a false positive.

The higher the confidence score, the more likely the file is "okay". The lower the score, the less we know about the file's contents and you should investigate it using the links/tools in the scan results table.
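The following is an added example of how a "false positive confidence" score can be derived from network-wide admin decisions; it is not Shield's formula, which the article does not give. It assumes the reported decisions are keyed by the SHA-256 of the flagged file (an assumption) and uses the Wilson score lower bound of the ignore ratio, so that a file with only a handful of reports scores low even if every report was an "Ignore", matching the article's point that a low score means little is known about the file. All events and hashes are constructed for the example.

```python
import math
from collections import defaultdict

Z95 = 1.96  # z value for a 95% interval

# Constructed feed of admin decisions reported back by many sites. Keyed by the
# content hash of the flagged file (assumption). Hash values are placeholders.
def _events(sha256, action, count):
    return [{"sha256": sha256, "action": action} for _ in range(count)]

NETWORK_EVENTS = (
    _events("hash-A", "ignore", 40)                          # widely ignored, plenty of data
    + _events("hash-B", "ignore", 2)                         # ignored, but only two reports
    + _events("hash-C", "ignore", 5) + _events("hash-C", "delete", 15)  # mostly deleted
)


def wilson_lower_bound(successes, total, z=Z95):
    """Lower bound of the 95% Wilson interval for a proportion; 0.0 when there is no data."""
    if total == 0:
        return 0.0
    p = successes / total
    centre = p + z * z / (2 * total)
    margin = z * math.sqrt(p * (1 - p) / total + z * z / (4 * total * total))
    return (centre - margin) / (1 + z * z / total)


def tally(events):
    """Count 'ignore' decisions against 'not a false positive' decisions (repair/delete) per hash."""
    counts = defaultdict(lambda: {"ignore": 0, "not_fp": 0})
    for e in events:
        bucket = "ignore" if e["action"] == "ignore" else "not_fp"
        counts[e["sha256"]][bucket] += 1
    return counts


def fp_confidence(events):
    """Score in [0, 1] per file hash: how confidently the network calls it a false positive."""
    return {
        h: wilson_lower_bound(c["ignore"], c["ignore"] + c["not_fp"])
        for h, c in tally(events).items()
    }


def confidence_for(events, sha256):
    """Score for one hash; a file the network has never reported on scores 0.0."""
    return fp_confidence(events).get(sha256, 0.0)


def band(score):
    """Coarse label an admin can act on."""
    if score >= 0.8:
        return "high"
    if score >= 0.5:
        return "medium"
    return "low: investigate"


if __name__ == "__main__":
    for h in ("hash-A", "hash-B", "hash-C", "hash-unknown"):
        s = confidence_for(NETWORK_EVENTS, h)
        print(f"{h:13} {s:.3f}  {band(s)}")
```

A plain ignore ratio would give hash-A and hash-B the same score of 1.0; the lower bound separates them (about 0.91 versus 0.34) because two reports are not enough evidence, and a file with no reports at all, like an unknown premium-plugin file, stays at 0.0 and remains something to investigate.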

What can we do about premium plugins and themes?

We add premium plugins and themes to our database so we can help to eliminate false positives for them too.

We do this with our WP Hashes project, and we scan everything where possible.

What if you're really sick of the false positive results?

Sadly, then, your only option is to switch off the feature.