Shield Pro’s Malware Scanner Gets Smarter With Network Intelligence


We released the first version of Shield’s WordPress malware scanner at the end of August. Since then we’ve been hard at work to improve the scanner from every angle.

The first of those improvements was in the scanning architecture itself, and this arrived with Shield Pro 8.1. For our next release, 8.2, we’ve been working on the malware scan results themselves.

As we outlined before, the malware scanner identifies “code patterns” that “look” like malware.

This has a huge advantage over other approaches: Shield is more likely to detect bespoke, never-before-seen malware. If any code on your site uses common malware tricks, Shield will find it.

Think of your normal, everyday antivirus scanner. It has, of course, virus signatures in its database, but it also has scanning heuristics that allow it to catch viruses it has never “seen” before.

It’s the same idea with Shield’s malware scanner.

When Shield reports a file as being malware, and it actually isn’t, this is called a false positive. Unfortunately these are quite common and are causing undue work for site admins.

So what can we do about these false positive results that only look like malware? Can we be smarter about identifying them?

Yes, and that’s what Shield 8.2 is all about.

New: Shield Pro’s Network Security Intelligence

Some of you may have noticed our earlier mentions of WPHashes.com. We’ve extended this API to allow us to do some funky stuff with Shield Security malware scanning, too.

We set up this API to provide networked intelligence that lets everyone share information about which files are malware, and which ones aren’t.

When Shield scans a site for malware, it’ll report false positives that it’s found and at the same time, request the list of false positives that the rest of the network has also discovered.

It uses this data to determine which files are likely to contain malware.

But the network data of false positives isn’t just a simple list. It also contains a confidence score that a file is a false positive. This score is based on the reporting from the entire network.

The higher the confidence level, the more likely that the file is a false positive and it can be ignored and even excluded from your results altogether.

Using your preferred minimum confidence threshold (which you can adjust), Shield will filter out those scan results so you don’t need to bother with them.

How The ‘False Positive’ Confidence Threshold Works

This can get a little confusing, but hopefully we can clarify it a bit. Here goes…

  • A false positive is when the scanner incorrectly detects malware in a file (i.e. the file is clean).
  • ‘False positive’ confidence is how sure the “network” is that the file is actually a false positive.
  • This confidence level comes from the network, with all the other sites reporting on whether a file is, or is not, malware.
  • This setting lets you set the minimum confidence level the scanner requires before it ignores a scan result.

For example, let’s say you select “Low” as your minimum threshold. This means that if the scanner finds a file, and the network says the likelihood that it’s a false positive is Low, Medium, or High, the scanner will ignore the file.

But let’s say that you select “High” as your minimum threshold. If the network looks at a file and says it has only “Low” confidence of being a false positive, then the scanner won’t ignore the file and it will be reported to you.

Special cases in this setting are ‘Full’ and ‘None’.

‘Full’ is where you require complete (100%) confidence that the network believes a file is a false positive before the scanner will ignore it.

‘None’ is when you decide to opt-out of the Network entirely (see below).
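The threshold rules above, modelled as a small decision function. This is an added example, not the plugin’s own code: the numeric ranking of the level names, the `ScanResult` shape and the handling of a file the network has no data for are assumptions.

```python
"""Model of the 'false positive' confidence threshold (added example, not
Shield's code). Level names come from the article; the numeric ordering,
the ScanResult shape and the 'no network data' rule are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordered lowest to highest; the numbers exist only for comparison.
LEVELS = {"low": 1, "medium": 2, "high": 3, "full": 4}


@dataclass
class ScanResult:
    path: str
    # Network's confidence that this file is a false positive,
    # or None when the network has never seen the file.
    network_confidence: Optional[str]


def should_ignore(result: ScanResult, threshold: str) -> bool:
    """True when the network's confidence meets the site's minimum threshold.

    'none' means the site opted out of the network, so nothing is ever
    auto-ignored; a file with no network data is always reported (assumption).
    'full' requires complete agreement, which falls out of the ordering.
    """
    t = threshold.lower()
    if t == "none" or result.network_confidence is None:
        return False
    return LEVELS[result.network_confidence.lower()] >= LEVELS[t]


def filter_results(results: List[ScanResult],
                   threshold: str) -> Tuple[List[ScanResult], List[ScanResult]]:
    """Split results into (reported, ignored) under the given threshold."""
    reported = [r for r in results if not should_ignore(r, threshold)]
    ignored = [r for r in results if should_ignore(r, threshold)]
    return reported, ignored


# Constructed sample results (paths and confidences are made up).
SAMPLE = [
    ScanResult("wp-content/plugins/a/lib.php", "high"),
    ScanResult("wp-content/uploads/x.php", "low"),
    ScanResult("wp-content/themes/t/f.php", None),
]
```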

Privacy and Anonymity of Shield’s Network Intelligence

So the first thing you’ll want to know is: what information does the Shield Network gather, and what information do we collect about you from the malware scanner’s reports?

Absolutely no information about you, or your site is collected.

Our API receives and stores the following information:

  • file name (not the full path, just the last part of the name, e.g. malwarefile.php)
  • the SHA1 hash of the file (this is a one-way hash, so the contents of the file can never be recovered from it)
  • whether you consider the file a false positive, or malware.

And that’s it. We’re not in the business of collecting and harvesting personal information.

What about your IP address when your server sends us a report?

Sure, we could collect it. But there’s no good reason to do so, and so we don’t.

We do, however, use the IP (along with the data sent) to create a unique fingerprint hash that helps us prevent duplicate reports. And like any hash, this is a 1-way process, so there’s no way to extract an IP address from it.
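What a report of this shape looks like, and how a server-side duplicate-suppression fingerprint over the IP plus the report can be built. This is an added example, not Shield’s or WPHashes.com’s code: the field names, the JSON layout and the use of a keyed HMAC are assumptions. The keying is the one deliberate addition: because the server already stores the report fields, the IP is the only unknown input to the fingerprint, and an unkeyed hash of an IPv4 address can be reversed by trying all 2^32 values, so a secret held only on the server is what makes the fingerprint genuinely one-way.

```python
"""Report record and dedup fingerprint (added example, not Shield's code).
Field names, JSON shape and the keyed HMAC are this example's assumptions."""
import hashlib
import hmac
import json
import os

# Constructed sample: a file the scanner flagged and the admin marked clean.
SAMPLE_PATH = "/var/www/html/wp-content/plugins/example/malwarefile.php"
SAMPLE_CONTENT = b"<?php /* constructed sample, not real malware */ echo 'ok';"


def build_report(path: str, content: bytes, is_false_positive: bool) -> dict:
    """Only the basename, the SHA1 of the content and the verdict leave the site.

    The full path is deliberately dropped so server layout is not disclosed.
    """
    return {
        "file": os.path.basename(path),
        "sha1": hashlib.sha1(content).hexdigest(),
        "false_positive": bool(is_false_positive),
    }


def dedup_fingerprint(report: dict, client_ip: str, server_secret: bytes) -> str:
    """Fingerprint of (client IP, report) used only to drop duplicate reports.

    The IP is fed into the hash but never stored. An HMAC keyed with a
    server-only secret is used (assumption) so the IPv4 space cannot simply
    be enumerated against a stored digest; the report is canonicalised so
    key order does not change the result.
    """
    canonical = json.dumps(report, sort_keys=True, separators=(",", ":"))
    msg = client_ip.encode("ascii") + b"\n" + canonical.encode("utf-8")
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()
```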

Do You Have The Option To Disable Network Intelligence?

Absolutely! You can set this using the options inside Shield.

As mentioned earlier, our API provides confidence levels about the likelihood of a file being a false positive result.

This confidence level is obtained from the network as each site reports in about its results.

You can decide what your threshold is for false positives. One option you have is to completely opt-out of the information gathered from the network.

When you choose this option, your site won’t contribute information to the network, and it’ll also not receive information either. It’ll be entirely up to you to decide whether a result from the scan is, or is not, malware.

As we’ve said, no information that could ever identify you is retained by us and we only store the specific malware scan information that will assist other sites on the network, and yourself.

We believe in the power of the network and we encourage you to take part, but you always have the option to reject it.

When Is Shield Pro’s Network Intelligence Ready?

This network intelligence only applies to Shield Pro and its malware scanner. There is, currently, no other feature within Shield that uses this.

It’ll be immediately available on any Shield Pro site that uses the malware scanner from version 8.2 onward. This is scheduled for release in early October 2019.

Questions and Suggestions

If you have any questions, comments, or suggestions about anything raised in this article, please do feel free to drop us a message in the comments area below.

Your feedback, suggestions, and even words of encouragement are always welcome.

Of course, if you want to upgrade your Shield Security to Pro, you can upgrade here at any time.
