Shield’s WordPress Malware Scanner Is Now Even Smarter


Your WordPress sites have been automatically scanned for malware since Shield Security Pro 8.0 was released.

We’ve been delivering improvements with each release, designed to refine the malware scanner and make the results more accurate and actionable.

With Shield Security Pro 8.3, we’re bringing further enhancements.

What’s new in our WordPress Malware scanner?

Since Shield Security 8.0 we’ve been focused on delivering a powerful, automated malware detection system.

The first release, while it worked well, had a couple of issues.

The main one was that false positives were showing up, making the scan results noisy and sometimes troublesome to analyse.

With each new release of Shield, 8.1 and 8.2, we developed enhancements that did a better job of removing many false positives automatically. This left scan results that allowed you to focus on, and narrow down, the code that was actually suspicious.

But we knew we had further to go.

To summarise, here are the improvements we’ve brought with our malware scanner:

1. Automatic Filtering of WordPress.org Core Files

This was actually in our first Malware scanner release. This is how it works:

  1. Shield discovers a file that has code that “looks like” malware.
  2. It sees that the file is a core WordPress file.
  3. Shield looks to WordPress.org and downloads the original file as it’s found on the WordPress distribution.
  4. It then compares the file on your site with that downloaded file.
  5. If the file contents are the same, then we mark the file as “legitimate” (i.e. not malware) and remove it from the scan results.

This means that Shield will never flag up a WordPress core file as having malware if the contents match the original WordPress content.

2. Automatic Filtering of WordPress.org Plugin Files

This was also in our first release and it works just like that above for core files:

  1. Shield discovers a file that has code that “looks like” malware.
  2. Shield sees that the file is inside a plugin folder, and that plugin is on WordPress.org.
  3. It looks to WordPress.org and downloads the original file as it’s found on the plugin distribution for that version.
  4. Shield compares the file on your site with that downloaded file.
  5. If the file contents are the same, then we mark the file as legitimate and remove it from the scan results.

This process removes a large number of false positives from your malware results before you ever see them.
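As an added illustration of the five steps above for core and plugin files (this is example code written for this page, not Shield’s own code, and it says nothing about Shield’s internals), here is the procedure in Python. The heuristic patterns, the plugin slug and version, and the reference file contents are all constructed for the example, and fetch_reference stands in for downloading the original file from WordPress.org:

```python
import hashlib
import re

# Heuristic patterns for code that "looks like" malware. Both are constructed
# for this example and are not Shield's actual signature set.
SUSPICIOUS_PATTERNS = [
    re.compile(r"eval\s*\(\s*base64_decode\s*\("),          # eval(base64_decode(...))
    re.compile(r"\b(passthru|shell_exec|system)\s*\(\s*\$_(GET|POST|REQUEST)\b"),
]

# Constructed stand-in for the WordPress.org distribution. The dict is what
# "download the original file for that plugin version" would return, keyed by
# (plugin slug, version, path relative to the plugin folder).
SAMPLE_REFERENCE = (
    b"<?php\n"
    b"// constructed example file: the decode-and-eval below ships with the plugin\n"
    b"function example_run_template($code) {\n"
    b"    return eval(base64_decode($code));\n"
    b"}\n"
)
REFERENCE_FILES = {
    ("example-plugin", "1.2.0", "includes/loader.php"): SAMPLE_REFERENCE,
}


def find_suspicious_lines(source: str):
    """Step 1: (line_no, line) for every line that matches a heuristic pattern."""
    return [(n, line) for n, line in enumerate(source.splitlines(), start=1)
            if any(p.search(line) for p in SUSPICIOUS_PATTERNS)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_reference(slug: str, version: str, rel_path: str):
    """Step 3: the file as distributed on WordPress.org, or None when it cannot be
    verified (premium plugin, unknown version, path not in the distribution)."""
    return REFERENCE_FILES.get((slug, version, rel_path))


def classify_file(local_bytes: bytes, slug: str, version: str, rel_path: str):
    """Steps 1-5 of the filtering procedure. Returns (verdict, suspicious_hits)."""
    hits = find_suspicious_lines(local_bytes.decode("utf-8", errors="replace"))
    if not hits:
        return "clean", hits            # nothing looked like malware
    reference = fetch_reference(slug, version, rel_path)
    if reference is None:
        return "unverifiable", hits     # stays in results for the admin to judge
    # Steps 4-5: identical to what WordPress.org ships, so the suspicious-looking
    # code came with the plugin; drop the file from results.
    if sha256_hex(local_bytes) == sha256_hex(reference):
        return "legitimate", hits
    return "modified", hits             # differs from the distribution: keep it


if __name__ == "__main__":
    tampered = SAMPLE_REFERENCE + b"passthru($_GET['cmd']);\n"
    for name, data in (("original", SAMPLE_REFERENCE), ("tampered", tampered)):
        verdict, hits = classify_file(data, "example-plugin", "1.2.0", "includes/loader.php")
        print(name, verdict, [n for n, _ in hits])
```

Two details worth noting: the comparison is done on the whole file, not on the suspicious line, so a file that matches the distribution is dropped even though its flagged line still "looks like" malware; and a "modified" verdict only means the file differs from what WordPress.org ships for that version, which is exactly the case (a local edit or an injected line) that should stay in the results for a human to look at.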

3. Improved Automatic Filtering of WordPress.org Plugin Files

Each plugin on WordPress.org has a set of versions to denote releases. This works well for the most part, but unfortunately, many plugin developers don’t make use of (SVN) “tags” when they release a plugin.

If you’re not familiar with what ‘tags’ are, you can think of them as markers that state, very concretely, all the files that are released in a particular version.

Shield used those tags to download the exact files when verifying files on your site (step 3 above).

But the problem arises with plugins whose developers don’t use these tags: there is no tag from which to download the files for the version you have installed.

We worked out a system to work around that problem, and this allows Shield to identify even more false positives and remove them from results.

A huge win for our malware scanner!

4. Automatic Filtering of WordPress.org Themes Files

The system for releasing WordPress.org plugins is quite different from the one for themes.

We had focused mainly on plugins, so with Shield 8.2 we turned our attention to themes and built a similar system for filtering out more false positives.

5. Centralised Network Intelligence For Shared False Positives Scoring

This is where things start to get a little complicated, but it’s where the magic really starts.

So let’s say you have a file that Shield says could contain malware, but Shield hasn’t been able to automatically filter it out of the results using the techniques outlined above. That happens for one of two reasons:

  1. It’s actually malware!
  2. It’s a false positive – code that only “looks like” malware but is in a plugin or theme we can’t automatically verify. e.g. Premium plugins or themes.

So what can we do? That’s where the power of the network comes into play. As administrators encounter these files, they decide whether each one is malware or not.

Each time they make that decision, by “deleting” or “ignoring” the result, it sends a signal back to our API, which we aggregate with the signals from other sites.

Next time a scan runs, on any site, it uses these signals to determine automatically whether the file is safe or not.

Over time, as we receive enough signals from sites all over the world, the malware results gradually whittle down to only those that really are malware.

6. [NEW] Improved Centralised Network Intelligence

The first iteration of our intelligence network dealt with whole files: the signal identified the entire file. This works well if the file never changes between releases of a premium plugin or theme.

But it has a weakness, which we’ll describe below:

  1. Imagine you install a premium plugin that has a file that gets flagged as having malware (i.e. it looks like malware, but it isn’t).
  2. You check it, confirm it’s not malware, and click ‘Ignore’, and so do many other Shield admins. Eventually, Shield scanners use this shared knowledge to filter the file out of results.
  3. Then the premium plugin gets an upgrade and the file in question changes, but the line that has the malware-looking code is still there.
  4. The file will show up in results again because its contents, and therefore its signal, have changed, and the process starts all over again from step 1.

What can we do to prevent this scenario and keep results like that filtered away so they don’t bother us?

This is our next improvement that comes with Shield Security 8.3.

When an admin clicks ‘Ignore’ or ‘Delete’ and sends us that signal, it’ll now send two signals. It’ll send a hash of the whole file (as before), but it’ll now also send a hash of the particular line that triggered the malware scanner.

Shield Network will now track individual lines, not just the whole files.

The malware scanner will be able to filter out files that contain specific lines that have already been verified as being safe.

What Makes This Improvement So Powerful?

Over time, as the network information gathers and expands, Shield admins will have access to a vast database of crowd-sourced malware signatures. Not only that, you’ll also have access to a database which will be able to detect code that “looks like malware, but isn’t”.

What we’ve learned in building our malware scanner from scratch is that knowing which code isn’t malware is just as important as being able to identify code that is malware.

As the data improves over time, with new enhancements and expanding network intelligence, we’ll be able to accurately capture malware files at a faster and faster rate.

We’re excited about where we can take this and of course we owe our forward progress to all the Shield Security admins out there who use the malware scanner and contribute to the Shield Network.

A huge thank you to you all for your contribution!
