CLAM AV Scanner is detecting a HIDE MY WP "Virus Signature"

This topic is: not resolved
Viewing 15 posts - 1 through 15 (of 23 total)
    #19651
    turner2f
    Post count: 83

    Love the plugin. We have purchased probably 20 copies.

    =======

    Since October 2017 our automated DB backups have been getting deleted from the server whenever CLAMAV ( on C-panel ) runs its “virus scanner” .

    After about 18 hours of trial testing we have found that the “HMWP” plugin is permanently inserting what CLAMAV believes to be a “virus signature” within the “WP-Options” database table.

    In “putty” it says, “wp_option.MYD: YARA.eval_post.UNOFFICIAL”.

    https://serverfault.com/questions/862536/what-is-yara-eval-post-unofficial-and-what-should-i-do-about-it

    Turning off or deleting the HMWP plugin does not resolve the issue. Once HMWP is activated the “virus signature” is embedded somewhere within the “WP-Options” database table.

    So the ONLY way to get rid of the “virus signature” is to roll-back our database to a time before HMWP was installed.

    =============

    Unfortunately, we cannot find where this “virus signature” is within the “wp-options” database table.

    And until this gets resolved we cannot keep using HMWP since the “virus signature” is causing our backups to be deleted by CLAMAV.

    =============

    At least one of two things has happened here….

    1) – CLAMAV Scanner ( in C-Panel ) has added a NEW list of signatures to look for that are detecting a “virus signature” from HMWP within the “wp-options” database table

    2) – HMWP acquired a “signature” within the plugin during its update. Again, this phenomenon began in October 2017.

    =============

    We found this “virus signature” by running a command line for the CLAMAV Scanner using “putty” :

    https://linux.die.net/man/1/clamscan

    Make sure to back up the database and download it to your desktop before attempting to run the scanner.

    The command you want to use would be something like this:…

    clamscan -r --remove=no /var/lib/mysql/user_database

    (where user_database is the actual database name)

    =============

    Thanks in advance.

    Please send a copy of HMWP prior to October 2017 so we can test it against Clam AV Scanner.

    #19652
    turner2f
    Post count: 83
    #19653
    turner2f
    Post count: 83

    TICKET UPDATE:

    The CLAMAV virus definitions are picking up “virus signatures” no matter what version of HMWP we use.

    What exactly is HMWP inserting into the WP-Options database table ?

    And how do we delete the signature ?

    Or is this a false positive ?

    If so, how do we get CLAMAV to ignore the specific false positive ( virus signature ) that is being inserted by HMWP ?

    =============

    Need help with this so that our auto-db backups are not being deleted by CLAMAV during the virus scan .

    #19656
    Suman M.
    Post count: 12478

    Hi, thanks!
    HMWP doesn’t insert any virus signature in the database.

    Please do these:

    1) In “wp_options” table in your database, delete the rows (that HMWP adds) with the following “option_name”. Please back up your database first.
    – hide_my_wp
    – hide_my_wp_undo
    – hmwp_ids_installed
    – hmw_all_plugins
    – external_updates-hide_my_wp
    – hmwp_spam_counter
    – hmwp_temp_admin_path

    2) disable HMWP plugin and check the issue.

    If the issue still remains then it’s not related to HMWP.

    You can also try installing HMWP in the new test site where CLAMAV Scanner is not removing DB backups.
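
An added example, not part of the original thread or HMWP's code: one way to find which `wp_options` row a detection like this points at, by searching the raw table file or a SQL dump for an eval/`$_POST` pattern and attributing each hit to the nearest preceding option name from the list above. The regex is an assumed stand-in for the actual YARA rule, and `SAMPLE` is constructed data.

```python
import re
import sys

# Assumption: a stand-in for the strings of the YARA rule behind
# "YARA.eval_post.UNOFFICIAL"; swap in the strings from the rule file
# your scanner actually loads.
SUSPECT = re.compile(rb"eval\s*\(\s*[^)]{0,40}\$_(?:POST|REQUEST)", re.I)

# option_name values listed in the support reply above.
HMWP_OPTIONS = [
    b"hide_my_wp", b"hide_my_wp_undo", b"hmwp_ids_installed",
    b"hmw_all_plugins", b"external_updates-hide_my_wp",
    b"hmwp_spam_counter", b"hmwp_temp_admin_path",
]
# Longest names first so "hide_my_wp_undo" is not reported as "hide_my_wp".
NAMES = re.compile(b"|".join(
    re.escape(n) for n in sorted(HMWP_OPTIONS, key=len, reverse=True)))

# Constructed sample, not real HMWP data: two fake rows, the second holding
# a logged request string that a rule of this kind would flag.
SAMPLE = (
    b"\x03\x00hmw_all_plugins\x00a:1:{i:0;s:9:\"hello.php\";}\x00yes"
    b"\x03\x00hide_my_wp\x00a:1:{s:3:\"log\";s:24:\"POST /?x=eval($_POST[q])\";}\x00yes"
)


def locate_hits(data, context=24):
    """Return offset, nearest preceding HMWP option_name and an excerpt
    for every suspect match in a raw .MYD file or SQL dump."""
    names = [(m.start(), m.group().decode()) for m in NAMES.finditer(data)]
    hits = []
    for m in SUSPECT.finditer(data):
        # Heuristic: option_name precedes option_value within a row, so the
        # closest known name before the hit is the likely owner.
        before = [name for pos, name in names if pos < m.start()]
        lo, hi = max(0, m.start() - context), m.end() + context
        excerpt = "".join(chr(b) if 32 <= b < 127 else "." for b in data[lo:hi])
        hits.append({"offset": m.start(),
                     "option": before[-1] if before else None,
                     "excerpt": excerpt})
    return hits


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for hit in locate_hits(blob):
        print(hit["offset"], hit["option"], hit["excerpt"])
```

Run it with the path to a copy of the `.MYD` file or a dump. On MyISAM tables, bytes of a deleted row can stay in the `.MYD` file until the space is reused or the table is rebuilt, so a hit may point at data that no longer shows up in a query.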

    #19657
    turner2f
    Post count: 83

    Thanks for the reply.

    Does your CLAMAV have the latest “virus definitions” ?

    You can update the CLAMAV virus definitions by opening up “putty” and running the command line : freshclam

    =======

    1) – I will test by deleting the tables.

    2) – What “new test site” are you referring to ?

    #19659
    Suman M.
    Post count: 12478

    2) I mean to try replicating the issue in the new WordPress website.

    #19660
    turner2f
    Post count: 83

    UPDATE:

    In “wp_options” table in our database, we deleted the rows (that HMWP adds) with following “option_name”.

    We installed HMWP version 2.5.1 :

    – hide_my_wp ( FOUND and DELETED )
    – hide_my_wp_undo (NOT FOUND )
    – hmwp_ids_installed (NOT FOUND )
    – hmw_all_plugins ( FOUND and DELETED )
    – external_updates-hide_my_wp (NOT FOUND )
    – hmwp_spam_counter (NOT FOUND )
    – hmwp_temp_admin_path (NOT FOUND )

    ===============

    Result CLAM AV still shows that the database is infected.

    ===============

    Please note :

    This ONLY occurs when HMWP is “activated”.

    And even when UN-installed the database is still showing up as “infected”.

    We even tested this without any other plugin installed.

    ===============

    IMPORTANT QUESTION:

    IF this is a “false positive” within the “wp_options” table, is there a way to get CLAM AV to ignore “HMWP” within the “wp_options” table ?

    HMWP has been very important to our online WP security, at the same time we also need the ability to have our auto DB backups intact .

    We purchased 20+ licenses, and plan to buy more.

    Look forward to your reply.

    #19666
    Suman M.
    Post count: 12478

    Please use latest version of HMWP plugin (5.5.5).

    These 2 statements are conflicting:
    1) This ONLY occurs when HMWP is “activated”.
    2) And even when UN-installed the database is still showing up as “infected”.

    As per statement 2, it seems like the issue is not related to HMWP. By the way, did you test on a fresh site? Please test on a fresh site, first without installing HMWP. If the virus scan works fine then install and activate HMWP and then check the result.

    #19667
    turner2f
    Post count: 83

    Thanks for the reply.

    1) – Yes, we already tested on a fresh site.

    2) – The 2 statements are not conflicting.

    Because as mentioned for #2 ( ” AND EVEN WHEN UN-installed the database is STILL showing up as infected” ).

    In other words, HMWP is leaving behind a “virus signature” somewhere within the “wp_options” table EVEN AFTER it is UN-installed and deleted.

    ============

    IMPORTANT NOTE:

    This ONLY happens after activating HMWP.

    This is not occurring with any other plugin.

    ============

    IMPORTANT QUESTION:

    IF this is a “false positive” within the “wp_options” table, is there a way to get CLAM AV to ignore “HMWP” within the “wp_options” table ?

    #19674
    Suman M.
    Post count: 12478

    Hi, I’ve assigned this ticket to Dev. Team so that they can look further into it. Vikas will get back to you on this.

    #19675
    turner2f
    Post count: 83

    Thanks.

    #19717
    Vikas Singhal
    Post count: 219

    Please try to clear the IDS logs and see if the value is still in the database.

    #19818
    turner2f
    Post count: 83

    Hello. I just saw your reply here. I did not receive an email notification.

    What I need to know is how do I clear the IDS logs ?

    ===========

    1) – So I should keep the plugin activated ?

    2) – Clear the IDS logs ?

    3) – And then run Clam AV on the database via C-Panel ?

    ===========

    I would be using the following command line using “putty”

    clamscan -r --remove=no /var/lib/mysql/user_database

    (where user_database is the actual database name)

    ===========

    Look forward to your reply.

    #19822
    Vikas Singhal
    Post count: 219

    I meant to clear the logs in HMWP IDS logs. Go to IDS Firewall > Delete IDS logs and then rescan the database. Hope that makes sense.

    #19851
    turner2f
    Post count: 83

    I cleared out the IDS log.

    CLAM AV Scanner is still detecting a virus signature.
