MScan Malware Scanner Guide


This topic contains 2 replies, has 3 voices, and was last updated by  zmirli 4 weeks, 1 day ago.

  • #33919

    AITpro Admin
    Keymaster

    MScan Malware Scanner General Info

    MScan is a malware scanner that scans website files for hacker files or code and scans the WP database for hacker code. If you are looking for something that is much more advanced, automated and superior to all/any malware scanners including MScan then we have already created that in BPS Pro > AutoRestore|Quarantine Intrusion Detection and Prevention System (ARQ IDPS), which is also a file scanner, but ARQ IDPS does not scan for malicious hacker code and instead uses an unbeatable method to protect website files in real-time.

    Malware scanners are an “after the fact” security detection feature vs the ARQ IDPS scanner, which is a real-time security prevention feature. If your website is already hacked then a malware scanner will find hacker code and files and make website hack cleanup much easier and quicker to do. If your website is clean of any hacker files or code and you are using BPS Pro ARQ IDPS then your website will always remain clean of any hacker files or code since ARQ IDPS is a real-time security prevention feature that automatically autorestores files that have been tampered with and quarantines any malicious files that are uploaded to a website.

    Summary: It is important to understand the differences between MScan and ARQ IDPS so that correct usage of these two features is not misunderstood and they are used together correctly. ARQ IDPS is by far superior to MScan and is an ongoing automated real-time website security protection feature. MScan on the other hand is a security detection tool that can be used once on first time BPS Pro installations to check for existing hacker files or randomly to scan folders or files or can be scheduled to scan files (scheduled scanning is available in BPS Pro only) on a regular ongoing basis as an additional security measure.

    Basic Info|Recommendations|Limitations|Restrictions

    It is highly recommended that you use the Scan Time Estimate Tool before running an actual scan.  The Scan Time Estimate Tool calculates the total estimated time of a scan based on your MScan Option settings without actually running a scan.

    MScan allows you to scan your entire hosting account folders and files from any of your WordPress websites installed under your hosting account.  Obviously you do not need to scan your entire hosting account folders and files from each of your WordPress websites since you would be scanning the same folders and files redundantly/unnecessarily.  See “MScan Recommended Scan Settings for Multiple WordPress Websites”.

    The default MScan settings that are automatically set up when upgrading BPS or running the Setup Wizard are set up to scan an entire Hosting Account, which will work fine for someone who has 5 or fewer WordPress websites installed under their hosting account (assuming an average number of plugins are installed on each site – 7-12). See “Safe Maximum File Scan Limits” below. If you have more than 5 WordPress websites installed under your hosting account then you should not attempt to scan more than 5 WordPress websites at one time.

    The MScan Log file contains extensive detailed information about all phases of scans.

    Safe Maximum File Scan Limits:
    Scanning a maximum of 10,000 files at one time (not including image files), which is equivalent to 5 WordPress websites with an average number of plugins installed should take around 120 seconds/2 minutes to complete without any problems.  You can of course try to scan more files at one time, but the chances of successful scan completion will decrease if you exceed your web host’s maximum script execution time limits. Since BPS is installed on each WordPress website you can run an MScan scan from each WordPress website and scan only each website’s files instead of trying to scan multiple WordPress websites under your hosting account at one time.  Note: We have scanned 10 WordPress sites at one time (20,000 files) and the scan completed successfully, but that is pushing our web host’s script execution time limits/restrictions.  It is not recommended that you try to scan that many files at one time.

    Web Host Script Execution Time Limits/Restrictions:
    By default most web hosts only allow a script to run a maximum of 300 seconds/5 minutes. If a scan takes longer than 300 seconds to complete it is not recommended that you increase the Max Time Limit to Scan setting. What is recommended instead is that you scan fewer folders and files at one time. The Scan Time Estimate Tool allows you to check whether or not you are attempting to scan too many folders and files at one time or if the scan will complete without going over the Web Host maximum script execution time limitation of 300 seconds/5 minutes.

    Image File Scanning:
    Scanning image files may be problematic depending on which web host you have and most web hosts already have security protection against Exif and Stegosploit image hacking methods. Recommendation: Either do not scan image files and leave the default Image File Scan Off setting or only scan image files for each website scan individually and do not try to scan image files for multiple WordPress websites under a hosting account. Example: If you have a WordPress website that is installed in a folder named /wordpress/ then only check that Hosting Account Root Folder checkbox, choose the Image File Scan On MScan Option setting and then run a scan on the /wordpress/ folder only.

    MScan Recommended Scan Settings for Multiple WordPress Websites
    For this example I have 10 WordPress websites installed under a hosting account.  I will designate 1 WordPress website to scan its own WordPress folders and files and all other hosting account folders that are not other WordPress installation folders/sites.  I would uncheck all Hosting Account Root Folders checkboxes for any other WordPress installation folders and click the Save MScan Options button.  The other 9 WordPress websites will scan only their own WordPress folders and files.  On each of the other 9 WordPress websites I would only check the Hosting Account Root Folders checkbox for the WordPress installation folder where the WordPress website is installed and uncheck any/all other Hosting Account Root Folders checkboxes and click the Save MScan Options button.  Using these recommended MScan settings is a good method for several reasons:  You will not be scanning the same folders and files redundantly from several different WordPress websites, any suspicious files and DB entries that are detected will be specific to each site to keep things logical and orderly per WordPress site and you will be scanning a smaller number of files from each WordPress site, which means scans will complete faster and use less server resources and processing time per scan.

    Troubleshooting|Issues|Problems|FAQ:

    Please post any issues, problems, questions or suspicious code in the MScan – Troubleshooting, questions, problems and code posting forum topic.

    ARQ IDPS & MScan Scheduled Scans (BPS Pro only)
    AutoRestore|Quarantine Intrusion Detection & Prevention System (ARQ IDPS) can scan 10,000 files in around 10 seconds vs MScan Malware Scanner, which will take around 2 minutes to scan 10,000 files.  That is one of the primary reasons why ARQ IDPS is far superior to any/all malware scanners – less server resources and usage per scan – less impact on overall site performance, 100% accuracy at automatically detecting and preventing hacking attempts in real-time, etc.  So since ARQ IDPS uses relatively almost no server resources to run scans every 2 minutes then also scheduling MScan scans will not affect ARQ IDPS scans adversely/negatively in any way.  In other words, if you choose to use MScan scheduled scanning then it would be an independent additional security measure that would not negatively impact any other existing BPS Pro security features including ARQ IDPS.

    WordPress zip file download, extraction, MD5 file hash array creation and cleanup automation FAQ:
    Important Note: WordPress zip file download, extraction, MD5 file hash array creation and cleanup adds 30 seconds to overall MScan scan time. This is a one-time event that occurs on first MScan scan run and the first MScan scan that you run after upgrading your WordPress version.

    MScan checks your current version of WordPress installed and automatically downloads the WordPress version zip file for the WP version that you currently have installed.  The WordPress zip file is automatically extracted/unzipped.  A new file is created that contains all of the MD5 file hashes for all WP Core files for your current version of WordPress that you have installed.  After the MD5 file hashes file is successfully created the zip file and the extracted WordPress folders and files are automatically deleted.  This is a one-time event that will only occur once per WordPress version that is currently installed.  Example:  If you are running MScan for the first time and your current version of WordPress is 4.8 then the WP 4.8 zip file will be automatically downloaded, extracted/unzipped, MD5 file hash array created for WP 4.8 and zip, folder/file cleanup will occur.  Any additional MScan scans that you run while you have WP 4.8 installed will not download another WP zip file.  When you upgrade your WP version to a new version the automated zip download, extraction, etc. will occur again only once to create a new MD5 file hash array for your current version of WordPress that you have installed.

    Scan appeared to stop or do nothing (checking the MScan Log shows that the scan appears to have just stopped on its own):
    If you run a scan and it stops on its own for no reason then try to rerun the scan again. If the scan fails again then either you are trying to scan too many files at one time or your web host does not allow whatever you are trying to do or you are scanning image files, which will cause the scan to stop on some web hosts or there is some other issue/problem occurring. Post any issues, problems or questions in the forum topic link above.

    Scan stopped or failed and the grey Progress Bar background CSS is still displayed:
    If a scan (regular scan or estimated scan) stops or fails prematurely before it is successfully completed due to a problem you may see the grey Progress Bar background image or the “Calculating Estimated Scan Time” or “MScan Scanning has started” message displayed. Click the Stop Scan button to reset/clear the Progress Bar, Scan Status and old displayed message. Common causes for this problem are: Image File Scan is turned On, which can cause a scan to stop or fail prematurely on some web hosts or you are trying to scan too many files at one time. Other possible causes could be that scanning a particular hosting account folder or file is causing the issue due to some problem with that folder or file. Try unchecking Hosting Account Root Folders that may be the source of the problem, save your MScan option settings and run another scan. The DB Scan Data may need to be deleted/cleared/reset in some cases before running another scan. Use the Delete DB Scan Data Tool to delete/reset your DB Scan Data.

    Estimated Scan Time FAQ Info:
    Scan times are estimated by counting the total number of files and total file size of all files to scan to get an estimated scan time completion. The estimated scan time is accurate to within 30 seconds of actual scan time completion.  If the actual scan takes much longer or takes less time than the estimated scan time for some reason you may see the grey background Progress Bar is still displayed.  Click the Stop Scan button to reset/clear the Progress Bar.  Check your MScan Log file to see if the scan completed successfully.

    A lot of WP Core files are being detected as suspicious files:
    If you are scanning multiple WordPress websites then all of those WordPress sites need to have the same WordPress version installed.  WP Core files are scanned by checking the MD5 file hashes for WP Core files.  To remove/delete any/all WP Core files that were flagged as suspicious use the Delete DB Scan Data Tool to delete all data in the View|Ignore|Delete Suspicious Files accordion tab Form.  Either upgrade the WordPress site that has another WP version installed and run another scan or do not scan that WordPress site from the site you are currently running the scan from.

    Another cause for a lot of WordPress files being detected as suspicious is you installed a WordPress Beta version of WordPress on your website at one point and leftover WP Core Beta folders or files still exist. To fix this issue you can either delete just the WP Core Beta folders or files that are being detected by MScan as suspicious or you can take your website offline and delete the entire WP Core folder (wp-admin, wp-includes, etc) and upload a new WP Core folder (wp-admin, wp-includes, etc). Example: WP 4.2 Beta2 created this /media/ folder with 111 files in it, but the RC and final WP 4.2 versions did not contain this folder or files. MScan will detect these 111 as suspicious files in this WP Core folder: /wp-includes/js/media/. You can either just delete the /media/ folder or delete and replace the entire wp-includes folder. To remove/delete any/all WP Core files that were flagged as suspicious use the Delete DB Scan Data Tool to delete all data in the View|Ignore|Delete Suspicious Files accordion tab Form. Not Recommended: You can also ignore these 111 files using the View|Ignore|Delete Suspicious Files Form. It is definitely a better idea to delete the old Beta folders and files instead of ignoring those files.

    Skipped file scanning general FAQ Info:
    If you run a regular MScan scan and then ignore all skipped files the skipped file scan will not scan any of those skipped files since they have been ignored. If you would like to scan skipped files at a later time you would need to unignore the skipped files in the View|Ignore|Delete Suspicious Files accordion tab Form and then run a Skipped File Scan. You can also use the Delete DB Scan Data Tool to reset/clear all Form data in the View|Ignore|Delete Suspicious Files Form, run a regular MScan scan and then run a Skipped File scan.

    Image File Scan caused scan to stop/fail – remove/delete image files in the View|Ignore|Delete Suspicious Files Form:
    Scanning image files (especially extremely large image files) can cause the scan to stop/fail on some web hosts.  Most web hosts already have security protection against Exif and Stegosploit image hacking methods.  To remove/delete image files in the View|Ignore|Delete Suspicious Files Form use the Delete DB Scan Data Tool to reset/clear all Form data.  Change the MScan Scan Image Files option setting to:  Image File Scan Off and resave your MScan Option settings so that the problem does not occur again.

    Web Host Malware Scanner detects malicious code in the BPS mscan-ajax-functions.php file:
    The BPS MScan Malware Scanner contains pattern matching code in the mscan-ajax-functions.php file. The pattern matching code is used to find and match actual malicious code in any/all website files and the WordPress Database. Please contact your Web Host support and request that they whitelist or ignore the BPS mscan-ajax-functions.php file. MScan will not work correctly until your Web Host support has whitelisted or ignored the BPS mscan-ajax-functions.php file.
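
The WP Core hash check described in the guide above (an MD5 list built from a reference copy, then compared against the installed files), as an added example that is not part of the original post and is not BPS code. The function names, the `CORE_DIRS` list and the sample trees are assumptions made for illustration; the reference copy is constructed locally instead of being downloaded.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # assumption: folders that hold only WP Core files

def md5_file(path):
    """MD5 of one file, read in chunks so large files are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(reference_root):
    """Relative path -> MD5 for every file of an extracted reference copy."""
    root = Path(reference_root)
    return {p.relative_to(root).as_posix(): md5_file(p)
            for p in root.rglob("*") if p.is_file()}

def compare_core(site_root, manifest):
    """Return (modified, unknown, missing) lists for one installed site."""
    root, modified, unknown, seen = Path(site_root), [], [], set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel in manifest:
            seen.add(rel)
            if md5_file(p) != manifest[rel]:
                modified.append(rel)   # core file whose content changed
        elif rel.split("/")[0] in CORE_DIRS:
            unknown.append(rel)        # file in a core folder that the release never shipped
    return modified, unknown, sorted(set(manifest) - seen)

def write_tree(root, files):
    for rel, data in files.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / rel).write_bytes(data)

def demo():
    """Constructed sample: a reference copy and a site with one altered and one leftover file."""
    reference = {"wp-login.php": b"<?php // login", "wp-admin/index.php": b"<?php // admin",
                 "wp-includes/version.php": b"<?php $wp_version = 'X';"}
    site = {**reference, "wp-login.php": b"<?php // login (altered)",
            "wp-includes/js/media/views.js": b"// leftover beta file",
            "wp-content/plugins/example/example.php": b"<?php // plugin"}
    with tempfile.TemporaryDirectory() as ref_dir, tempfile.TemporaryDirectory() as site_dir:
        write_tree(ref_dir, reference)
        write_tree(site_dir, site)
        return compare_core(site_dir, build_manifest(ref_dir))
```

Comparing a site against a manifest built from a different WordPress version puts most core files in the modified or unknown lists, which is the "a lot of WP Core files are being detected as suspicious" case from the FAQ.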

    #35498

    chuoiit22
    Participant

    This is a great article. It gave me a lot of useful information. Thank you very much. Link profile: http://phongkhamdakhoathegioi.vn/dieu-tri-benh-xuat-tinh-nguoc-dong.html

    #35683

    zmirli
    Participant

    USB Disk Security is a handy free tool that delivers a reasonably high level of protection against infected USB drives. Download and install the tool. When you’re ready, open USB Disk Security and select the USB Scan tab. As we are stopping malware, select the large USB Vaccine button. When you insert your backup USB drive, it will automatically scan for potential threats.
