Home › Forums › BulletProof Security Pro › MScan Malware Scanner Guide
Tagged: Malware Scanner, MScan
- This topic has 29 replies, 9 voices, and was last updated 5 months, 1 week ago by alexreynolds.
-
AuthorPosts
-
AITpro AdminKeymaster
MScan Malware Scanner General Info
MScan is a malware scanner that scans website files for hacker files or code and scans the WP database for hacker code. If you are looking for something that is much more advanced, automated and superior to all/any malware scanners including MScan then we have already created that in BPS Pro > AutoRestore|Quarantine Intrusion Detection and Prevention System (ARQ IDPS), which is also a file scanner, but ARQ IDPS does not scan for malicious hacker code and instead uses an unbeatable method to protect website files in real-time.
MScan has been completely rebuilt in BPS Pro 15.4 and BPS 4.9. MScan now uses file hash comparisons for all WP files (WP Core, Plugins and Themes). File hash comparisons are 100% accurate, which means no false positives will occur for any WP files. All other non-WP files are scanned using standard conventional pattern matching, but now that WP Files are all scanned with file hash comparisons this allowed increasing the detection sensitivity for pattern matching scanning. Additional pattern matching rules have been added to MScan.
MScan Question Mark Help Info
MScan General Info
MScan scans WP Core, Plugin and Theme files using file hash comparisons, which is 100% accurate vs conventional pattern matching, which is typically around 75% – 85% accurate. MScan scans all other website files (non-WordPress files) using conventional pattern matching scanning. The pattern matching code is much more extensive in MScan and will hopefully achieve a 95% or higher detection rate. False positives are inevitable when using conventional pattern matching scanning, but since MScan uses file hash comparison scanning for all WP Core, Plugin and Theme files then there will not be any false positives detected for any/all WordPress files (WP Core, Plugins and Themes). MScan automatically downloads WordPress, Plugin and Theme zip files, extracts the zip files, creates file hashes for all files and then deletes the zip files and all extracted folders and files. WP Core, Plugin and Theme zip downloads only occur on the first MScan scan or when a new WordPress, Plugin or Theme version is installed/updated or when the Delete File Hashes Tool is used.File Hash Maker
If new WP Core, Plugin or Theme zip files need to be downloaded and processed you will see the see the “File Hash Maker Time Remaining: 00:00:00: Downloading and extracting zip files” scan status. Once the File Hash Maker has completed it will display the number of zip files processed. Click the Start Scan button after the File Hash Maker has completed to scan files. Note: File scanning does not occur when the File Hash Maker is running to prevent false positive file hash mismatches.Scanning Other WordPress Sites
Website folder checkboxes cannot be checked for other WordPress sites under your hosting account. To scan other WordPress sites under your hosting account run MScan from each site. There are several technical reasons for doing this: Each site may have a different version of WordPress installed and different Plugins and Themes installed. MScan now uses file hash comparisons for each individual site based on the WordPress, Plugin and Theme versions installed on each individual website.Calculating Scan Time Exceeded: Still calculating estimated scan time
If you see “Calculating Scan Time Exceeded: Still calculating estimated scan time” this means that the current scan time estimate is taking longer than expected. The scan will still complete successfully.Processing Total File Count
If you see “Processing Total File Count: Still scanning files” that means that the current scan that you are running has not yet processed the total number of files to scan yet. The scan will complete successfully.Error: Files found in the plugin-hashes folder
If you see “Total Files Scanned: Error: Files found in the plugin-hashes folder” that means that files (and probably folders too) were found in the /wp-content/bps-backup/plugin-hashes/ folder. This problem could be caused by uploading a plugin zip file that does not extract the entire plugin folder and instead extracts individual plugin folders and files. To fix this problem you will need to use FTP or your web host control panel file manager and delete all folders and files in the /plugin-hashes/ folder except for this file: plugin-hashes.php. To correctly make a plugin zip file that extracts the entire plugin folder you would right mouse click on the plugin folder, click “send to” and then click “Compressed (zipped) folder” on Windows.Error: Files found in the theme-hashes folder
If you see “Total Files Scanned: Error: Files found in the theme-hashes folder” that means that files (and probably folders too) were found in the /wp-content/bps-backup/theme-hashes/ folder. This problem could be caused by uploading a theme zip file that does not extract the entire theme folder and instead extracts individual theme folders and files. To fix this problem you will need to use FTP or your web host control panel file manager and delete all folders and files in the /theme-hashes/ folder except for this file: theme-hashes.php. To correctly make a theme zip file that extracts the entire theme folder you would right mouse click on the theme folder, click “send to” and then click “Compressed (zipped) folder” on Windows.Start Scan
Clicking the Start Scan button starts a scan.Stop Scan
Clicking the Stop Scan button stops a scan. You can also deactivate and activate the BPS Pro plugin on the WordPress Plugins page to stop a scan.Reset MScan
The Reset MScan button resets/deletes these things: MScan Status option values: The Scan Completed timestamp, Total Scan Time, Total Files Scanned, Skipped Files, Suspicious Files and Suspicious DB Entries status values will be deleted and will either display blank or 0. The scan data in the View|Ignore|Delete Suspicious Files and View|Ignore Suspicious DB Entries Forms will be deleted.Website Folders & Files To Scan
Checking a checkbox means scan that folder. Unchecking a checkbox means do not scan that folder. “Giving WordPress Its Own Directory” site types: All scannable parent folders will be listed along with your WP installation folders. Both parent folders and files and WP installation folders and files that you select/check will be scanned. All other site types: All folders in your WP installation folder will be listed. All folders and files in your WP installation folder that you select/check will be scanned.Max File Size Limit to Scan
Files that are larger than the default file size setting of 1000KB will be skipped by default in a regular scan and can be scanned using a Skipped File scan. You can change the max file size limit option setting to a larger max file size limit.Max Time Limit to Scan
The default time limit for script execution on most web hosts is 300 seconds. The default time limit setting for MScan scanning is also set to 300 seconds. It is not recommended that you increase the time limit higher than 300 seconds.Exclude Individual Folders
Enter relative folder paths one folder path per line. A relative folder path is this: /some-folder/some-subfolder. A literal path would be the full server path: /xxxxx/xxxxx/public_html/wordpress/some-folder/some-subfolder. Important Note: Add at least 2 folders in the path. The reason for that is if you just enter 1 folder name/path it could match other folder names somewhere else under your website folders. Example: If you only entered The folder path/name /cache/ it would match all folders named /cache/. If you add the folder name/path: /wp-content/cache/ it would only match this particular cache folder under the wp-content folder.Scan Database
When Database scan is turned on your WordPress database will be scanned for suspicious code.Scan Skipped Files Only
Skipped files are files that are larger than the “Max File Size Limit to Scan” option setting file size. The default file size setting is 400KB. When Skipped File Scan is On only skipped files will be scanned. Note: No other MScan option settings have any effect while Skipped File Scan is set to On.Automatically Delete /tmp Files
When Delete Tmp Files is On, all temporary files will be deleted. Hackers commonly hide hacker files in the /tmp folder.Exclude /tmp Files
Enter 1 file name per line. Some web hosts store files such as, mysql.sock, .s.PGSQL.5432 and .per-user in the /tmp folder. These files cannot be deleted by MScan, but attempting to delete these files will generate php errors. To prevent php errors from occurring you would exclude files such as these using the MScan Exclude /tmp files option setting. You will need to ask your web host for the names of those tmp files to exclude.Scheduled Scan Frequency
You can choose to schedule ongoing automated scans. Note: The BPS Pro ARQ IDPS scanner is far superior to any/all Malware scanners including BPS Pro MScan. You can of course use both ARQ IDPS and MScan scheduled scans together.Delete File Hashes Tool
This tool allows you to delete the Plugin and Theme file hashes. This tool should ONLY be used if there is a problem when scanning Plugin and Theme files. Usages: If you downgrade a plugin to an older version then use this tool to delete Plugin and Theme file hashes. If the MScan file hash comparison results display a large number of Plugin or Theme files as suspicious: Example: Suspicious|Modified|Unknown Plugin or Theme file then use this tool to delete all Plugin and Theme file hashes. After using this tool, the next MScan scan that you perform will download new Plugin and Theme zip files, extract them, make new Plugin and Theme file hashes and then delete the zip files. Important Note: You should also click the MScan Reset button after using this tool to remove any old/bad scan data.Upload Plugin Zip Files
You can upload multiple zip files at the same time by using your Ctrl or Shift keyboard keys on Windows. This upload form allows you to upload premium, paid and custom plugin zip files that are not in the WordPress Plugin Repository on wordpress.org. MScan will automatically extract any uploaded plugin zip files, create file hashes and delete the plugin zip files on the next MScan scan. If you do not choose to upload premium, paid and custom plugin zip files then those premium, paid and custom plugin files will not be scanned. Important Note: Plugin zip files MUST be named/renamed using the version number in this exact format: plugin-name.x.x.zip where x is the actual current plugin version number. The reason for that is MScan keeps track of the version numbers for plugins in order to create new plugin file hashes for newer versions of plugins when you update them. This process is completely automated for any/all free plugins that you have installed from the WordPress Plugin Repository on wordpress.org. Important Note: Some plugin zip files in the WP Plugin Repository are not named with a version number. If you would like to scan those plugins you will need to download the plugin zip file and rename it using this exact format: plugin-name.x.x.zip and then upload the renamed plugin zip file.Upload Theme Zip Files
You can upload multiple zip files at the same time by using your Ctrl or Shift keyboard keys on Windows. This upload form allows you to upload premium, paid and custom theme zip files that are not in the WordPress Theme Repository on wordpress.org. MScan will automatically extract any uploaded theme zip files, create file hashes and delete the theme zip files on the next MScan scan. If you do not choose to upload premium, paid and custom theme zip files then those premium, paid and custom theme files will not be scanned. Important Note: Theme zip files MUST be named/renamed using the version number in this exact format: theme-name.x.x.zip where x is the actual current theme version number. The reason for that is MScan keeps track of the version numbers for themes in order to create new theme file hashes for newer versions of themes when you update them. This process is completely automated for any/all free themes that you have installed from the WordPress Theme Repository on wordpress.org. Important Note: Some theme zip files in the WP Theme Repository are not named with a version number. If you would like to scan those themes you will need to download the theme zip file and rename it using this exact format: theme-name.x.x.zip and then upload the renamed theme zip file. Child Themes are a custom Theme. Zip a known good/clean copy of your Child Theme folder and upload it if you would like your Child Theme files scanned. Use the same zip file naming convention: theme-name-child.x.x.zip.View|Ignore|Delete Suspicious Files
This form allows you to view, ignore, unignore or delete suspicious and skipped files. If you are not sure if code is malicious or safe you can copy the code and post the code in the MScan Troubleshooting & Code Posting form topic. See the link above. If you are unsure if a file is a hacker file or not then download a copy of that file before deleting it. When you ignore a file it will no longer be scanned in any future scans. When you unignore an ignored file it will be scanned in future scans.View|Ignore Suspicious DB Entries
This form allows you to view, ignore or unignore suspicious DB Entries. Note: The view option displays the DB Table, Column, Row ID and the MScan Pattern Match that was detected by the MScan scan. Use phpMyAdmin or a similar tool to check your database Row where the suspicious code was found. When you ignore a DB Entry it will no longer be scanned in any future scans. When you unignore an ignored DB Entry it will be scanned in future scans.MScan Report Question Mark Help Info
MScan Report General Information
After running a scan your extensive scan results data is displayed on this tab page. If you would like to save your scan results data click the Save MScan Report button. You can save up to 20 scan reports. You can view or delete scan reports on the MScan Saved Reports tab page using the MScan Saved Reports Form.No File Hashes for This Plugin or No File Hashes for This Theme
If you see either of these status messages under Plugin File Hashes or Theme File Hashes then go to the main MScan tab page, click the MScan Question Mark help button and read the “Upload Plugin Zip Files” or “Upload Theme Zip Files” help section.MScan Saved Reports Question Mark Help Info
MScan Saved Reports General Information
You can save up to 20 scan reports. You can view or delete scan reports. If you would like to view a saved scan report select the View Report checkbox for the scan report you would like to view and click the View|Delete Reports button. Scan report data is displayed below the MScan Saved Reports Form. If you would like to delete a saved scan report select the Delete Report checkbox for the scan report you would like to delete and click the View|Delete Reports button. Refresh/reload the MScan Saved Reports tab page when deleting scan reports to see the current MScan Saved Reports Form data.Terri ZxParticipantHow do the features of MScan compare to WPScan? I know the latter keeps a hand-curated database, but if MScan would find those vulnerabilities anyway, then I wouldn’t need WPScan, correct?
AITpro AdminKeymasterSorry for the late response. 😉 Anything Sucuri creates is going to be really good. I’ve not played around with WPScan, but it’s probably really good – the Sucuri guys/gals are the real deal. I spent a few months rebuilding BPS MScan and it’s pretty solid at this point, but yeah nothing is ever perfect… 😉 The core scanning engine in MScan is really solid, but the gimmicky stuff needs some additional work. So I really can’t answer the question until I take WPScan for a test drive. I’ll do that over the weekend and let you know what I think.
Terri ZxParticipantI didn’t know Sucuri was behind WPScan!
Thanks for taking a look. You da best! 🙂
Peace,
Terri ZTerri ZxParticipantHi again,
I’ve been rolling out use of MScan across more of my client’s sites. I usually encounter a few suspect files and a handful or two suspicious database entries. But on one site, I’m getting what looks like hundreds of suspicious database entries. Most of them are flagging content that has “<iframe…”. This client’s site displays videos recorded at YouTube and Vimeo – via iframe. Is there a way to tell MScan to skip certain database content?
(Also, any progress on your WPScan test drive?)
Thanks!
Terri Z
AITpro AdminKeymasterYou can either choose not to scan the database by changing this MScan option setting: Scan Database > Database Scan Off or you can check the Ignore DB Entry checkboxes under the > View|Ignore Suspicious DB Entries accordion tab/button. Ignoring db entries is the same as skipping them.
Regarding the difference between MScan and WPScan: MScan is a conventional malware scanner and WPScan Catalogs known WordPress Core Vulnerabilities, Plugin Vulnerabilities and Theme Vulnerabilities and then checks your site’s WP version, plugins and themes against their DB of known vulnerabilities.
The rebuild of MScan got MScan to a place that is satisfactory to me, but yeah it is only a malware scanner. All malware scanners are beatable because hackers intentionally create obfuscated code that is not detectable by malware scanners. Malware scanners should used as a tool to aid in website/hosting account hack and not be relied on to detect or clean up a hosting account of all hacker files/code. The only 100% reliable way to clean up a hacked hosting account is to do it manually using these steps > https://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/ , which are luckily very quick and simple to do.
AutoRestore|Quarantine is far superior to MScan and all other malware scanners since it uses a different method to check files vs conventional malware scanners, but in order for AutoRestore|Quarantine to be effective a hosting account needs to be 100% clean of all hacker files/code.
Terri ZxParticipantThanks for the explanation! Appreciated 🙂
Terri ZxParticipantHello again,
I’m going to have to turn off the MScan database scan off – my client has many posts, built by Divi, that include <noscript> text for those who don’t have javascript turned on. Every time a new one appears, I get an MScan alert. It’s too time-consuming to go in and ignore them.
I really wish I could tell the database scan that <iframe> and <noscript> are ok and can be automatically ignored. Just sayin’ 😉
I suppose that file changes are likely more important and would catch any malicious code that might be able to get access to the database.
AITpro AdminKeymasterYes, you are correct that most hacks occur at the file level first. Once a hacker has uploaded a file to your hosting account they then hack the WP DB and add hacker code in the DB. The only exception to that hacking method is Spam Link Injection hacks, which are directly injected into your database due to a security vulnerability in a Plugin or Theme. So it is fine to turn Off DB scans. It is very rare that a hacker will add hacker code in the WP DB. So scanning the DB is not really necessary to do.
Terri ZxParticipantCool, thanks for the explanation. Turning it off!!
JWoods006ParticipantI have just downloaded BPS. Set it up as best I can tell. I have run the MScan… it pops up a separate window that shows nothing… sits for a a while then gives a 403 error and says:
Forbidden
You don’t have permission to access this resource.Server unable to read htaccess file, denying access to be safe.
I have tried this a few times. It does not tell me what I dont have access to but will not scan anything. Every other part of BPS seems fine. What can I do to correct this?
thank you
AITpro AdminKeymaster@ JWoods006 – This sounds like a file permissions or Ownership problem.
Go to the BPS > System Info page > File|Folder Permissions (CGI or DSO)|Script Owner User ID (UID)|File Owner User ID table (bottom right table) > copy the entire table contents and post it in your forum reply (don’t worry about formatting the table contents – I’ll do that).
JWoods006ParticipantFile Path
Folder PathRecommended
PermissionsCurrent
PermissionsScript Owner
User ID (UID)File Owner
User ID../ 705 0755 1160 1160 ../.htaccess 404 0604 1160 1160 ../wp-config.php 604 0604 1160 1160 ../index.php 604 0604 1160 1160 ../wp-blog-header.php 604 0604 1160 1160 ../wp-admin 705 0705 1160 1160 ../wp-includes 705 0705 1160 1160 ../wp-content 705 0705 1160 1160 ../wp-content/plugins 705 0705 1160 1160 ../wp-content/themes 705 0705 1160 1160 ../wp-content/uploads 705 0705 1160 1160 ../wp-content/upgrade 755 0755 1160 1160 ../wp-content/mu-plugins 705 0705 1160 1160 ../wp-content/bps-backup 705 0705 1160 1160 ../wp-content/bps-backup/logs 705 0705 1160 1160 ../wp-content/bps-backup/master-backups 705 0705 1160 1160 ../wp-content/bps-backup/mscan 705 0705 1160 1160 ../wp-content/bps-backup/wp-hashes 705 0705 1160 1160 /tmp — 1777 0 0 ../wp-content/bps-backup/backups_vItmAxqOTf0Mo1c 705 0705 1160 1160 Also, i did not see this before, but on the same page in the “Website|Server|Opcode Cache|Accelerators|IP Info”
Apache Modules|Directives|Backward Compatibility(Yes|No)|IfModule(Yes|No):
ERROR: wp_remote_get() function is blocked or unable to get the URL path
: mod_access_compat is not Loaded|IfModule: Yes
403: mod_authz_core is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
403: mod_authz_host is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
200: mod_rewrite Module is Loaded|IfModule: Yes
403: mod_security2 Module is Loaded|Enabled|IfModule: YesThank you for the help.
AITpro AdminKeymaster@ JWoods006 – Your file permissions and Ownership look good. Maybe there is some mod_access_compat htaccess code in the root htaccess file that your server is not processing. Try deleting your root htaccess file and then run another MScan scan. If that does not work then you will need to check your server logs for clues to what is causing the problem.
AITpro AdminKeymaster@ JWoods006 – Actually try this first – uncheck all Website Folders & Files To Scan except for the WP Core folders: wp-admin, wp-content and wp-includes. What is probably happening is you are trying to scan a protected server folder.
-
AuthorPosts
- You must be logged in to reply to this topic.