MScan Malware Scanner Guide

Viewing 14 posts - 16 through 29 (of 29 total)
  • #40755
    JWoods006
    Participant

    Ok. I tried removing the htaccess and then running a core scan. Same result. Then I tried putting it back and just running wp-admin alone… same result.

    When you said ROOT htaccess you mean the one in the website folder? On my server I have multiple websites, did you mean the htaccess that is one up from the website folder?

    Thank you for any help with this

    #40756
    AITpro Admin
    Keymaster

    @ JWoods006 – Check your server logs for the 403 error that is occurring or any other errors by date/time of the error and post them in your forum reply so I can see exactly what is being blocked.  The 403 error may also be logged in the BPS Security log assuming that the server error message that is being displayed to you is accurate and not just a generic server error message.  The problem could just be that the way your server is configured, it is unable to process the MScan scan and the server error message that is displayed is triggering the server error message that is displayed to you.

    #40833
    JoanDellinger
    Participant

    Yeah, you were right, the flags should have been removed from what I don’t need

    #42248
    mathu yaar
    Participant

    There are many free antivirus programs you can use (Avast, Kaspersky, BitDefender). For malware I use Spybot – Search & Destroy portable and SUPERAntiSpyware (both free versions).

     

    #42603
    patrick
    Participant

    Hello!

    I’m new to building hps and WordPress and I installed the plugin. I made a scan and it showed me multiple sus files as well as DB entries. Do I need to be worried? Did I get hacked? I also had 2 visits from China through Baidu.

    What do you think? Should I delete all these files?

    #42605
    AITpro Admin
    Keymaster

    @ patrick – most of the files were tmp files.  You can ignore all of them.  The other files are ok too so ignore them as well.

    #43342
    beatty2020
    Participant

    Hi,

    A recent MScan shows what looks to be a couple hundred “File Hash” confirmed affected files.

    Deleting them individually removes them, but if I try to bulk delete all the File Hashes, it seems to go through something but then shows that the same problem files still remain. Only when I select them individually does it seem to successfully remove the problem files.

    Most of these files are confined in the plugins:

    • gravity forms
    • redirection
    • wp-rocket
    • genesis page builder
    • bulletproof security
    • wordpress seo
    • google site kit
    • wp migrate db

    So, most of the plugins but not all of them.

    Sometimes, I’ll be selecting a huge bulk of the files manually to delete, and when I delete them it will cause the site to crash. When I rename the plugins folder I will get the site back online.

    Is there a better way to remove these files other than using the MScan Malware Scanner dashboard?

    I just updated a few of these plugins prior to seeing this huge MScan report. Would it help/work to delete the plugins, drop the tables in the database, and then reinstall fresh copies of these plugins?

    It’s taking a very long time to remove these files the way I’m doing it now.

    Please advise, thanks.

     

    #43344
    AITpro Admin
    Keymaster

    You pretty much never want to delete any files that MScan detects as suspicious.  Most likely the scan did not complete successfully, or if only a small number of files have different file hashes, then those plugin files were modified by the plugin after the plugin was installed, which is very common these days.  MScan is a tool that should only be used in performing a general check.  You should expect that if MScan flags a file as suspicious then most likely it is a false positive.  Malware scanners are unfortunately not really reliable.  That is why I created AutoRestore|Quarantine, which is 100% accurate and reliable.

    To fix everything, reinstall all the plugins that you deleted any files from.
    To reset MScan click the Reset MScan button and click the Delete File Hashes Tool button.
    Run new scans.  The first scan will create new file hashes.  The second scan will scan files.

    #43345
    beatty2020
    Participant

    Now I’m confused. I have been deleting all files marked “File Hash: altered or unknown plugin file.”

    At the top of the MScan is this: File hash comparison scan results are 100% accurate.

    So I wasn’t supposed to delete those files?

    One set of files referred to the plugin Redirection which has not been on the website for over a year. Reinstall it?

     

    #43346
    AITpro Admin
    Keymaster

    I need to change that statement to “File hash comparison scan results are 100% accurate if the File Hash Maker created the file hashes successfully and if a plugin or theme did not modify a plugin or theme file after the plugin or theme was installed. If you are seeing a large number of plugin or theme file hashes that do not match then most likely something went wrong during the File Hash Maker process. You should click the Reset MScan button and click the Delete File Hashes Tool button and run another scan”.

    Scan results are static, which means that old scan results that are no longer relevant will still be stored in the scan results until you clear/delete them.  To clear/delete old scan results click the Reset MScan button.  To clear/delete old Plugin or Theme File Hashes click the Delete File Hashes Tool button.
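
The two-scan workflow described in the reply above (the first scan creates file hashes, the second compares files against them), as an added example that is not part of the original post and is not MScan's own code. It assumes SHA-256 and a constructed plugin tree; the names `hash_tree`, `compare` and `demo` are hypothetical. It shows how a plugin rewriting its own file and an uninstalled plugin's leftover hashes both surface as mismatches, and it only reports them for review.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Return {relative_path: sha256_hex} for every regular file under root."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            out[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences. Nothing is deleted; the result is a review list."""
    return {
        # Same path, different content: tampering OR a plugin editing itself.
        "altered": sorted(f for f in current if f in baseline and current[f] != baseline[f]),
        # On disk but never hashed: a new upload or an incomplete baseline.
        "unknown": sorted(f for f in current if f not in baseline),
        # Hashed but gone from disk: old entries that need clearing, not deleting.
        "stale_baseline": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed plugin tree: take a baseline, then simulate later changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plugin-a").mkdir()
        (root / "plugin-b").mkdir()
        (root / "plugin-a/main.php").write_text("<?php // v1\n")
        (root / "plugin-a/cache.php").write_text("<?php // generated: 0\n")
        (root / "plugin-b/old.php").write_text("<?php // removed later\n")
        baseline = hash_tree(root)  # first scan: create the file hashes
        # The plugin rewrites its own generated file after install (benign).
        (root / "plugin-a/cache.php").write_text("<?php // generated: 1\n")
        # plugin-b is uninstalled, so its baseline entries are now stale.
        (root / "plugin-b/old.php").unlink()
        # A file appears that was never hashed and needs manual inspection.
        (root / "plugin-a/new.php").write_text("<?php // unreviewed\n")
        return compare(baseline, hash_tree(root))  # second scan: compare


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```
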

    #43351
    beatty2020
    Participant

    OK I deleted and reinstalled the plugins in question. And then Reset the MScan. Ran an MScan. And then Reset it again, out of caution / time wasting. Ran the MScan again and saw only 20 suspicious files. All of them were either fine or easy to delete (old plugin files).

    So I think I’m all set.

    Thanks much!

    #43517
    jenni101
    Participant

    Hi,

    I’ve just been setting up BPS pro again now I’ve switched provider to Hostinger. When doing this I also set up MScan (which I’m not very familiar with) – however OK until now…

    I was notified of files that were suspicious (and ones on my DB – but I didn’t get as far as that!), looked in the MScan and saw that it was showing the leftover files from Siteground Optimiser plugin which I’d already deleted (and which I’d previously checked with Siteground were OK to delete now). So, as they no longer existed I clicked ‘delete’ for all of them, which it did BUT when I reloaded the backend page AND my frontend website it showed a random 404 page – not even one from my site! So everything totally gone!!!

    I’m now in the midst of restoring a backup from my server and keeping fingers crossed it will be OK. If not, not sure what to do!

    If it is, then can you tell me if I did something wrong?? As I just selected ‘delete’ for files that were already deleted.

    I’m not sure if I can manage MScan, maybe I can just turn it off?

    Look forward to your thoughts…

    #43519
    AITpro Admin
    Keymaster

    I wish I had never added the option to delete files in MScan.  Malware scanners are simply a basic tool for scanning for possible hacker code and files.  They are not very accurate due to using pattern matching to find possible malicious code/files.  That is why I used the wording “suspicious” vs “malicious” in MScan.   The correct way to use MScan is to physically check the files that MScan sees as suspicious.  Once you have confirmed they are or are not malicious you would then take action.

    AutoRestore|Quarantine, which came many years before I added MScan, is far superior to MScan and any/all Malware scanners because it uses a completely different and 100% accurate method of checking files for tampering and checking when a new file has been uploaded to a hosting account.

    In summary, MScan can be used as a general basic tool to check a website for possible hacker files and code, but it is a malware scanner so you should expect false positives since that is what occurs with all malware scanners.

    #43521
    jenni101
    Participant

    OK good to know. Site is fully restored now, and I can now re-check the files that MScan said were suspicious and see why my site disappeared – as it also had my .htaccess files at the very bottom of a very long list!!  So I’ve now turned it off.

    BTW I couldn’t get the MScan page to load or do anything in Chrome (nor in Firefox as you’ve already said) but it did work in MS Edge – which was the only way I could get it to turn off.
