Support

Akeeba Backup for Joomla!

#28788 – Siteguarding Antivirus Scanner Report says one file of the component is unsafe

Posted in ‘Akeeba Backup for Joomla!’
This is a public ticket. Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Sunday, 26 November 2017 21:43 CST
Siteguarding Antivirus Scanner Report indicates the following:

Heuristic logic has detected some unsafe files.



Infected File: /administrator/components/com_akeeba/Model/S3Import.php

Malware Type: php.var.function.14



What can you tell me about that? How can I solve this issue?
Custom Fields
Joomla! version (in x.y.z format)
3.6.5
PHP version (in x.y.z format)
7.0.25
Akeeba Backup version (x.y.z format)
5.6.0
Monday, 27 November 2017 02:23 CST
Our code is, of course, completely safe. This is most likely a false positive. I can also tell you what's triggering it. Around line 190 we are checking if the object name Amazon S3 returns contains the string '$folder$' (note the single quotes containing this string) since this is an indication that third party software created an empty "folder" in Amazon S3. Since Amazon S3 has no folders, just key-value storage, the concept of a "folder" is faked by creating an empty object inside that object named '$folder$'. The "heuristic logic" (a.k.a. "pattern matching") mistakes that for a similar, but substantially different and dangerous, construct.

Why is this happening? The "Heuristic logic" is a fancy way of saying "we are doing pattern matching on source code". This is the same pattern matching we are doing in Admin Tools' PHP File Change Scanner to calculate the "Threat score". As we have already explained, this is NOT an exact science: it's like using the frequency of certain words in free text to deduce its content. Its only utility is to help a human operator who speaks the language narrow down the number of files they have to manually check. Now, using that to calim that you have positively found a "virus" is daft, misleading and outright dangerous. Yet they do.

What should you do? My sincere advice is to not use this kind of self-proclaimed "antivirus" software. You cannot have an antivirus for PHP which is, by definition, source code. Not with significant advances in AI which let a computer "understand" the intent of the code. Anyone selling you this kind of "antivirus" is either ignorant or a snake-oil salesman. Take this from a person who writes this kind of software and markets it honestly as a threat score analyzer. If you absolutely need an automated way to detect hacks I recommend myJoomla.com. It's a combination of pattern matching with the additional benefit of seeing thousands of sites and figuring out the vast majority of false positives automatically. Full disclosure: I am in no way affiliated with myJoomla.com but I do know its founder, Phil Taylor, personally.

If you have no choice but use this fake antivirus you need to contact the self-proclaimed "antivirus" software company and notify them of the false positive. If they actually understand how their software works they'll tell you to ignore it and / or put an exception for our file in some configuration of their "antivirus".




Nicholas K. Dionysopoulos


Lead Developer and Director






Greek: native


English: excellent


French: basic






Please keep in mind my timezone and cultural differences when reading my replies. Thank you!






Monday, 27 November 2017 12:22 CST
Hi, Nicholas.

First of all, many thanks for your thorough answer.

Secondly, let me explain what we are needing and perhaps you could kindly advice me a better service than siteguarding.com

Our website has many forms where users must upload files. Our goal is to have all those files scanned at least once a day (if not during or immediately after being uploaded) to be sure no one is uploading risky files for the website and its users.

We came across this Joomla Plugin from Siteguarding, and we are just in the trial period. So we have no final decision yet and your answer might weight when the time comes.

I'm not sure if MyJoomla fulfills our needs. Or maybe Sucuri. Or do you know any other option? Better if it offers Joomla backend integration.

Looking forward for your reply.

Regards,

Fernando
Tuesday, 28 November 2017 03:02 CST
You could use the PHP File Change Scanner which is part of Admin Tools. What you described this software is doing is exactly what our PHP File Change Scanner does. However, I don't think you even need to do that.

Your threat surface is very limited: one directory where people upload stuff. This is easy to guard.

First of all, disable direct web access to that folder. You can use the .htaccess Maker in Admin Tools or a simple .htaccess.

Then you need to limit what is being uploaded. Assuming that uploads go through Joomla! you are already protected by Admin Tools and Joomla! itself (we contributed Admin Tools' UploadShield to Joomla! a couple of years ago).

In the off-chance that something executable goes through the .htaccess will prevent it from running. But you can also run a CRON job which looks for .php, .php3, .php5, .phps, .inc, .py and .pl files in the upload folder and delete them. Running this every 2 minutes is enough and doesn't increase server load.

Better yet, your forms should not handle uploads naively (trust the filename sent by the remote client). They should rename the uploads to a random name without an extension, e.g. like we are doing with Akeeba Ticket System. That eliminates the need for scanning in the first place.

The only thing that's not covered by that are Windows and document viruses / malware. I think this is best left to an actual antivirus running on the client computer where these files are eventually downloaded to. Otherwise you're looking at a more complicated setup which may or may not work properly.

As for myJoomla and Sucuri, they offer different kinds of services. myJoomla would check if your site is hacked and help you clean it. That would make sense if your forms are badly written and you are not sure if they have gaping holes which allow people to upload arbitrary files to arbitrary directories. Until you can audit your code myJoomla should be a good option, on top of Admin Tools' PHP File Change Scanner.

Sucuri, on the other hand, deals with inbound malicious traffic. Of course Admin Tools' Web Application Firewall also does the same. I see them as complementary. Sucuri can handle the bulk of the attacks since it's a service sitting in front of your site. It will block stuff before it hits your server, reducing the server load. Admin Tools will catch those cases which require knowing the application state to accurately judge maliciousness.

TL;DR: You can have more than decent protection just with Admin Tools. Third party services are a good thing, if you can spare the expense, but not a mandatory ingredient for your particular use case.




Nicholas K. Dionysopoulos


Lead Developer and Director






Greek: native


English: excellent


French: basic






Please keep in mind my timezone and cultural differences when reading my replies. Thank you!






Thursday, 28 December 2017 17:17 CST
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
Edited by on 2017-12-28 23:17
This ticket is closed, therefore read-only. You can no longer reply to it. If you need to provide more information, please open a new ticket and mention this ticket's number.

Support Information

Working hours: Typically we work Monday to Friday, 9am to 7pm Cyprus timezone (EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets, but we cannot respond to them, outside of our working hours.

Support policy: Read the complete support policy which is part of our Terms of Service. We kindly remind our subscribers that they have already explicitly and unconditionally accepted the Terms of Service.

Cookies Notification - Action required

This website uses cookies to provide user authentication and improve your user experience. Please indicate whether you consent to our site placing these cookies on your device. You can change your preference later, from the controls which will be made available to you at the bottom of every page of our site.