#29270 ConfigServer Exploit Scanner

Posted in ‘Site restoration’
Environment Information

PHP version: n/a
CMS Type: Other
CMS Version: n/a
Backup Tool Version: n/a
Kickstart version: n/a

Latest post by on Wednesday, 28 March 2018 17:17 CDT

ARTIFIEDWEB
Dear Sirs,
this is not really a ticket.
I would just like to inform you about a "problem" with your products.
The ConfigServer eXploit Scanner (or CXS) seems to identify many of your files as potential threats for using Regular expression match = [symlink\s*\(]

This tool is a widely known malware scanner for servers. Maybe you should alter your code or get in touch with them to mark it as safe. For now I have solved my problems by adding the MD5 Hash of your files to the ignore list.

Keep up the good work.
Best Regards,
George Angelopoulos

nicholas
Akeeba Staff
Manager
This is a problem with false positives on the third party product you are using. Since you are their client you need to contact them and explain the problem their software is causing you. According to our experience every time we contact the vendor of such software we either get no reply or we get a form reply that its users can add any file they want to a whitelist - which you already do.

The only thing we can do on our side is make sure that the code we produce is safe, i.e. it does not cause any security issues on your site. This is what I've been doing since the very first beta version of JoomlaPack I released in 2006.

If you want more information on why signature scanning source code won't yield accurate results you should read the documentation of Admin Tools' PHP File Change Scanner feature. The Threat Score calculation is doing exactly what CXS and hundreds of other similar solutions do: it matches your PHP files against code patterns which are typically, but not exclusively, used by malicious scripts and flags the files where these patterns appear. Our solution is much smarter in that it does a weighted score (e.g. it knows that base64_decode by itself is probably safe but a regex with the 'e' flag is most definitely not) and draws your attention to the important files. It also keeps track of which files have changed not just by timestamp but also by multiple checksums and won't bother you about the same files over and over again if you mark them as safe. Basically, I don't see why you need to use CXS when you are already paying for and have installed a better solution on your site. Would you rather we renamed PHP File Change Scanner to "Malware Scanner"? Because that's a discussion we're currently having internally, seeing that our clients do miss the point of that feature :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
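
The difference between a plain signature match and a weighted score with a marked-safe list, as an added example that is not part of the ticket and is not CXS or Akeeba code. The rule set, weights, threshold, the use of SHA-256 for the safe list and the sample PHP sources are all assumptions constructed for illustration.

```python
import hashlib
import re

# Hypothetical rules and weights, for illustration only; these are not the
# actual rules of CXS or of Admin Tools' PHP File Change Scanner.
RULES = [
    ("symlink_call", re.compile(r"symlink\s*\("), 1),         # regex quoted in the ticket
    ("base64_decode", re.compile(r"base64_decode\s*\("), 1),  # common in benign code
    # preg_replace() whose pattern literal carries the 'e' (eval) modifier
    ("preg_replace_e", re.compile(
        r"preg_replace\s*\(\s*(['\"])(.)(?:(?!\2).)*\2[a-zA-Z]*e[a-zA-Z]*\1"), 10),
]

def digest(source: str) -> str:
    """Content hash used to remember files a human has marked as safe."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()

def signature_hits(source: str) -> list[str]:
    """Plain signature scan: every rule that matches, all treated alike."""
    return [name for name, rx, _ in RULES if rx.search(source)]

def threat_score(source: str) -> int:
    """Weighted scan: sum the weights of the rules that match."""
    return sum(w for _, rx, w in RULES if rx.search(source))

def triage(files: dict[str, str], marked_safe: set[str], threshold: int = 5):
    """Return (path, score) for files at or above threshold, highest first,
    skipping files whose current content hash was marked safe."""
    flagged = [(p, threat_score(s)) for p, s in files.items()
               if digest(s) not in marked_safe]
    return sorted([f for f in flagged if f[1] >= threshold], key=lambda f: -f[1])

# Constructed sample sources (not taken from any real product).
SAMPLES = {
    "backup/restore.php": "<?php if ($isLink) { @symlink($target, $path); }\n"
                          "$data = base64_decode($chunk);",
    "lib/text.php": "<?php $name = preg_replace('/\\s+/', ' ', $name);",
    "tmp/x.php": "<?php preg_replace('/.*/e', base64_decode($input), '');",
}

if __name__ == "__main__":
    for path, src in SAMPLES.items():
        print(path, signature_hits(src), threat_score(src))
    print(triage(SAMPLES, marked_safe=set()))
```

The backup-style file trips two signatures but scores below the threshold, while a safe-list entry stops applying as soon as the file content changes.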

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
