[Resolved] Virus scanner blocks basic js

This thread is resolved. Here is a description of the problem and solution.

Problem:

The issue here is that the user's website was returning a positive result for a virus.

Solution:

Unfortunately it was a false positive. I can assure you that our Toolset plugins have no viruses.

This support ticket was created 6 years, 4 months ago. There's a good chance that you are reading advice that is now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

This topic contains 14 replies, has 2 voices.

Last updated by Shane 6 years, 4 months ago.

Assisted by: Shane.

#1079791

My virus scanner (F-Secure) blocks basic.js with the following error: Trojan-downloader:Js/Locky.048d331c81!Online, Locatie: hidden link

It's probably a false positive but it's really annoying since it pops up every time I try to edit or add a custom post (type). I'm also getting errors when I duplicated or deleted a post type.

I couldn't upload the types plugin either, I got a "this link is expired" error. I eventually uploaded it via FTP. I only had that problem with types, I could upload the access, views, forms and module manager without any problem.

Already tried to disable all plugins but that didn't work either.

#1079812

Shane
Supporter

Languages: English (English )

Timezone: America/Jamaica (GMT-05:00)

Hi Marcel,

I suspect that this is a false alarm as well.

However, is the virus scanner a free plugin? Or is there somewhere that I can do the scan?

Please let me know.

Thanks,
Shane

#1079814

Hi Shane,

It's not a plugin on the website that causes the alert, it's the virus scanner on my computer. F-Secure is the name of that virus scanner (so like Norton and McAfee, it's a pretty well known brand).

Is the browser supposed to download the file I mentioned when working on a custom post (type)?

I don't have this problem on my test site, just on this one client site.

#1079817

Shane
Supporter

Hi Marcel,

Unfortunately no, there are no files being downloaded when I edit a CPT.

Thanks,
Shane

#1079818

Okay, I know it's a problem with this specific website. It wasn't updated for a long time (was still running on WP 4.4) so I updated everything before I started. When this problem occurred, I uploaded WordPress core files (except for /wp-content) manually but it didn't solve the problem.

Can you or one of your colleagues tell me what's causing the problem (maybe from the error log)?

#1081326

Shane
Supporter

Hi Marcel,

What I can do is to escalate this one to our 2nd tier supporters. Maybe they have some knowledge on it.

But first, you mentioned that when visiting the site a file is downloaded. Could you send me the link of the exact page where this occurs?

Thanks,
Shane

#1081351

Hi Shane,

Ok, please escalate then. The file downloads on every page where I edit a custom post type:

hidden link
hidden link
hidden link

And, if I'm not mistaken, also when I add a new item in the CPT, or edit an existing one.

#1081379

Shane
Supporter

Hi Marcel,

These urls don't download any file for me.

Are you using a Windows PC? Also, what browser are you using?

Thanks,
Shane

#1081380

I'm using a Windows 10 PC with Chrome (but I have the same problem in IE as well).

#1081429

Shane
Supporter

Hi Marcel,

I tested this on a Windows 10 Machine and was not able to see any issues, no files were downloaded for me. It could be your browser configuration.

Could you try this on another PC if possible and let me know if the problem is still there as well? It's a bit difficult to debug or confirm issues that we are not able to replicate or see.

Thanks,
Shane

#1081451

Shane
Supporter

Hi Marcel,

Is the file being downloaded locally to your PC? Meaning, does it download as if you were to download a file from the internet?

Please let me know.
Thanks,
Shane

#1081576

Yes, the browser downloads the file to my PC. Well it's trying to, the download gets blocked by my virus scanner (which is F-Secure). The link to the file it's trying to download is in the first post.

#1081642

Shane
Supporter

Hi Marcel,

Were you able to try this on another PC? I've had a colleague look at the site and they too were not able to experience any issues.

Please let me know.

Thanks,
Shane

#1091195

I got an e-mail from the hosting company that they got a virus alert, so I let WordFence scan once more. Now it gave this error:

This file may contain malicious executable code: wp-content/plugins/wp-views/embedded/inc/wpv-condition.php
Type: File
Issue Found 24.08.2018 13:33
Critical
Filename: wp-content/plugins/wp-views/embedded/inc/wpv-condition.php
File Type: Not a core, theme, or plugin file from wordpress.org.
Details: This file is a PHP executable file and contains the word "eval" (without quotes) and the word "base64_decode(" (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans. This file was detected because you have enabled HIGH SENSITIVITY scanning. This option is more aggressive than the usual scans, and may cause false positives.

#1091279

Shane
Supporter

Hi Marcel,

Actually, checking on this, it's a false positive. It is known that eval() and base64_decode have been used to inject malicious code into PHP files.

However, when I looked at what it was used for in our code, it's not anything malicious. If it was, it would look something similar to below.
https://stackoverflow.com/questions/12587159/malicious-code-evalbase64-decode

Thanks,
Shane
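An added example (not part of the thread, and not Wordfence's or Toolset's code) showing why the rule quoted in the scan report is prone to false positives: it compares "both tokens appear somewhere in the file" with a narrower check for eval() applied directly to a base64_decode() string literal. The function names, the narrower rule and both PHP samples are constructed for this illustration.

```python
import base64
import re

# Broad rule, following the wording of the scan report quoted above:
# the file contains "eval" and "base64_decode(" anywhere (substring match assumed).
def broad_match(src: str) -> bool:
    return "eval" in src and "base64_decode(" in src

# Narrower rule (an assumption of this example): eval() called directly on
# base64_decode() of a quoted string literal.
NESTED = re.compile(
    r"""\beval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1""",
    re.IGNORECASE,
)

def nested_payloads(src: str) -> list:
    """Decode every literal that is passed through base64_decode() straight into eval()."""
    decoded = []
    for m in NESTED.finditer(src):
        try:
            decoded.append(base64.b64decode(m.group(2)).decode("utf-8", "replace"))
        except ValueError:  # bad padding or alphabet in the literal
            decoded.append("<undecodable literal>")
    return decoded

def triage(src: str) -> str:
    if not broad_match(src):
        return "clean"
    return "review-decoded-payload" if nested_payloads(src) else "broad-match-only"

# Constructed sample: both tokens present, but used independently of each other.
BENIGN = """<?php
$settings = unserialize(base64_decode($stored));
$result = eval('return ' . $checked_expression . ';');
"""

# Constructed sample: a harmless statement hidden the way the report describes.
_b64 = base64.b64encode(b"echo 'constructed sample';").decode()
SUSPICIOUS = '<?php eval(base64_decode("' + _b64 + '"));'

if __name__ == "__main__":
    for name, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, triage(src), nested_payloads(src))
```

A "broad-match-only" result still warrants reading the flagged lines and comparing the file against a fresh copy of the plugin from the vendor; it only means the obfuscation pattern itself was not found.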