Here I am uploading the warning notification, with my site name blurred out. Is this something to worry about, or could it be a false reading?
It’s happening on a few, but not all of my WordPress websites. That could mean there is a shared vulnerability across the sites, or could be something in common that’s triggering the false warnings.
I have NinjaFirewall installed on all my sites, and I just ran their malware scanner. It did come back with 2 to 3 of the core files that had an ‘x’ and I chose the option to restore them.
I also got an email that changes were made to the administrator accounts of the sites, but I can still log in and am not seeing anything off yet.
I checked in my site files, and the ‘nonce’ values that are being appended to the ajax.php file in the Avast warning, don’t actually exist as files that I can see. Avast is giving three warnings all for the same ajax.php file but with different nonces. I have no idea what this means.
You can use the ‘possible’ False Detection option in the Alert Window.
You won’t get a direct response, but it should be analysed within 48 hours; if found to be false, it will be removed.
Thanks, I had actually clicked the possible false detection on one of them a week or so ago when I first encountered this, but the warnings are still appearing.
Not sure why I didn’t think to run Ninja Scanner earlier, but after restoring the files it flagged, 1 of the 3 sites is no longer giving the error, it seems for now at least. But the other 2 are. Is there a lag with Avast reporting after a malicious file is fixed?
If found to be considered a false positive, the virus database should be updated. So those inclusions/exclusions should be with users when the next VPS (Virus/malware Signatures) is released, and this is several times a day.
So, after contacting my web host, one of their recommendations was to try MalCare (a WordPress security plugin).
Earlier this morning I had logged in to both of the 2 sites that were still giving the error yesterday after I had cleaned them with NinjaScanner, and they were still giving the error.
Just now, logging in to one to install MalCare, I notice it’s not giving the error. Then I scanned it with MalCare and it did not detect anything malicious. So, there either is a lag, or Avast quietly updated their ruleset after seeing this post?
But then, the plot thickens. Now I logged into the other site that was still showing the warning this morning, and now that one is throwing up THIS popup repeatedly:
So I restarted my computer, and now it’s showing the same warning again on that site. I also just added MalCare there and ran a scan, and it also came back clean. MalCare claims to find more malware than any other WP plugin. So what are the odds that my site is infected but they’re not finding it?
FWIW, my host support also made the following comment:
"Avast flagged a request to admin-ajax.php with parameters that could be used for exploitation, such as action=wp-compression-test, along with a suspicious nonce. Also, the fact that it’s categorized as “Other:Malware-gen [Trj]” suggests that the behavior of the request resembles that of a trojan (malware), even if the actual PHP file has not been altered."
The -Gen at the end of the name is for Generic detection (as far as I’m aware), so not a specific malware detection. So I would agree with your assumption.
Unfortunately, as an Avast user there is little else I can do in that regard.
You could try this link as it gives an area to give more details than you get reporting via the Alert Window.
New location to report both a False Positive and/or a False Negative (for File or URL)
Thank you. I have submitted a report there. It was good because they allow you to submit the Alert ID so they should be able to examine the exact alert I am getting.