• Resolved colinlam

    (@colinlam)


    Hi, I am getting false positives for many WP files on all my WordPress websites when I run MScan.

    So, I carried out a clean install of WP 5.9 on a new domain just now. I ran the scan twice and looked at the report.

    Scan Date|Time: January 28, 2022 11:21 am
    Website: https://metascotland.co.uk/wp
    Scan Completion Time: 00:00:06
    Total Files Scanned: 3013
    Total Skipped Files: 0
    Total Suspicious Files: 317
    Total Suspicious DB Entries: 0

    Here are the first three entries:

    Suspicious File /home/metascot/public_html/wp/wp-admin/error_log File Hash: Altered or unknown WP Core file 2022-01-28 11:20:09
    Suspicious File /home/metascot/public_html/wp/wp-content/themes/twentytwenty/.stylelintrc.json File Hash: Altered or unknown Theme file 2022-01-28 11:21:29
    Suspicious File /home/metascot/public_html/wp/wp-content/themes/twentytwenty/404.php

    Why is it picking up 317 of the WordPress core files as positive?

  • Thread Starter colinlam

    (@colinlam)

    An update.

    On this clean install one of the files is a core file wp-admin/errorlog.file
    All the rest are theme files for themes 2020, 2021 and 2022

    All my other websites may have some files left over from plugin uninstalls over the years and database entries that were not deleted but pose no threat.

    Any ideas on the way forward?
    Thanks

    Plugin Author AITpro

    (@aitpro)

    The wp-admin/errorlog file is a php error log file created automatically by your server. So it is seen as an unknown WP Core file. For all the other files that are falsely being seen as unknown files my guess would be a Windows (CR LF) vs Linux (LF) issue. You can check to see if that is the issue by opening some of the WP Core or Theme files with Notepad++ – check the bottom right of the Notepad++ window to see the file format. You can download Notepad++ for free. I may add an additional tool in MScan that will automatically fix this issue. It’s relatively simple to do. Please let me know if this is the issue/problem that is occurring.

    Windows line break, \r\n (or CR LF) vs Linux \n (or LF), which is 1 byte less per line ending. 2 identical files with different line endings will be different sizes and therefore have different file hashes.

    https://forum.ait-pro.com/forums/topic/mscan-troubleshooting-questions-problems-and-code-posting/

    Known Issue|Problem: File Hashes do not match due to differences in file format: Windows (CR LF) vs Linux (LF)
    This issue/problem typically only happens on Local Dev servers like XAMPP. Problem scenario: All WP Core, Plugin and Theme files should be using Linux (LF) format. On XAMPP during the file hash creation stage in MScan some files have the Windows (CR LF) format, which means the file size is slightly different and the file hash that is created will not match the file hash for the actual Live file. The result is MScan will detect that the file has been altered or tampered with and display “File Hash: Altered or unknown Theme file” for that file. Example Scenario: When you update Themes, older files will not be replaced for that Theme and only files that have been changed are replaced. The original Theme file has the Linux (LF) format, but the new Theme file in the Theme zip file has the Windows (CR LF) format. The file hash that is created for that Theme file will not match the file hash for the existing Theme file. The end result is a false positive since the file is seen as altered or not matching the file hash for that Theme file.

    Plugin Author AITpro

    (@aitpro)

    Have you had a chance to check if the issue is a Windows (CR LF) vs Linux (LF) issue?

    Plugin Author AITpro

    (@aitpro)

    I have confirmed that this is a Windows CR LF vs Linux LF problem and is caused by this > the default WP themes that are bundled in the WP Core zip files (WP 5.9, etc) are Linux LF format. The default WP themes available for download from the WP theme repository are Windows CR LF format. I have created a fix for this issue in BPS 5.8. MScan will automatically convert default WP theme files from CR LF format to Linux LF format as needed. That will ensure that the file hashes match since the md5 theme file size will be identical after converting the files to the correct format = Linux LF.

  • The topic ‘False Positives’ is closed to new replies.
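
Added example (not part of the thread, and not MScan or BPS code): a small triage script for the CR LF vs LF mismatch discussed above. It hashes each file as-is and again after converting CR LF to LF, so a line-ending-only difference is reported separately from a real content change. The function names, the baseline dictionary layout and the sample files are assumptions made for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def to_lf(data: bytes) -> bytes:
    """Convert Windows CR LF line endings to Linux LF; lone CR bytes are left alone."""
    return data.replace(b"\r\n", b"\n")


def classify(data: bytes, expected_md5: str) -> str:
    """Compare file bytes against a baseline hash taken from the LF-format original."""
    if md5_hex(data) == expected_md5:
        return "match"
    if md5_hex(to_lf(data)) == expected_md5:
        return "line-endings-only"   # CR LF copy of the same content
    return "altered"                 # content differs even after normalization


def triage(root: Path, baseline: dict) -> dict:
    """Classify every file under root; files absent from the baseline are 'unknown'."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        expected = baseline.get(rel)
        report[rel] = classify(path.read_bytes(), expected) if expected else "unknown"
    return report


def demo() -> dict:
    """Constructed sample: a tiny theme tree and a baseline hashed from LF originals."""
    original = b"<?php\n// constructed sample theme file\nget_header();\n"
    baseline = {"theme/404.php": md5_hex(original),
                "theme/index.php": md5_hex(original),
                "theme/footer.php": md5_hex(original)}
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "theme"
        theme.mkdir()
        (theme / "404.php").write_bytes(original)                            # LF, untouched
        (theme / "index.php").write_bytes(original.replace(b"\n", b"\r\n"))  # CR LF copy
        (theme / "footer.php").write_bytes(original + b"echo 'x';\n")        # real change
        (Path(tmp) / "error_log").write_bytes(b"PHP Warning: constructed\n")  # not in baseline
        return triage(Path(tmp), baseline)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:18} {name}")
```

Files reported as "altered" or "unknown" still need manual review; only "line-endings-only" corresponds to the false positive described in this thread.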