False Positives in CleanTalk Malware Scan

Hello @pandamedia

Could you please send the indicated files for analysis? Here are the instructions: https://cleantalk.org/help/files-analysis. Please let us know when you have done this, we need to look at these files to understand if this was a false positive.

Hi,

I have 130 files, also, the option you pointed is not available, only :
“View | Approve | Quarantine | Delete | View Suspicious Code | Cure”

This is why I was forced to approve.

Examples of suspicious code (same for all other files).
Please check 3 examples.

Those are genuine files, so I’m pretty sure those are false positives.
Also it always show “<?php” as suspicious …
Also, can you please answer my questions?

• This reply was modified 2 weeks, 1 day ago by pandamedia.

Thank you.

Could you please reach out to our support team so we can gather some more information from you concerning this issue? Please, open a ticket in our private support system and paste the link to this topic, so we can identify you quickly: https://cleantalk.org/my/support/open.

We’d like to look at a few files, could you please send them to us? We also need to know in what categories our scanner puts these files, Critical or Suspicious or else. Could you please take a more detailed screenshot where we can see this information and send it to us?

OK, will do that.

But for the second time, please my initial questions :

• If these approved files were to get infected in the future, would they still be detected?
• Or does marking them as “approved” permanently whitelist them, preventing future alerts?

Thanks

Thank you @pandamedia.

We have received your ticket and answered you there. But I will duplicate the part of my answer here.

The issue with false positives will be resolved after Synchronization with the cloud (gray button on the top of the Security plugin settings page). This will update the scanner’s local database on the website and remove this problematic signature from the website.

• If these approved files were to get infected in the future, would they still be detected? – After sync there will be no false positives on these files. And yes, the scanner will detect future possible infection of these files.
• Or does marking them as “approved” permanently whitelist them, preventing future alerts? – No, this will permanently approve the current state of the file. If the file is changed, the scanner will scan it the same way as other files. And if the file is infected, the scanner will react to it.

Hi again,

Thanks for your feedback.

I just tried “Synchronization with the cloud” and it does not affect my list at all (whether it’s in Critical or Approve).

I had to “Approve” them all in the meantime.
Should they disappear as well from “Approve” when the signature will be updated? (if it works of course)

Thank you @pandamedia

Please, perform a new scan. I’m not sure if these files will be removed from Approved but definitely shouldn’t be shown in the Critical tab.

Hi,

I just performed a new scan and nothing happened, files are still in Critical tab.

What is weird is that the scan duration was really short (less than 1mn compared to several minutes usually).

Regarding the result text, it says :
“The last scan of this website was on Mar 18 2025 08:00:50, website total files*: 8799, files scanned*: 0. The next automatic scan is scheduled on Mar 19 2025 00:00:50 UTC +01:00.”

Do you what could prevent files from being scanned?

Thank you for your reply.

Please, re-activate the CleanTalk Security Plugin in a special way:
? First, copy your Access key from the plugin settings: WordPress Admin Page → Settings → Security by CleanTalk → General Settings
? Then go to WordPress Admin Page → Settings → Security by CleanTalk → General Settings → enable the option “Complete Deactivation” → Save Changes.
? WordPress Admin Page → Plugins → Installed plugins → Security by CleanTalk → Deactivate and Activate again
? Paste your Access key back and save the plugin settings.

Then clear your website cache. Did it help you this way?

I did what you said.
It worked when I launched analysis after deactivation/reactivation

But after first analysis, when I launch it again, same problem.
It skips files again when in heuristic analysis phase, showing same message as I pointed (total files vs scanned files).

Is that a normal behavior when scans are close to each other?

It could be normal if the scanner did not find any new or/and modified files. That means that the websites files stayed the same and nothing has to be checked.

If you want to scan the files anew, click the grey link “Clear scanner logs” below the scan results and then the button “Synchronize with cloud“.

The next scan should run normally with each step.

Hello.
We haven’t heard back from you in a few days, so I’m going to mark this topic as “resolved”.
If you have any further questions, you can start a new topic or contact us via our private Ticket System:?https://cleantalk.org/my/support/open.