Scan consistently failing in Scanning for malware/unknown files

  • Resolved richalt2

    (@richalt2)


    7 years, 2 months ago

    The current scan looks like it has failed

    Last two scans performed with debug mode set,
    Maximum execution time for each scan stage: set to 25
    Php max_execution_time: set to 30
    maximum memory that Wordfence uses: set to 350 (mbytes)
    (Test your WordPress hosts available memory showed 350Mbyte achieved, then a 30sec timeout occurred).
    Each scan attempt hangs at a different point in the “known malware/unknown files” scan.

    We are using bluehost.com
    The error logs shown by bluehost cPanel show only one 30sec timeout in the last 24 hours, which corresponds to the above memory test.

    Scan Summary
    ————
    [Sep 05 13:27:14]
    Preparing a new scan.
    Done.
    [Sep 05 13:27:14]
    Check if your site is being Spamvertized is for paid members only
    Paid Members Only
    [Sep 05 13:27:16]
    Checking if your IP is generating spam is for paid members only
    Paid Members Only
    [Sep 05 13:27:18]
    Checking if your site is on a domain blacklist is for paid members only
    Paid Members Only
    [Sep 05 13:27:20]
    Checking for the most secure way to get IPs
    Secure.
    [Sep 05 13:27:20]
    Fetching core, theme and plugin file signatures from Wordfence
    Success.
    [Sep 05 13:27:21]
    Fetching list of known malware files from Wordfence
    Success.
    [Sep 05 13:27:21]
    Comparing core WordPress files against originals in repository
    [Sep 05 13:27:21]
    Comparing open source themes against www.remarpro.com originals
    [Sep 05 13:27:21]
    Comparing plugins against www.remarpro.com originals
    [Sep 05 13:27:21]
    Scanning for known malware files
    [Sep 05 13:27:21]
    Scanning for unknown files in wp-admin and wp-includes
    [Sep 05 13:38:57]
    A request was received to kill the previous scan.

    Activity Log
    ————
    Wordfence Full Activity Log
    [Sep 05 13:38:57:1504643937.445088:10:info] SUM_KILLED:A request was received to kill the previous scan.
    [Sep 05 13:38:57:1504643937.444328:1:info] Scan kill request received.
    [Sep 05 13:32:25:1504643545.124057:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/updraft-admin.min.js (Size:66258B Mem:87.2M)
    [Sep 05 13:32:25:1504643545.116114:2:info] Scanned contents of 1466 additional files at 5.75 per second
    [Sep 05 13:32:24:1504643544.205952:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/updraft-admin.js (Size:109719B Mem:86.0M)
    [Sep 05 13:32:23:1504643543.740337:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/select2/select2.min.js (Size:66664B Mem:87.2M)
    [Sep 05 13:32:23:1504643543.581278:2:info] Scanned contents of 1464 additional files at 5.78 per second
    [Sep 05 13:32:22:1504643542.770986:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/select2/select2.js (Size:147185B Mem:86.0M)
    [Sep 05 13:32:22:1504643542.726655:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/onedrive/onedrive.php (Size:156B Mem:87.2M)
    [Sep 05 13:32:22:1504643542.648205:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/onedrive/object.php (Size:6586B Mem:86.0M)
    [Sep 05 13:32:22:1504643542.547714:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/onedrive/folder.php (Size:2311B Mem:87.2M)
    [Sep 05 13:32:22:1504643542.470184:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/onedrive/file.php (Size:2128B Mem:86.0M)
    [Sep 05 13:32:22:1504643542.467096:2:info] Scanned contents of 1459 additional files at 5.79 per second

    Prior debug scan ended with this Activity Log snippet:
    View Activity log, after Debug mode set. Killed this scan after 5 minute timeout.
    —————————————————–
    [Sep 05 13:25:07:1504643107.335235:10:info] SUM_KILLED:A request was received to kill the previous scan.
    [Sep 05 13:25:07:1504643107.311517:1:info] Scan kill request received.
    [Sep 05 13:18:44:1504642724.991246:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/WindowsAzure/Common/Internal/Atom/Content.php (Size:5027B Mem:86.0M)
    [Sep 05 13:18:44:1504642724.989313:2:info] Scanned contents of 1378 additional files at 5.69 per second
    [Sep 05 13:18:44:1504642724.944778:4:info] Resuming malware scan at rule G2783/rules#5.
    [Sep 05 13:18:44:1504642724.940359:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/WindowsAzure/Common/Internal/Atom/Category.php (Size:6048B Mem:86.0M)
    [Sep 05 13:18:44:1504642724.917462:4:info] Got a true deserialized value back from ‘wfsd_engine’ with type: object
    [Sep 05 13:18:44:1504642724.846398:4:info] Setting up scanRunning and starting scan
    [Sep 05 13:18:44:1504642724.846159:4:info] Setting up error handling environment
    [Sep 05 13:18:44:1504642724.845912:4:info] Requesting max memory
    [Sep 05 13:18:44:1504642724.845611:4:info] Done become admin
    [Sep 05 13:18:44:1504642724.845215:4:info] Scan authentication complete.
    [Sep 05 13:18:44:1504642724.843787:4:info] Scan will run as admin user ‘Shana’ with ID ‘2’ sourced from: singlesite get_users() function
    [Sep 05 13:18:44:1504642724.842830:4:info] Becoming admin for scan
    [Sep 05 13:18:44:1504642724.841298:4:info] Checking saved cronkey against cronkey param
    [Sep 05 13:18:44:1504642724.841071:4:info] Exploding stored cronkey
    [Sep 05 13:18:44:1504642724.840850:4:info] Fetching stored cronkey for comparison.
    [Sep 05 13:18:44:1504642724.840572:4:info] Checking cronkey
    [Sep 05 13:18:44:1504642724.840222:4:info] Scan engine received request.
    [Sep 05 13:18:44:1504642724.602705:4:info] Scan process ended after forking.
    [Sep 05 13:18:43:1504642723.597249:4:info] Starting cron with normal ajax at URL https://village-volunteers.org/mobile2/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=1&scanMode=full&cronKey=58293f3e2e053fa61f8be00b
    [Sep 05 13:18:43:1504642723.595457:4:info] Test result of scan start URL fetch: array ( ‘headers’ => Requests_Utility_CaseInsensitiveDictionary::__set_state(array( ‘data’ => array ( ‘date’ => ‘Tue, 05 Sep 2017 20:18:42 GMT’, ‘server’ => ‘Apache’, ‘x-robots-tag’ => ‘noindex’, ‘x-content-type-options’ => ‘nosniff’, ‘expires’ => ‘Wed, 11 Jan 1984 05:00:00 GMT’, ‘cache-control’ => ‘no-cache, must-revalidate, max-age=0’, ‘x-frame-options’ => ‘SAMEORIGIN’, ‘set-cookie’ => ‘wfvt_4904713=59af06a34f89f; expires=Tue, 05-Sep-2017 20:48:43 GMT; Max-Age=1800; path=/; secure; httponly’, ‘vary’ => ‘Accept-Encoding’, ‘content-encoding’ => ‘gzip’, ‘content-length’ => ’32’, ‘content-type’ => ‘text/html; charset=UTF-8’, ), )), ‘body’ => ‘WFSCANTESTOK’, ‘response’ => array ( ‘code’ => 200, ‘message’ => ‘OK’, ), ‘cookies’ => array ( 0 => WP_Http_Cookie::__set_state(array( ‘name’ => ‘wfvt_4904713’, ‘value’ => ’59a
    [Sep 05 13:18:42:1504642722.206211:4:info] getMaxExecutionTime() returning config value: 24
    [Sep 05 13:18:42:1504642722.205955:4:info] Got value from wf config maxExecutionTime: 24
    [Sep 05 13:18:42:1504642722.205487:4:info] Calling startScan(true)
    [Sep 05 13:18:42:1504642722.016585:4:info] Entered fork()
    [Sep 05 13:18:42:1504642722.015432:4:info] Forking during malware scan (G2783/rules#5) to ensure continuity.
    [Sep 05 13:18:41:1504642721.971743:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/WindowsAzure/Common/Internal/Atom/Category.php (Size:6048B Mem:87.2M)
    [Sep 05 13:18:41:1504642721.863577:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/WindowsAzure/Common/Internal/Atom/AtomLink.php (Size:7743B Mem:86.0M)
    [Sep 05 13:18:41:1504642721.740038:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/WindowsAzure/Common/Internal/Atom/AtomBase.php (Size:9505B Mem:87.2M)
    [Sep 05 13:18:41:1504642721.531166:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/WindowsAzure/Common/CloudConfigurationManager.php (Size:4950B Mem:86.0M)
    [Sep 05 13:18:41:1504642721.469046:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/WindowsAzure/Blob/Models/SignedIdentifier.php (Size:2511B Mem:87.2M)
    [Sep 05 13:18:41:1504642721.392061:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/WindowsAzure/Blob/Models/SetContainerMetadataOptions.php (Size:2221B Mem:86.0M)
    [Sep 05 13:18:41:1504642721.321671:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/WindowsAzure/Blob/Models/SetBlobPropertiesResult.php (Size:3720B Mem:87.2M)
    [Sep 05 13:18:41:1504642721.219842:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/WindowsAzure/Blob/Models/SetBlobPropertiesOptions.php (Size:6748B Mem:86.0M)
    [Sep 05 13:18:41:1504642721.151687:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/WindowsAzure/Blob/Models/SetBlobMetadataResult.php (Size:2947B Mem:87.2M)
    [Sep 05 13:18:41:1504642721.087280:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/WindowsAzure/Blob/Models/SetBlobMetadataOptions.php (Size:2379B Mem:86.0M)
    [Sep 05 13:18:41:1504642721.011810:4:info] Scanning contents: wp-content/plugins/updraftplus/includes/WindowsAzure/Blob/Models/PublicAccessType.php (Size:1938B Mem:87.2M)
    [Sep 05 13:18:41:1504642721.008902:2:info] Scanned contents of 1367 additional files at 5.74 per second

Viewing 2 replies - 1 through 2 (of 2 total)

  • Hi @richalt2,

    This could be related to the server resources.

    Could you try disabling the scan option “Scan images, binary, and other files as if they were executable” which is located on the Wordfence Options page?

    This scan option is mainly intended for using on known infected sites. It requires a lot of resources and is not necessary to use for normal scans. The reason for this is that non-executables such as images can not execute themselves. If there is malware in an image, there will be malware in other files on your server as well and those will be detected even with this scan option off.

    Also could you please:

    • Go to the Wordfence Tools page
    • Click the Diagnostics tab
    • In the Other Tests section (near the bottom of the page), click the link that reads “Click to view your system’s configuration in a new window“. This will open a Wordfence System Info page

    And check the values associated with the following parameters:

    • Server API
    • PHP Version

    Hello!

    I hope we were successful in helping you resolve your issue with Wordfence! Since we have not heard back from you in the past 2 weeks I will now be marking this support thread as resolved. However, if we still haven’t resolved your issue please reach out to us as we would be more than happy to further assist you!

    Thanks and have a great day!
    Chloe

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Scan consistently failing in Scanning for malware/unknown files’ is closed to new replies.