Malware Scanner is a part of the Shield's Hack Guard module. This scanner will discover all sorts of malware patterns embedded in your PHP files, wherever they're hidden on your WordPress site.


It focuses on the following:

  • scanning of all PHP and Javascript files and folders under your WordPress ‘ABSPATH‘ – this is the directory that contains your wp-admin, wp-content and wp-includes folders.
  • automatic repair of WordPress core files
  • automatic repair of WordPress.org plugins

How the Malware Scanner works

Before you start using this automatic scanner, you'll need to enable it first under the Shield => Settings => Hack Guard module => File Scans and Malware => Malware:

When enabled, the scanner will automatically detect files infected with malware signatures. 

Ignore False Positives Threshold option

Shield will ignore false positives in Scan Results automatically:

  • Low
  • Medium
  • High
  • Low

You can choose to ignore files with potential malware manually in your scan results, depending on whether the confidence that it's a 'false positive' meets your minimum threshold.


A false positive happens when a file appears to contain malware and shows up in scan results, but it's actually clean. (A false positive is similar to when an anti-virus alerts to a file that doesnt have a virus.)
The higher the confidence level, the more likely a result is a false positive. A low level means it's less likely to be a false positive.


The scan will automatically ignore results whose 'false positive' confidence level is greater than your chosen threshold.
The higher the confidence threshold you select, the more likely that 'false positives' will appears in your scan results.
Disabling network intelligence turns off 'false positive confidence' levels. You will no longer benefit from the intelligence gathered from the entire network. All data shared is completely anonymous.


The more sites that share this information, the stronger and smarter the network becomes.


Read more about this here.

You can also set the Malware Scanner to

  • Auto-Repair WP Core - Automatically reinstall any core files found to have potential malware. 
  • Auto-Repair WP Plugins - Automatically repair any plugin files found to have potential malware.
    Important: This option is only compatible with plugins installed from WordPress.org.
    Also deletes suspected files if they weren't originally distributed with the plugin.

 Please also note that:

  • Auto-repair core files only repairs actual WP core files - it wont delete any.
  • The plugin auto-repair will both replace plugin files, and also delete files that don't belong.


Once the scanner detects infected file(s), it'll either try to repair them automatically or you can do this manually. How it'll behave depends on your personal settings.

                   

To run manual scan or to review infected files, you can use Scans section of the Shield Security Dashboard. 


For example, Malware Scanner detected potential malware in a WordPress core files. You can go to the Scans section => run Malware scan => go to the Scan results to review it. Then, you can choose if you want to ignore or delete it:

Important: If you're unsure whether the file is malware or not, read this article here.


For more information about the Malware Scanner, please read the blog article here.