[Defender Pro] Do a better job of false-positives in Defender Pro


I noticed today that Defender Pro flagged a core Gravity Forms file as potentially malicious. Gravity Forms is a widely-used and well-regarded plugin. It seems like Defender Pro should do a better job with false positives on widely-used plugins, even if they are Premium/paid (e.g. Gravity Forms, Advanced Custom Fields Pro, etc.).

The line of code in question was $state = json_decode( base64_decode( $_POST[ "state_{$form_id}" ] ), true );.

I understand why base64 functions are flagged, generally; however, I’m arguing here that for widely-used plugins such as Gravity Forms, Defender Pro should understand that a base64 call in Gravity Forms core should _not_ be flagged, given the popularity of the plugin.

  • Toby (@themightymo)
    • WordPress Developer

    Julian, the message in Defender Pro says, “We’ve uncovered suspicious code in [path]/wp-content/plugins/gravityforms/form_display.php.” That message tells us that Gravity Forms, itself, is insecure, which, I’m guessing, is not true.

    The above doesn’t address your security question (I don’t know the answer to that), but if you are correct and the Gravity Forms plugin, itself, is a security threat, then a more helpful message would say something like, “This code ships with Gravity Forms, but ‘base64’ code is known to be a security risk; we recommend choosing a different form plugin.”

      • Joe
        • King Joe

        No, because then you’d have to do that on every single site forevermore. It would work for people with a few sites, but doesn’t work out for people with dozens or more.

        Wordfence managed not to ever alert me with any false positives – every time I had an alert, it was 100% accurate and I had to act on it.

        Defender… I mean, sheesh, two or three times on a new WordPress install it gave me 150+ false flags pointing to WordPress core files saying there is a difference in the code compared to the original – was there a difference you ask? Nope.

        On every single site I run, it points to “Croccoblock” as having bad code. It doesn’t. It’s gotten to the stage now that I literally ignore all Defender flags and emails. Very bad practice – but there is no chance I am migrating BACK to Wordfence after migrating this way only a year ago.

        • Patrick Freitas
          • FLS

          Hi Joe

          I hope you are doing well.

          Wordfence has a setting for scanning; usually, users don’t modify it and run the scan at the lower level. At their highest test level there is also a warning that it can increase the false positives. In Defender we keep the same level, allowing users to disable the option that causes those false positives, but maybe creating different levels could be a good approach for the plugin.

          About reporting the files: we use the WordPress checksums API, and files being reported can be caused by a cached result, so flushing the object cache can help.

          API Example:
          https://api.wordpress.org/core/checksums/1.0/?version=5.8&locale=en_US

          However, in case a similar issue persists after flushing the object cache and the files are still reported, we would need to take a closer look.

          Best Regards
          Patrick Freitas

  • Patrick Freitas
    • FLS

    Hi Toby (themightymo)

    I hope you are doing well.

    Thank you for the feedback, our Defender team is indeed working to decrease the number of false positives in the plugin.

    For free plugins, we can verify against the version available on WordPress.org, so it only shows the report if the plugin is indeed infected. The issue with Pro plugins is that we can’t verify them, so at this moment the report would show so the user can take action: ignore it as a false positive, or remove the file if it is confirmed malware.

    I do agree some different warnings could improve the user experience too, we sent this ticket to the plugin team.

    Best Regards
    Patrick Freitas

  • Nastia
    • Ex Staff

    Hello Toby (themightymo)

    Thank you for your feedback!

    The Suspicious Code scan type is looking for potentially dangerous PHP functions; such functions can be in any plugin, whether it is premium or free. If these functions are not protected at a higher code level, they could endanger a site. In the case of Gravity Forms, the $_POST function is the one that is considered dangerous.

    I’m afraid that at the moment, a potentially dangerous PHP function found within a premium plugin will inevitably show up in the scan report. We found a way to avoid such reports for free plugins because there is a public database available where we can compare the files to confirm that all is well. Paid plugins, I’m afraid, don’t publicly share their code.

    Nevertheless, our developers will review this case of suspicious code.

    Maybe simply let us tell Defender to ignore what it found and only notify us again when the file next changes or the code in question changes.

    This is already happening in the Malware Scanning :) Once a report is ignored, it is moved to the Ignored section and does not show up again in the main Malware Report section.

    Thank you for reporting this to us!

    Kind regards,
    Nastia
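As an added illustration of the triage Patrick and Nastia describe (example code written for this thread, not Defender’s or WPMU DEV’s own): a pattern hit for a risky PHP construct is suppressed only when the file’s MD5 matches a published checksum, so an unmodified file with a known checksum stays quiet while a paid-plugin file, which has no public checksum, still surfaces. The checksum map shape (relative path → MD5 hex), the plugin tree and the file contents are all constructed here; a real scanner would fetch the map from the api.wordpress.org URL Patrick quotes.

```python
import hashlib
import os
import re
import tempfile

# Flags base64_decode() fed directly from request input, the construct Defender reported.
SUSPICIOUS = re.compile(r'base64_decode\s*\(.*?\$_(POST|GET|REQUEST)', re.S)

def scan(root, known_good):
    """Return (verified, unverified) relative paths of files matching SUSPICIOUS.
    A hit is 'verified' (and would not be reported) when the file's MD5 equals
    the published checksum; anything without a matching checksum is reported."""
    verified, unverified = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            with open(full, 'rb') as f:
                data = f.read()
            if not SUSPICIOUS.search(data.decode('utf-8', errors='replace')):
                continue
            if known_good.get(rel) == hashlib.md5(data).hexdigest():
                verified.append(rel)
            else:
                unverified.append(rel)
    return sorted(verified), sorted(unverified)

def demo():
    """Constructed plugin tree plus a constructed checksum map (assumed API shape)."""
    root = tempfile.mkdtemp()
    shipped = ('<?php\n$state = json_decode( base64_decode( '
               '$_POST[ "state_{$form_id}" ] ), true );\n')
    clean = '<?php\n$x = 1;\n'
    files = {
        'gravityforms/form_display.php': shipped,      # shipped code, checksum known
        'gravityforms/common.php': clean,              # no suspicious construct
        'gravityforms/tampered.php': clean + shipped,  # checksum published for clean copy
        'premium-plugin/handler.php': shipped,         # paid plugin: no checksum available
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'wb') as f:
            f.write(content.encode('utf-8'))
    md5 = lambda s: hashlib.md5(s.encode('utf-8')).hexdigest()
    known_good = {'gravityforms/form_display.php': md5(shipped),
                  'gravityforms/common.php': md5(clean),
                  'gravityforms/tampered.php': md5(clean)}
    return scan(root, known_good)
```

Calling `demo()` returns the one verified hit (the unmodified shipped file) and the two that would still be reported: the file whose checksum no longer matches and the paid-plugin file that has no checksum at all.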