Issue
Imunify360 flags the file restorer.php within the UpdraftPlus WordPress plugin as a malicious file, even when the plugin is fully up to date. The detection reason shown in the Imunify360 management console is:
SMW-INJ-CLOUDAV-php.backdoor.htaccess-PHPTRP2-4
The affected file path is typically:
wp-content/plugins/updraftplus/restorer.php
In some cases:
- The real-time scanner continues flagging the file even after it has been added to the ignore list.
- Imunify360 may "clean" the file by zeroing out its contents rather than deleting it, resulting in a broken plugin.
- A large number of email notifications may be generated if real-time scanning is active across multiple accounts.
Environment
- Imunify360
- Malware Scanner
- WordPress
- UpdraftPlus plugin (versions up to 1.26.5)
Solution
This has been confirmed as a false positive. The file has been added to the Imunify360 whitelist. Run the following command to pull the updated signatures and stop further detections:
imunify360-agent update sigs
If files were cleaned (content zeroed out):
Imunify360 retains original files for 14 days. Restore them with:
imunify360-agent malware user restore-original <username>
To list affected files for a specific account before restoring:
imunify360-agent malware malicious list --user <username>
Note: The Imunify360 Ignore List does not support wildcards. Patterns such as /home/*/wp-content/... are not valid. If a temporary per-account ignore entry is needed while signatures propagate, add the exact file path per account:
imunify360-agent malware ignore add '/var/www/vhosts/<domain>/httpdocs/wp-content/plugins/updraftplus/restorer.php'
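The per-account step above, as an added example that is not part of the original article or Imunify360's own tooling: a script that expands the unsupported wildcard into exact paths, prints (does not run) one ignore command per site, and marks copies that cleanup left empty. The function names, the sample domains and the zero-byte test for a cleaned file are assumptions.

```shell
#!/bin/sh
# Added example: expand the unsupported wildcard into exact per-site paths.
# Assumption: a "cleaned" file is left at zero bytes, so `-s` tells it apart.

REL='*/wp-content/plugins/updraftplus/restorer.php'

# Quote a path for safe pasting into a shell command.
sq() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# Print "ZEROED <path>" or "INTACT <path>" for every restorer.php under $1.
scan_restorer() {
    find "$1" -type f -path "$REL" 2>/dev/null | sort | while IFS= read -r f; do
        if [ -s "$f" ]; then echo "INTACT $f"; else echo "ZEROED $f"; fi
    done
}

# Print (not run) one exact-path ignore command per file found under $1.
ignore_cmds() {
    find "$1" -type f -path "$REL" 2>/dev/null | sort | while IFS= read -r f; do
        printf 'imunify360-agent malware ignore add %s\n' "$(sq "$f")"
    done
}

# Constructed sample tree: two sites, one zeroed by cleanup, plus a decoy file.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    for d in example-a.test example-b.test; do
        mkdir -p "$t/$d/httpdocs/wp-content/plugins/updraftplus"
    done
    echo '<?php // constructed stand-in' \
        > "$t/example-a.test/httpdocs/wp-content/plugins/updraftplus/restorer.php"
    : > "$t/example-b.test/httpdocs/wp-content/plugins/updraftplus/restorer.php"
    mkdir -p "$t/example-b.test/httpdocs/wp-content/uploads"
    echo x > "$t/example-b.test/httpdocs/wp-content/uploads/restorer.php"
    echo "$t"
}

# Demo on the sample tree; on a server pass the real vhosts root instead.
demo_root=$(make_sample_tree)
scan_restorer "$demo_root"
ignore_cmds "$demo_root"
rm -rf "$demo_root"
```

Point both functions at the real document root (for example /var/www/vhosts) and review the printed commands before running them. ZEROED entries identify the accounts whose files need the restore-original step.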
Cause
This was a false positive. The Imunify360 malware processing team confirmed that restorer.php in UpdraftPlus 1.26.5 is byte-for-byte identical to the official upstream release and contains no malicious code. The signature has been corrected, and the file has been added to the Imunify360 whitelist.