The internal scan examines all source files on the hosting server, including site-specific files, images, themes, and plugins. Starting with version 3.2.1.0, it also scans WordPress core files. Quttera's patented algorithms work with a threat intelligence database. The database is updated twice daily from ThreatSign's database.
Rather than relying on signatures of known malware, the scanner uses a heuristic scan engine to find suspicious behavior. This approach lets it find threats which aren't yet recorded in any database. It applies weighted rules, statistical methods, and flow analysis when examining the code.
The internal scan uses machine learning to update its behavior. It crowdsources the results of its previous analysis to update its rules and their weights. This makes it more accurate over time, catching more problems and reporting fewer false positives.
The threats the internal malware scanner looks for include the following:
- Infected PHP, JavaScript, image, and other files. WordPress is based on the PHP language, and infected files can perform actions the owner didn't intend. Infected JavaScript can alter the behavior of pages in the browser or redirect to other pages.
- PHP shell injection. This technique causes system commands to run on the server with the privileges of the website's account.
- Backdoors. These are pieces of code surreptitiously installed that allow an outside user to modify the site's behavior or extract private information.
- Ransomware. It encrypts the files on the target system and demands that the owner pay to get them restored.
- Trojans ("Trojan horses"). Plugins or themes from dubious sources may claim to do something useful but conceal malicious code.
- Mailers. Unauthorized code can send out spam email without the site owner's knowledge.
- Spyware. This category covers any code that reports information back to an unauthorized party.
The scanner's reports assign each finding one of four severity levels: Malicious, Suspicious, Potentially Suspicious, or Clean. It may not be necessary to act on Suspicious and Potentially Suspicious reports, but they should all be examined for any concerns they may raise.
The scan may return some false positives. The administrator can whitelist files which are erroneously reported. In addition, reported threats can be whitelisted if a site legitimately takes actions that the scan classifies incorrectly. False positives can be reported to Quttera's helpdesk so that appropriate adjustments can be made to the rules.
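As an added illustration of how a weighted-rule heuristic scan can arrive at the four report levels and honour the administrator's file and threat whitelists described above, here is example code written for this page (not Quttera's engine; the rule patterns, weights, thresholds and sample files are constructed assumptions):

```python
import re

# Constructed weighted rules for a heuristic PHP scan (illustrative only).
# Each entry: rule name, regex, weight. A higher weight is a stronger indicator.
RULES = [
    ("eval_of_decoded_data", r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", 8),
    ("command_execution", r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(", 4),
    ("long_base64_literal", r"['\"][A-Za-z0-9+/]{60,}={0,2}['\"]", 2),
    ("outbound_mail", r"\bmail\s*\(", 1),
]
COMPILED = [(name, re.compile(pat), weight) for name, pat, weight in RULES]

# Constructed thresholds mapping a summed weight to the page's four report levels.
THRESHOLDS = [(8, "Malicious"), (4, "Suspicious"), (1, "Potentially Suspicious"), (0, "Clean")]


def severity(total):
    """Map a summed rule weight to a report level."""
    for minimum, level in THRESHOLDS:
        if total >= minimum:
            return level
    return "Clean"


def scan_file(path, source, whitelisted_files=frozenset(), whitelisted_rules=frozenset()):
    """Apply the weighted rules to one PHP source text.

    whitelisted_files: paths the administrator marked as false positives (always Clean).
    whitelisted_rules: rules ignored because the site legitimately performs that action.
    Returns (level, total_weight, matched_rule_names).
    """
    if path in whitelisted_files:
        return "Clean", 0, []
    hits = [(name, weight) for name, rx, weight in COMPILED
            if name not in whitelisted_rules and rx.search(source)]
    total = sum(weight for _, weight in hits)
    return severity(total), total, [name for name, _ in hits]


def scan_all(files, **whitelists):
    """Scan a {path: source} mapping and return {path: (level, total, rules)}."""
    return {path: scan_file(path, src, **whitelists) for path, src in files.items()}


# Constructed sample files, not real malware; the base64 string decodes to "hello world".
SAMPLES = {
    "wp-content/uploads/cache.php": "<?php eval(base64_decode('aGVsbG8gd29ybGQ=')); ?>",
    "wp-content/themes/x/functions.php": "<?php $f = $_REQUEST['f']; echo shell_exec($f); ?>",
    "wp-content/plugins/contact/send.php": "<?php mail($to, 'Contact form', $body); ?>",
    "wp-content/themes/x/header.php": "<?php get_header(); ?>",
}
```

Passing `whitelisted_rules={"outbound_mail"}` turns the contact-form finding Clean, which is the threat-level whitelist the page describes; `whitelisted_files` does the same for an individual path.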