False Positive By Imunify On Helix Ultimate Core File (default.php) - Question | JoomShaper

False Positive By Imunify On Helix Ultimate Core File (default.php)

S-D CONSULTING

S-D CONSULTING

Helix Framework 1 week ago

When antimalware programs report false positives, do you report them (for example, Imunify)?

If necessary, I'll report the issue privately, otherwise it's alarming. However, I've already analyzed the file, and aside from containing many dynamic classes that may have bypassed Imunify's CloudAV algorithm, there's nothing wrong with it, and the file hasn't changed since May.

0
15 Answers
S-D CONSULTING
S-D CONSULTING
Accepted Answer
1 week ago #227603

When I ask if you think about it, I'm obviously referring to the Helix development team.

0
M
Marin
Accepted Answer
1 week ago #227609

Do you have any fix for this

0
S-D CONSULTING
S-D CONSULTING
Accepted Answer
1 week ago #227610

I don't think there's a fix; I think it's a false positive from Imunify. I reported the issue to the Imunify developers via SSH, because the reporting is the result of their algorithm, but the file hasn't been modified in any way, and there are no non-compliant functions.

I believe Imunify is flagging it because of the many dynamic classes that likely exceed their standards.

Let's see what the Helix developers have to say.

0
M
Marin
Accepted Answer
1 week ago #227611

Thanks for the quick reply. I noticed that last night. However, as soon as I restore the file, Imunify360 deletes it, and without it, all our articles are blank—or rather, they don't display.

0
S-D CONSULTING
S-D CONSULTING
Accepted Answer
1 week ago #227612

This morning, I also received a report of an infected file from Imunify on all my servers on websites where Helix is used. This isn't the first time I've had a false positive, so before taking action, I checked the file and, strangely, the "differences" panel reported the entire contents of the offending file.

I ran an analysis of the file using advanced AI and found no anomalies. CloudAV likely detects many dynamic classes that exceed their standards and is therefore flagging them.

I'll wait to see what the Helix developers say. I reported the false positive to Imunify and asked them to investigate.

0
M
Marin
Accepted Answer
1 week ago #227617

How long does it take for Imunify360 to process things if there’s a false positive? It’s quite a hassle because none of the articles are displaying. Interestingly, out of 17 websites, the file was flagged as malware on 15 of them, but not on the other two.

0
S-D CONSULTING
S-D CONSULTING
Accepted Answer
1 week ago #227619

You should disable the automatic cleaning feature; it's a significant risk. There's a whitelist for some files after a false positive occurs.

0
C
copycat
Accepted Answer
1 week ago #227620

could you please confirm the exact full server path of the file that Imunify360 is removing?

0
S-D CONSULTING
S-D CONSULTING
Accepted Answer
1 week ago #227621

You can see the exact path on your server where Imunify reports it. The less information you disclose, the better.

0
C
copycat
Accepted Answer
1 week ago #227616

How can this issue be solved when the hosting provider does not allow any whitelist/ignore functionality in Imunify360?
Is there any alternative method to stop Imunify360 from removing the file?

could you please confirm the exact full server path of the file that Imunify360 is removing?

0
S-D CONSULTING
S-D CONSULTING
Accepted Answer
1 week ago #227618

Your provider shouldn't have Imunify automatically cleaning files, as this could compromise a website with a false positive.

Imunify has a feature to prevent this, depending on whether your provider offers the option to receive notifications, but without automatic intervention.

0
Ł
Łukasz
Accepted Answer
1 week ago #227661

public_html/plugins/system/helixultimate/overrides/com_content/article/default.php

0
R
Remco
Accepted Answer
1 week ago #227675

I have the same issue on 10+ sites.

0
Ziaul Kabir
Ziaul Kabir
Accepted Answer
Support Agent 1 week ago #227709

Hello @all,

Thank you for bringing this to our attention.

We can confirm this is a false positive from Imunify360. The file default.php in Helix Ultimate is part of the original and legitimate source code and does not contain any malicious content.

This detection has been reported by other users as well and is related to the security scanner’s signature pattern rather than any real threat.

As a temporary workaround, please stop scanning or exclude this file from Imunify360 until we have contacted them and clarified the issue, or apply an exclusion rule for this specific file to prevent it from being removed or zeroed out.

We appreciate your understanding and will update you once we have more information.

Thanks

1
Ziaul Kabir
Ziaul Kabir
Accepted Answer
Support Agent 6 days ago #228040

Thanks for your patience.

The Imunify360 security team has resolved the false-positive issue. Please update your malware signatures and run a new scan. The file should no longer be flagged.

If you still encounter the detection after updating and rescanning, please let us know, and we'll investigate further.

0