Imunify 360 Flags Helix Ultimate's Default Php As Malware - Question | JoomShaper

Imunify 360 Flags Helix Ultimate's Default Php As Malware

R

Robert

Helix Framework 1 week ago

Imunify 360 flags Helix Ultimate's default php as malware — how to fix it

The problem: Imunify 360 (running on many Plesk/cPanel hosts) sometimes flags this file as malicious: plugins/system/helixultimate/overrides/com_content/article/default php

The detection signature is usually something like: SMW-BLKH-SA-CLOUDAV-php bkdr drpr

When this happens, Imunify quarantines or deletes the file, and your Joomla articles stop displaying properly on the frontend.

Important context:

  • mySites.guru does NOT flag this file as malware* — because it isn't
  • The file is legitimate JoomShaper code, GPL-licensed
  • The detection appears to be a false positive on Imunify's signature database. How to fix it (safe method):
  1. Verify it's the real file — download the latest Helix Ultimate Framework fresh from joomshaper.com, and optionally scan the zip with Bitdefender, VirusTotal, or another AV. And claude ai. If it comes back clean, you're good.
  2. Add the file path to Imunify's ignore/whitelist. BEFORE reinstalling:
  • In Plesk → Security → ImunifyAV / Imunify360
  • Find the detection in History or Quarantine
  • Add path to Ignore List
  1. Reinstall Helix Ultimate through Joomla admin:
  • System → Install → Extensions
  • Upload the fresh Helix Ultimate plugin
  • Wait for "Installation successful"
  1. Test: open your homepage, click an article, verify frontend loads correctly. 5.Verify persistence: wait 10 minutes and check via FTP that the file still exists on the server. If Imunify deleted it again, revisit the whitelist step.

Why this happens: Complex PHP template code that dynamically generates HTML output (like Helix does) sometimes trips generic malware signatures. Commercial AV scanners occasionally match on patterns that look suspicious in isolation but are perfectly normal in context. This is a known trade-off of aggressive signature-based scanning.

Bottom line: If you see this detection, don't panic — but do verify. Download the file fresh from the official source, cross-check with another scanner, whitelist the path, and reinstall. If a second-opinion scanner (mySites.guru, VirusTotal, Bitdefender) all come back clean, you're dealing with a false positive. If you're not sure whether it's a false positive on your site (e.g. your site was recently compromised), you can also check the flagged file directly by comparing it with the copy inside a freshly-downloaded Helix Ultimate zip. If they match byte-for-byte, the file is clean.

Or ask your host to check the file when your not sure.

Quick database check after a suspected Joomla hack

Even after cleaning malicious files, attackers sometimes leave traces in the database. Three quick SQL queries in phpMyAdmin will tell you if anything is left behind.

Log into phpMyAdmin via your hosting panel → select your Joomla database → open the SQL tab. Run these three checks (use your actual database prefix from configuration file)

1.List all users, sorted by registration date. Watch for emails ending in ‘secure local, usernames like webmanager + a number, or accounts you don't recognise — typical signs of the SP Page Builder zero-day and similar attacks.

  1. List all accounts in the Super Users group. Ideally, only your own account appears here.

3.List all "Remember me" auto-login tokens. Each row here allows automatic login without a password — anything you didn't create is suspect.

If all three come back with only your own account and expected activity, combined with clean file scans, that's strong evidence the attacker didn't establish persistence.

0
8 Answers
Ziaul Kabir
Ziaul Kabir
Accepted Answer
Support Agent 1 week ago #227845

Hi,

Thank you for the report.

We have verified that the default.php file included with the official Helix Ultimate package is legitimate and does not contain any malicious code. Based on our investigation, this appears to be a false positive from Imunify360 caused by its detection signatures.

As a temporary workaround, please exclude this file from Imunify360 (or stop scanning it) to prevent it from being quarantined or modified. We are also reaching out to the Imunify team to clarify the detection and will provide an update as soon as we have more information.

Thank you for your understanding.

0
R
Robert
Accepted Answer
1 week ago #227846

I have whitelisted the file for now.

The last weeks most of us all have stepped from from designers to website security :) Actually not a bad thing..

Let's hope the next wave of zero days doesn't involve JS..

0
Ziaul Kabir
Ziaul Kabir
Accepted Answer
Support Agent 1 week ago #227850

We hope so.

Thanks

0
C
copycat
Accepted Answer
1 week ago #227854

The next wave of zero‑day attacks will absolutely include Joomla, Helix, SP Page Builder, and many other widely used Joomla components. The reason is simple: Joomla has fallen from one of the strongest CMS platforms to the 6th or 7th place, largely because of its complicated upgrade process — from the core CMS all the way down to templates, components, and plugins.

We’ve already seen what happens when something breaks, like the recent Helix 3 issues. Nothing is compatible with anything. The template collapses, dozens of errors appear during upgrades, you update SP Page Builder and the entire website layout breaks, you update Joomla and suddenly another extension stops working. It’s endless.

People didn’t stay on Joomla 3 out of comfort or laziness. They stayed because upgrading to Joomla 4 requires new components, new plugins, a new template, a new SP Page Builder version — essentially, you have to charge the client as if you’re building a brand‑new website. And same story with Joomla 5 which again is not a simple one‑click upgrade but a chain of changes, fixes, and compatibility adjustments. Then Joomla 6 the same story. In just a few years we’ve gone from Joomla 3 to Joomla 6. Who can afford to pay hundreds of euros every few months for upgrades, especially for large and complex websites?

I maintain both Joomla and WordPress websites. WordPress updates automatically without breaking the homepage, menus, or layout. The same goes for plugins — they update smoothly. Try doing that in Joomla. Just the other day I updated Helix 3 from 3.1.1 to 3.1.2 and the homepage crashed instantly.

The point is: there are thousands of Joomla websites on the web that are outdated and unmaintained simply because maintenance is expensive. We are not careless — clients cannot or do not want to pay for constant upgrades. And how do you explain to a client that they must pay several hundred euros every few months just to keep their site updated?

Everyone else in the industry has spent years simplifying things, while the Joomla ecosystem kept demanding that a web designer also be a Linux server administrator, an Apache/PHP technician, and a cybersecurity specialist. When I talk to colleagues who work exclusively with WordPress, they have absolutely no idea what I’m talking about — nor do they understand the kind of stress I’m under when I need to upgrade something as simple as a page builder from version 6.1.1 to 6.6.2.

For them, an update is a non‑event. For us, it’s a potential disaster.

So yes, attacks on Joomla will continue, just like attacks on all its components, plugins, and frameworks. The ecosystem practically invites it.

0
Ziaul Kabir
Ziaul Kabir
Accepted Answer
Support Agent 1 week ago #227855

Hi Copycat,

Thank you for taking the time to share your thoughts. We understand your concerns, and we know that major CMS upgrades can be challenging, especially for large, long-running websites.

At JoomShaper, our goal is to make upgrades as smooth and reliable as possible. Whenever issues are reported, we investigate them, provide fixes, and continuously improve compatibility with the latest Joomla releases. We also recommend testing updates on a staging environment before applying them to a production website, particularly for complex sites with multiple third-party extensions.

Regarding Helix Framework and SP Page Builder, we are actively maintaining both products to ensure compatibility with supported Joomla versions. If you encounter any specific issue during an update, please open a support ticket with your Joomla version, Helix/SP Page Builder version, and any error details. Our team will be happy to investigate and help you resolve it.

We truly appreciate your feedback. It helps us identify areas where we can continue improving the upgrade experience for everyone.

Thank you for your continued support.

0
R
Robert
Accepted Answer
1 week ago #227862

I don’t fully agree with this.

I’ve seen plenty of WordPress sites that haven’t been updated for years either. There are enough online tools to check that. Some of them were built by large web agencies, not freelancers. Outdated websites are not a Joomla-only problem.

Also, saying clients have to pay for maintenance doesn’t really support your argument. If every update turns into a major bill, either the maintenance agreements weren’t set up properly from the beginning, or you’re working with clients who don’t value maintaining their own business. A website is no different from a car—you maintain it when it needs maintenance. That’s as much a business issue as it is a technical one.

Joomla certainly had a difficult transition from J3 to J4, and some extensions made that much worse. But claiming that the ecosystem “invites” zero-days because upgrades can be difficult is a stretch. Security vulnerabilities and the ease of upgrading are related, but they’re not the same thing.

WordPress isn’t immune either. Plugin conflicts, abandoned themes, outdated page builders, and unsupported plugins are common there as well. The difference is that WordPress has a much larger ecosystem, so people tend to overlook those problems.

0
Ziaul Kabir
Ziaul Kabir
Accepted Answer
Support Agent 1 week ago #227875

Hi Robert,

Thank you for sharing your perspective. We appreciate your balanced view.

You're right that keeping websites up to date is not a Joomla-specific challenge. Every CMS has its own maintenance and security considerations, and regular updates are an important part of keeping any website secure and stable.

We also agree that security vulnerabilities and the upgrade experience are related but not the same issue. Our team is committed to continuously improving both the reliability of our products and the overall update experience, while responding quickly whenever security issues are identified.

Thank you again for contributing to the discussion and for your continued support.

Best Regards,

0
Ziaul Kabir
Ziaul Kabir
Accepted Answer
Support Agent 6 days ago #228039

Thanks for your patience.

The Imunify360 security team has resolved the false-positive issue. Please update your malware signatures and run a new scan. The file should no longer be flagged.

If you still encounter the detection after updating and rescanning, please let us know, and we'll investigate further.

0