What does the suspicious file type SMW-ESUS-* mean?


  • What does the suspicious file type SMW-ESUS-* mean?

    Hi,
    I have a dozen files marked by Imunify as a potential risk.
    Some of them are marked as type
    extended-suspicious.id_SMW-ESUS-13 or extended-suspicious.id_SMW-ESUS-12 or extended-suspicious.id_SMW-ESUS-5

    Can someone describe to me what this type means?
    Thank you.
  • Answer selected by alevchenko at 06-22-2023, 07:44 AM.

    According to our devs, these are very general Extended Suspicious Signatures (ESUS), and suspicious does not always mean malware.

    Extended suspicious signatures – signatures used for internal purposes to identify files that raise concerns about their legitimacy or safety. Attackers are always trying to improve their hiding mechanisms. We are using extended suspicious signatures to reveal new hiding technologies as early as possible.

    It would be useful if you could share how exactly this list of files was obtained – was it done through the command line and the imunify360-agent tool?
    As far as I understand, those files and signatures are not reflected in the Imunify UI, and this behaviour is expected because of the signatures' internal purpose only.

    You as a customer should treat files detected by extended suspicious signatures as safe in most cases. We are using complex logic on our end to filter them out and produce SMW-/CMW-/CLOUDAV- verdicts as early as possible.

    If you are concerned about the files you mentioned, it would also be good practice to keep an eye on the websites with the files marked with ESUS sigs – in particular, since it is a WordPress website, simply ensure the script and its components like themes and plugins are up to date. Any outdated and unused components are better removed to avoid the possibility of a hacker using outdated files. E.g. other security tips are here: https://www.wpbeginner.com/wordpress-security/



    • #2
      Hi Petar,
      According to our developers, these signatures have slightly different purposes than the regular signature verdicts described at https://docs.imunify360.com/faq_and_...classification
      May I ask you to share where exactly you see the files marked with those? Would it be possible to share screenshots?



      • #3
        I can't share screenshot but I can share some files:

        Code:
        /wp-content/themes/metrovibes-parent/js/shCore.js                                                   extended-suspicious.id_SMW-ESUS-13
        /wp-content/themes/metrovibes-parent/js/jquery.carouFredSel.min.js                                  extended-suspicious.id_SMW-ESUS-13
        /wp-content/themes/metrovibes-parent/theme_config/extensions/shortcodes/shortcodes/minigallery.php  extended-suspicious.id_SMW-ESUS-12
        /wp-content/themes/metrovibes-parent/cache/min-js-7cbeb0c0d7bddad26d35629d635e8d67.js               extended-suspicious.id_SMW-ESUS-13
        /wp-content/themes/metrovibes-parent/framework/core/AJAX.php                                        extended-suspicious.id_SMW-ESUS-5
        /wp-content/themes/metrovibes-parent/framework/core/INCLUDE.php                                     extended-suspicious.id_SMW-ESUS-12
        /wp-content/themes/metrovibes-parent/framework/helpers/GENERAL.php                                  extended-suspicious.id_SMW-ESUS-5
        /wp-content/themes/metrovibes-parent/framework/BootsTrap.php                                        extended-suspicious.id_SMW-ESUS-12
        /wp-content/themes/metrovibes-child/composer.json                                                   extended-suspicious.id_SMW-ESUS-12
        /wp-content/themes/metrovibes-child/vendor/composer/autoload_real.php                               extended-suspicious.id_SMW-ESUS-12
        If I manually check the files, everything looks good, without malware code.
        Thank you

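As an added example (not code from this thread or from Imunify360), the Python helper below reads a listing in the format Petar posted (path, whitespace, signature name) and applies the distinction from the selected answer: ESUS hits are informational, while anything carrying an SMW-/CMW-/CLOUDAV- verdict, or an unrecognised name, is kept for a manual look. The sample listing, the uploads path and the SMW-EXAMPLE-1 verdict name are constructed placeholders, and the signature naming pattern is an assumption based only on the names shown in the thread.

```python
"""Triage a plain-text Imunify360 file listing (path, whitespace, signature).
Added example, not code from the thread or from Imunify360; the listing
format and the SMW-EXAMPLE-1 line are assumptions/constructed."""
import re

# Constructed sample: three lines mirror the posted ESUS hits; the last is a
# made-up SMW- verdict with a placeholder name to show the contrast.
SAMPLE_LISTING = """\
/wp-content/themes/metrovibes-parent/js/shCore.js            extended-suspicious.id_SMW-ESUS-13
/wp-content/themes/metrovibes-parent/framework/core/AJAX.php  extended-suspicious.id_SMW-ESUS-5
/wp-content/themes/metrovibes-child/composer.json             extended-suspicious.id_SMW-ESUS-12
/wp-content/uploads/2023/06/example-dropped.php               SMW-EXAMPLE-1
"""

LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<sig>\S+)$")
ESUS_RE = re.compile(r"^extended-suspicious\.id_(?P<family>[A-Z]+)-ESUS-(?P<num>\d+)$")
VERDICT_PREFIXES = ("SMW-", "CMW-", "CLOUDAV-")

def parse_listing(text):
    """Return (path, signature) pairs; reject lines that do not fit the format."""
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        records.append((m["path"], m["sig"]))
    return records

def classify(sig):
    """('esus', family, number) for internal extended-suspicious hits,
    ('verdict', prefix, None) for SMW-/CMW-/CLOUDAV- verdicts, else ('unknown', sig, None)."""
    m = ESUS_RE.match(sig)
    if m:
        return ("esus", m["family"], int(m["num"]))
    for prefix in VERDICT_PREFIXES:
        if sig.startswith(prefix):
            return ("verdict", prefix, None)
    return ("unknown", sig, None)

def triage(text):
    """Split into ESUS-only hits (safe in most cases, per the answer above)
    and everything else, which still deserves a manual look."""
    informational, needs_attention = [], []
    for path, sig in parse_listing(text):
        bucket = informational if classify(sig)[0] == "esus" else needs_attention
        bucket.append((path, sig))
    return informational, needs_attention
```

Calling triage(SAMPLE_LISTING) returns the three ESUS records in the first list and only the constructed SMW-EXAMPLE-1 file in the second; unknown signature names are deliberately routed to the second list so nothing unrecognised is silently treated as benign.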



          • #5
            Thank you, alevchenko, for the response.
