[Bug] Imunify360 / ImunifyAV anti-malware has false positive for tracker_simpleImageTracker.php

[rr-it]

What happened?

The anti-malware solution IMUNIFY360 falsely recognizes tracker_simpleImageTracker.php as malware - and auto-deletes the file content.
https://github.com/matomo-org/matomo/blob/5.x-dev/misc/others/tracker_simpleImageTracker.php

What should happen?

Can the Matomo code-base be somehow monitored by IMUNIFY360 to catch such false-positives in advance?

How can this be reproduced?

Typ: File
Malicious: …/misc/others/tracker_simpleImageTracker.php
Reason: SMW-BLKH-SA-CLOUDAV-php.bkdr.gen-AUTO12-3
Status: Content removed

Matomo version

5.2.2

PHP version

No response

Server operating system

No response

What browsers are you seeing the problem on?

No response

Computer operating system

No response

Relevant log output

Validations

• Read our Contributing Guidelines.
• Follow our Security Policy.
• Check that there isn't already an issue that reports the same bug to avoid creating duplicates.
• The provided steps to reproduce is a minimal reproducible of the Bug.

[ahmedzeidan]

Same issue happening here as ImunifyAV is detecting this file as a malware. Is it safe to ignore this until resolved?

[des-innocraft]

Hi @rr-it thank you for reporting this issue. Can you determined the exact reason why the file triggers the malware detection?

The file tracker_simpleImageTracker.php is a sample file anyway, it does not have any negative effect if the file is removed.

[ahmedzeidan]

Hello @des-innocraft I am getting the following reason in my ImunifyAV:

SMW-BLKH-SA-CLOUDAV-php.bkdr.gen-AUTO12-3

[sgiehl]

@ahmedzeidan that code is quite generic and indicates Imunify identifies the code as possible backdoor, which it clearly isn't. So we might need to find out, which part of the code looks suspicious to Imunify.
If one of you is keen to test that out, you could try to remove parts of the file content and check when the tool no longer detects the file as suspicious.
We are happy to apply tweaks if that would prevent that false positive detection. But as we don't use Imunify, we are unable to test that ourselves.

[ahmedzeidan]

Hi @sgiehl I commented the below code and it passes the scan with no issues:

// -- Matomo Tracking API init --
//require_once '../../vendor/matomo/matomo-php-tracker/MatomoTracker.php';
//MatomoTracker::$URL = 'http://localhost/matomo-master/';
// Example 1: Tracks a pageview for Website id = {$IDSITE}
//$trackingURL = Matomo_getUrlTrackPageView($idSite = 16, $customTitle = 'This title will appear in the report Actions > Page titles');

Happy to test further.

[rr-it]

Looking at the status-page https://imunify360.statuspage.io/ there was a similar issue with
SMW-BLKH-SA-CLOUDAV-php.bkdr.gen-AUTO12-*1*
https://imunify360.statuspage.io/incidents/fwjc720r6db4

---

Wild guess: This is triggered by any PHP-file with code similar to this on top:

<?php
require_once …
?>
<html>
…

As this looks like a go-to solution of how malwares infects files:

1. Find any file with php-extension which starts with <html>.
2. Insert the malware code above <html>.