[Defender] Suspicious file "wp-admin/core"

Hi,

I use Defender and regular File Scanning.

A suspicious file "wp-admin/core" appeared on our website. It is 166MB and has no extension.

I ran File Scanning manually but it didn't detect this suspicious file.

Why?

And is this file malicious?

Thanks,
Jiri

  • Adam Czajczyk

    Hi Jiri

    How are you today?

    Thanks for opening a separate ticket about this. Since I was the one who discovered the file on your server and you recently provided me with FTP access, I took the liberty of downloading that file and checking it.

    The file, apparently, is a so-called "core dump". It's a "special" file that on some operating systems is created when some process(es) fail. For example, it might be some PHP process that failed and it literally "dumped" its memory content directly to a file. I wasn't sure about that before but I double-checked that and this is the case.

    The good thing about it is that it's completely harmless and will do nothing bad to the site. It can be safely removed and it won't affect the way the site works.

    However, I also tested Defender on it and I can confirm that it is not detected. In my opinion it should be and should be marked as "Unknown file in WordPress core" with an option to delete it.

    Having said that, I have already reported this as a bug to our developers so they could implement a fix for that detection in one of the future versions of the plugin.

    There's also a question why it even got created. While that is not a Defender related thing, it's still worth checking. My suggestion would be: remove the file for now but keep an eye on the install to see if that or a similar file re-appears and, if so, we'll try to find out why it gets created (or, rather, what part of the setup fails).

    Best regards,
    Adam
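
An added example, not part of the original thread and not Defender's code: one way to confirm that an extensionless file such as "wp-admin/core" really is a core dump, and to find others like it in the install, is to read each file's ELF header and check that the type field is ET_CORE. It assumes a Linux host where core dumps are ELF files; the function names and the sample tree are constructed for illustration.

```python
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
ET_CORE = 4  # e_type value for core files in the ELF specification

def is_elf_core(path):
    """Return True if the file starts with an ELF header whose e_type is ET_CORE."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(18)  # e_ident (16 bytes) + e_type (2 bytes)
    except OSError:
        return False
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        return False
    # e_ident[5] (EI_DATA) gives the byte order: 1 = little-endian, 2 = big-endian
    if header[5] == 1:
        fmt = "<H"
    elif header[5] == 2:
        fmt = ">H"
    else:
        return False
    (e_type,) = struct.unpack_from(fmt, header, 16)
    return e_type == ET_CORE

def find_core_dumps(root):
    """Walk root and return (relative path, size in bytes) for every ELF core file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full) and is_elf_core(full):
                hits.append((os.path.relpath(full, root), os.path.getsize(full)))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample: a fake WordPress tree holding one core-type ELF header."""
    os.makedirs(os.path.join(root, "wp-admin"))
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)  # 64-bit, little-endian, 16 bytes
    samples = {
        "core": ident + struct.pack("<H", ET_CORE) + bytes(46),
        "tool": ident + struct.pack("<H", 2) + bytes(46),  # ET_EXEC, must not match
        "index.php": b"<?php // constructed placeholder\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, "wp-admin", name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(find_core_dumps(tmp))
```

Pointing `find_core_dumps` at the real document root lists every core dump by content rather than by file name, so a renamed dump is still found.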
