
Resolving False Positive Virus Alerts in EWWW Image Optimizer

12 threads | Sep 9, 2025 | Plugin: EWWW Image Optimizer


Many users of the EWWW Image Optimizer plugin have encountered alarming notifications from server antivirus scanners, web hosts, or security plugins flagging its files as malware. This article explains why this happens and what you can do to resolve it.

Why Am I Getting a Virus Warning?

The files being flagged are almost always the plugin's binary tools (such as optipng.exe, cwebp-linux, and gifsicle-linux). These are command-line utilities required for the plugin's core image optimization functions. The alerts are false positives generated by antivirus software, particularly ClamAV and scanners that use its definitions.

These false alarms occur for a few key reasons:

  • Heuristic Scanning: Antivirus programs often use heuristic analysis to detect potential threats based on behavior patterns. Since these binaries are compiled executables that perform system-level operations (compressing images), they can sometimes trigger these heuristic rules incorrectly. Detection names containing "HEUR" (e.g., php_malware.id_SMW-HEUR-ELF) are a clear sign of a heuristic-based false positive.
  • Outdated Virus Definitions: The EWWW Image Optimizer team has confirmed that ClamAV has a history of incorrectly flagging their files with signatures like Win.Adware.Softpulse-215 and Unix.Malware.Agent-1760567. While ClamAV eventually fixes these errors, web hosts and servers using slightly outdated definition databases may still generate the alerts.
  • Source of the Files: The source code for these binaries comes from reputable projects like Google's libwebp (for cwebp) and others. The plugin author compiles some of them to ensure compatibility. The plugin also includes integrity checks, verifying the MD5 hash of these binaries before execution to ensure they have not been tampered with.

How to Resolve the Issue

If your host or scanner has flagged a file, here are the most effective steps to take.

1. Verify the File Integrity

You can manually check the MD5 hash of the flagged binary to confirm it matches the official version provided by the plugin. This can provide peace of mind that the file is legitimate and has not been modified. The expected MD5 hash for files is often found within the plugin's main source file (ewww-image-optimizer.php). For example, the hash for a common flagged file, optipng.exe, is e3d154829ea57a0bdd88b080f6851265.
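One way to run this comparison on the server, as an added example (not the plugin's own code). The manifest and the directory argument are assumptions: only the optipng.exe value comes from this article, and any other entries must be copied by hand from the plugin's main source file. The SHA-256 is printed alongside so it can be quoted in a false-positive report.

```python
import hashlib
import sys
from pathlib import Path

# Expected MD5 values, copied by hand from the plugin's main source file.
# Only the optipng.exe value is quoted in the article; add the rest yourself.
EXPECTED_MD5 = {
    "optipng.exe": "e3d154829ea57a0bdd88b080f6851265",
}

def file_digests(path, chunk_size=65536):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def check_binaries(directory, expected=EXPECTED_MD5):
    """Classify every file in `directory` against the manifest.

    Status is "match", "MISMATCH", "unlisted" (file present but no expected
    hash known) or "missing" (listed in the manifest but not on disk).
    """
    present = {p.name: p for p in Path(directory).iterdir() if p.is_file()}
    results = {}
    for name, path in present.items():
        md5, sha256 = file_digests(path)
        want = expected.get(name)
        if want is None:
            status = "unlisted"
        elif md5 == want.strip().lower():  # tolerate pasted case/whitespace
            status = "match"
        else:
            status = "MISMATCH"
        results[name] = {"status": status, "md5": md5, "sha256": sha256}
    for name in expected.keys() - present.keys():
        results[name] = {"status": "missing", "md5": None, "sha256": None}
    return results

if __name__ == "__main__":
    # Assumed usage: pass the directory that holds the plugin's binaries.
    report = check_binaries(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, info in sorted(report.items()):
        print(f"{info['status']:9} {name}  md5={info['md5']}  sha256={info['sha256']}")
    # Non-zero exit on any mismatch so the check can run from cron or CI.
    sys.exit(1 if any(i["status"] == "MISMATCH" for i in report.values()) else 0)
```

A "MISMATCH" result means the file on disk is not the one the manifest describes, so treat it as a modified file until you have reinstalled the plugin and re-checked.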

2. Contact Your Web Host

This is the most effective long-term solution. Politely inform your hosting provider that their malware scanner is generating a false positive. You can reference support threads where other major hosts, like 1&1, have investigated and confirmed the alerts were false and subsequently updated their systems. Encouraging them to update their ClamAV definitions or whitelist the known-good EWWW Image Optimizer binaries will resolve the issue for you and their other customers.

3. Temporarily Disable WebP Conversion (If Needed)

If the flagged file is cwebp-linux (or similar) and you do not use WebP image conversion, you can temporarily disable that feature within the plugin's settings. This will prevent the plugin from attempting to use that binary. However, this is not a fix for the underlying false positive issue.

4. Wait for Definition Updates

In many cases, as seen in the sample threads, the antivirus companies themselves release updates to correct these false positives. If the alert suddenly appeared and then disappeared a day or two later without any action on your part, this is likely what happened. Your server's definitions were automatically updated.

Conclusion

Virus alerts on EWWW Image Optimizer files are a common and well-documented occurrence rooted in false positives from overzealous heuristic scanners and outdated virus definitions. The files themselves, obtained from reputable sources and integrity-checked by the plugin, are safe. The recommended course of action is to verify the file hashes for your own confidence and then contact your web host to report the false positive, prompting them to update their systems.