A malware scanner has a unique risk that most software doesn't: it deliberately opens files that may contain attacker-written code. If a scanner tries to "unpack" obfuscated malware by executing it, the scanner itself becomes a way to run attacker code on your server. This is not hypothetical: a 2025 vulnerability (CVE-2025-65530, CVSS 8.8) in another widely-used WordPress scanner did exactly this.
PowerSEC's design rule
The PowerSEC malware scanner analyses files using static pattern matching only. It:
- Reads file contents and matches them against fixed signatures with safe regular expressions.
- Never calls `eval()`, `create_function()`, `assert()`, `call_user_func()`, or dynamic includes on anything it reads.
- Never "deobfuscates by running": it detects obfuscation (e.g. `eval(base64_decode(...))`) as a pattern, without ever executing it.
Because the scanner never executes the code it inspects, a malicious file on your server cannot trigger code execution inside the scanner, no matter how it's crafted. This invariant is enforced in our code and verified on every release.
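As an added illustration (not PowerSEC's own code), here is what a static-only scan of the kind described above looks like in Python: the inspected bytes are only ever passed to a regex engine, every signature uses bounded repetition so hostile input cannot cause catastrophic backtracking, and the sample file content is constructed for the example.

```python
import re
from dataclasses import dataclass

# Fixed signature set (constructed for this example). Each pattern avoids
# nested quantifiers and unbounded wildcards, so matching cost stays linear
# in the input size even when the file is attacker-controlled.
SIGNATURES = {
    "eval-of-decoded-payload": re.compile(
        rb"\beval\s{0,16}\(\s{0,16}(?:base64_decode|gzinflate|str_rot13)\s{0,16}\(",
        re.IGNORECASE),
    "create_function": re.compile(rb"\bcreate_function\s{0,16}\(", re.IGNORECASE),
    "assert-with-string": re.compile(rb"\bassert\s{0,16}\(\s{0,16}['\"]", re.IGNORECASE),
    "callback-from-request": re.compile(
        rb"\bcall_user_func\s{0,16}\(\s{0,16}\$_(?:GET|POST|REQUEST)\b", re.IGNORECASE),
}

MAX_BYTES = 4 * 1024 * 1024  # refuse oversized files instead of "unpacking" them

@dataclass(frozen=True)
class Finding:
    signature: str
    line: int
    excerpt: str

def scan_bytes(data: bytes) -> list[Finding]:
    """Match fixed signatures against raw bytes. The content is never
    decoded, eval'd, exec'd or imported; it is only a regex subject."""
    if len(data) > MAX_BYTES:
        raise ValueError("file exceeds scan limit")
    findings = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(data):
            line = data.count(b"\n", 0, m.start()) + 1
            excerpt = data[m.start():m.start() + 60].decode("utf-8", "replace")
            findings.append(Finding(name, line, excerpt))
    return sorted(findings, key=lambda f: (f.line, f.signature))

def scan_file(path: str) -> list[Finding]:
    with open(path, "rb") as fh:  # binary read: no decoding step to exploit
        return scan_bytes(fh.read())

# Constructed sample resembling an obfuscated PHP dropper. The base64 string
# is arbitrary text; the scanner flags the pattern and never decodes it.
SAMPLE = b"""<?php
$k = 'aGVsbG8=';
eval(base64_decode($k));
$f = create_function('', 'return 1;');
assert('$flag = true');
"""

if __name__ == "__main__":
    for f in scan_bytes(SAMPLE):
        print(f"{f.signature}: line {f.line}: {f.excerpt!r}")
```

A plain `base64_decode()` call that is not wrapped in `eval()` produces no finding, which keeps the signature from flagging legitimate encoding code.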