COMPLETED
Technical summary
EncFind was built for operational malware triage in PHP-centric hosting stacks. Its detection engine combines static signatures, contextual heuristics, and decode-to-execution chain analysis (for example base64_decode reaching eval) to assign a 0-100 risk score with explicit reasoning.
Implemented technical scope
- Python rewrite/enhancement of the legacy ecpp_2.pl workflow.
- Multi-layer scoring:
  - known webshell signatures,
  - dynamic execution heuristics,
  - decode-depth and execution sink reachability.
- Context-aware detection to separate:
  - executable code,
  - string/comment/simulation content.
- Optional integrations:
  - local YARA,
  - remote YARA (Abuse.ch),
  - VirusTotal hash lookups,
  - Wordfence CLI findings.
- Output modes for mixed audiences:
  - simple, technical, executive.
- Export formats: JSON, CSV, HTML.
- Baseline and allowlist workflow for noise control.
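The scoring idea described above (sinks, decoders, decode depth reaching an execution sink, and separating executable code from string or comment content) can be shown in a compact form. The following is an added illustration written for this page, not EncFind's own code: the function names, the sink and decoder lists, the point values and the sample PHP file are all constructed here, and the real engine's signatures and weights are not on this page.

```python
"""Toy decode-to-execution chain scorer (added example, not EncFind's implementation)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Illustrative lists only; the real scanner's signature set is not shown on the page.
EXEC_SINKS = ("eval", "assert", "create_function", "system", "shell_exec", "passthru", "exec")
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13", "hex2bin", "urldecode")
USER_INPUT = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")

SINK_RE = re.compile(r"\b(" + "|".join(EXEC_SINKS) + r")\s*\(", re.I)
DECODER_RE = re.compile(r"\b(" + "|".join(DECODERS) + r")\s*\(", re.I)
# One or more decoder calls opening directly inside a sink: eval(gzinflate(base64_decode(
CHAIN_RE = re.compile(r"^(?:\s*(?:" + "|".join(DECODERS) + r")\s*\()+", re.I)


@dataclass
class Finding:
    line_no: int
    score: int          # 0-100
    severity: str       # urgent review / monitor / likely non-executable
    reasons: List[str]  # explicit reasoning shown to the analyst


def executable_text(line: str) -> str:
    """Blank out string-literal contents and drop comments so only executable tokens remain.
    Quote characters are kept so the call structure (e.g. eval("...")) stays intact."""
    out, quote, i = [], None, 0
    while i < len(line):
        ch = line[i]
        if quote:
            if ch == "\\" and i + 1 < len(line):   # skip escaped char inside the string
                out.append("  ")
                i += 2
                continue
            out.append(ch if ch == quote else " ")
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            out.append(ch)
        elif ch == "#" or line.startswith("//", i):
            break                                    # rest of the line is a comment
        elif line.startswith("/*", i):
            end = line.find("*/", i + 2)
            if end == -1:
                break
            i = end + 2
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def score_line(line_no: int, raw: str) -> Optional[Finding]:
    """Score one PHP source line; the point values below are constructed for this example."""
    code = executable_text(raw)
    reasons, score, depth = [], 0, 0
    sinks = sorted({m.group(1).lower() for m in SINK_RE.finditer(code)})
    decoders = sorted({m.group(1).lower() for m in DECODER_RE.finditer(code)})
    for m in SINK_RE.finditer(code):               # decode depth measured at each sink
        chain = CHAIN_RE.match(code[m.end():])
        if chain:
            depth = max(depth, chain.group(0).count("("))
    if sinks:
        score += 40
        reasons.append("dangerous function usage: " + ", ".join(sinks))
    if decoders:
        score += 20
        reasons.append("obfuscation/decode behavior: " + ", ".join(decoders))
    if depth:
        score += 20 + 10 * (depth - 1)
        reasons.append(f"decode chain of depth {depth} reaches an execution sink")
    if any(src in code for src in USER_INPUT):
        score += 15
        reasons.append("request-controlled input on the same line")
    if not reasons:
        # Pattern present only in a string literal or comment: report as low-priority context.
        if SINK_RE.search(raw) or DECODER_RE.search(raw):
            return Finding(line_no, 10, "likely non-executable",
                           ["pattern appears only inside a string literal or comment"])
        return None
    score = min(score, 100)
    return Finding(line_no, score, "urgent review" if score >= 70 else "monitor", reasons)


def scan_source(src: str) -> List[Finding]:
    """Score every line and return findings with the highest risk first."""
    findings = [f for f in (score_line(n, l) for n, l in enumerate(src.splitlines(), 1)) if f]
    return sorted(findings, key=lambda f: -f.score)


# Constructed sample file for the demonstration; not a real artifact.
SAMPLE_PHP = r"""<?php
// Sample file constructed for this example; not a real artifact.
$cfg = base64_decode($settings['theme']); // legitimate decode, no sink
$doc = "Never call eval(base64_decode($x)) on user data"; // sink only inside a string
# eval(gzinflate(base64_decode($payload)));  -- commented out
eval(gzinflate(base64_decode($_POST['z'])));
echo strlen($cfg);
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_PHP):
        print(f"line {f.line_no}: {f.score:3d} {f.severity:22s} " + "; ".join(f.reasons))
```

The line with a real decode chain feeding eval scores at the top, while the same text inside a string or a comment is kept visible but marked as likely non-executable, which is the context-aware separation the scope list describes.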
Installation and requirements
# core runtime
python3 --version
# project dependencies
pip install -r requeriments.txt
# optional: wordfence cli
python3 -m pip install git+https://github.com/wordfence/wordfence-cli.git
Practical execution examples
1) Standard local scan
python3 encfind.py -d /home/user/public_html/
2) Full multi-engine scan
python3 encfind.py -d /home/user/public_html \
--vt --yara --wordfence --wordfence-accept-terms \
--export-html report.html
3) Strict production mode
python3 encfind.py -d /home/user/public_html/ --strict --only-actionable
4) Sensitive audit mode
python3 encfind.py -d /home/user/public_html/ --audit
Operational diagnostics delivered
- Risk-per-finding (0-100) with action-oriented severity.
- Decision-ready diagnosis text:
  - urgent review,
  - monitor,
  - likely non-executable.
- Line-level evidence:
  - dangerous function usage,
  - obfuscation/decode behavior,
  - decode depth,
  - YARA rule hits,
  - execution context.
Keys and integration strategy
- VirusTotal: embedded keys or --vt-keys-file.
- Abuse.ch remote YARA: embedded keys or --yara-keys-file.
- Wordfence: embedded keys or --wordfence-keys-file.
Initial Wordfence non-interactive setup:
wordfence configure -r -D
Incident-response operation model
- Run --strict --only-actionable for production first-pass triage.
- Run --audit during deep investigation windows.
- Export HTML for executive sharing and JSON/CSV for technical pipelines.
- Apply baseline/allowlist only after manual validation to avoid masking real threats.
Practical troubleshooting
# check runtime
python3 -V
# check dependencies
python3 -m pip list | grep -Ei 'yara|requests|wordfence'
# minimal test scan
python3 encfind.py -d /home/user/public_html/ --min-risk 50
Stack and tooling
- Python 3
- YARA
- VirusTotal API
- Wordfence CLI
- JSON/CSV/HTML exporters
Operational tags
- Python
- Malware Analysis
- Web Security
- YARA
- VirusTotal
Operational outcome
- Faster triage on large PHP codebases.
- Better evidence prioritization through score + reasons.
- Easier day-to-day adoption for hosting security operations.
Real results
Advanced malware and webshell scanner for hosting environments, combining signatures, heuristics, and decode-chain scoring for practical incident triage.
Architecture and organization
- Python 3
- Regex/Heuristics
- YARA
- VirusTotal API
- Wordfence CLI
- HTML/CSV/JSON Reporting
Execution and operations
The project follows a reproducible execution flow, technically validated in production-like environments.