wordfence / wordfence-cli

Wordfence malware and vulnerability scanner command line utility.
https://www.wordfence.com/products/wordfence-cli/
GNU General Public License v3.0

CLI misses malware reported by plugin #233

Closed cwgrote closed 5 months ago

cwgrote commented 7 months ago

I ran Wordfence CLI on mydomain.com/wordfence/. The result was "Found 0 suspicious file(s) after processing 10935 file(s)". I then signed into the WordPress dashboard and ran the Wordfence plugin "scan". The scan reported 14 malicious files found. Without doing anything further on WordPress, I again ran Wordfence CLI on the same domain file structure. It again reported "Found 0 suspicious file(s) after processing 10935 file(s)". How can this be?

akenion commented 7 months ago

Right now, Wordfence CLI uses a different free signature set than the plugin, which can result in different scan results. We are planning to reconcile these in the near future so that results should match when equivalent scans are conducted using the CLI and the plugin.

If you can provide the matching signatures from the plugin scan, I can confirm this is indeed the case, but this is most likely the cause of the difference in results you're seeing.

akenion commented 5 months ago

Wordfence CLI now uses the exact same signature sets as the Wordfence plugin so equivalent scans conducted with either should yield the same results. Signatures are cached for up to one day and will refresh automatically when the malware-scan command is run after the cached version expires. Alternatively, the --purge-cache option may be used to force a refresh of the signature set.