New script which goes undetected.
https://ufile.io/jdkqk (exp 30 days)
Thanks for the file. This was a new variation of an old threat so I fixed the definition to match this variant and released a new definition update.
Please let me know if you find any more that I missed.
https://ufile.io/u2dha (exp 30 days)
I think this one is the backdoor that could not be found and was creating hear.php
Some observations / suggestions -
too many long strings are suspect — perhaps you can allow users to opt in to report some files directly to you via the scanner.
files without any comments are suspect (true in case of hear.php)
strings with multiple occurrences of strings like this on the same line — “].$”
the AV should use a file scanner so any new/modified files can be directly reported to you if found suspect
annual subscription allows instant updates (others will get it a week later) and daily background scanning
Thank you for your product and service!
Thanks again. I have added this new file to the definition update. Thanks too for the suggestions; I am also working on improvements and appreciate any and all feedback.
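The file-level heuristics suggested in the thread above (too many long strings, no comments, several "].$" on one line), sketched as a triage script. This is an added example, not code from the thread or from the scanner; the thresholds, the `triage` function name and both sample inputs are assumptions constructed for illustration.

```python
import re

# Thresholds are assumptions for illustration, not values used by the scanner.
LONG_STRING_MIN = 200    # characters inside one quoted literal
LONG_STRING_COUNT = 2    # how many long literals count as "too many"
INDEX_CONCAT_MIN = 2     # occurrences of "].$" on a single line

# Match comments and string literals in one pass, so "//" inside a string
# (e.g. a URL) is not counted as a comment and an apostrophe inside a
# comment does not open a string. This approximates PHP lexing.
TOKEN_RE = re.compile(
    r"(?P<comment>/\*.*?\*/|//[^\n]*|#[^\n]*)"
    r"|(?P<string>'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\")",
    re.S,
)


def triage(source):
    """Return the names of the heuristics that fire for one PHP source text."""
    comments = long_literals = 0
    for m in TOKEN_RE.finditer(source):
        if m.group("comment") is not None:
            comments += 1
        elif len(m.group("string")) - 2 >= LONG_STRING_MIN:
            long_literals += 1
    findings = []
    if long_literals >= LONG_STRING_COUNT:
        findings.append("long-strings")
    if comments == 0:
        findings.append("no-comments")
    if any(l.count("].$") >= INDEX_CONCAT_MIN for l in source.splitlines()):
        findings.append("index-concat")
    return findings


# Constructed samples: harmless text shaped like the patterns described above.
SUSPECT = ('<?php $k="' + "Qx7" * 100 + '";$p="' + "Zt9" * 100
           + '";$f=$k[3].$k[1].$p[7].$k[2]; ?>')
BENIGN = ("<?php\n// Build the greeting shown on the profile page.\n"
          "$names = array('a', 'b');\n$greeting = 'Hello ' . $names[0];\n"
          "echo $greeting; ?>")

if __name__ == "__main__":
    for name, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(src))
```

Each finding on its own is weak (plenty of legitimate files have no comments), so the output is best used to rank new or modified files for review or submission rather than to block them.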