WordPress Malware Scanning

What is Server-Based Malware Scanning?

Server-based scanning means the server that hosts your WordPress site initiates the malware scan itself, using a script or an executable program.

The scanning script can be written in Bash, Perl, Python or even PHP, and may call other executable programs on the server that are native to the operating system, installed by the server administrator or compiled from source code.

An executable program is either pre-compiled or compiled from source. Executables are considered more performant because they are already compiled into machine code, whereas scripting languages such as Bash, Perl and Python have to be interpreted or compiled during execution.

Common Malware Scanners


ClamAV is a scanning engine; it requires signatures to be able to detect malware. Without signatures you can still scan files, but nothing will be detected. ClamAV comes with default signatures, and you can also create your own.

ClamAV and Detecting WordPress/PHP Malware

Detecting WordPress/PHP malware with ClamAV depends on having signatures that are updated frequently to include malware found in the wild. Both free and paid ClamAV signature sets specific to WordPress/PHP malware are available.
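To illustrate creating your own signatures, the following added example (not part of the original page or of the ClamAV project) builds a hash signature (.hdb) and a body signature (.ndb) for a constructed, harmless PHP file and scans it with only those signatures loaded. The signature names, the marker string and the function names are hypothetical; it assumes `md5sum` and `od` are available and runs `clamscan` only if it is installed.

```shell
#!/bin/sh
# Added example: build custom ClamAV signatures for a constructed test file.
# Signature names and the marker string below are hypothetical.

# Hash signature (.hdb), one line per file: MD5:FileSize:MalwareName
make_hdb_sig() {   # $1 = file, $2 = signature name
    sum=$(md5sum "$1" | cut -d' ' -f1)
    size=$(wc -c < "$1" | tr -d ' ')
    printf '%s:%s:%s\n' "$sum" "$size" "$2"
}

# Body signature (.ndb): MalwareName:TargetType:Offset:HexSignature
# TargetType 0 = any file type, Offset * = anywhere in the file.
make_ndb_sig() {   # $1 = signature name, $2 = literal byte string to match
    hex=$(printf '%s' "$2" | od -An -v -tx1 | tr -d ' \n')
    printf '%s:0:*:%s\n' "$1" "$hex"
}

# Constructed sample: a harmless PHP file carrying a made-up marker string.
demo() {
    work=$(mktemp -d)
    printf '<?php // CONSTRUCTED-TEST-MARKER-7f3a\n' > "$work/sample.php"
    make_hdb_sig "$work/sample.php" "Local.Test.SampleHash" > "$work/local.hdb"
    make_ndb_sig "Local.Test.SampleMarker" "CONSTRUCTED-TEST-MARKER-7f3a" \
        > "$work/local.ndb"
    cat "$work/local.hdb" "$work/local.ndb"
    # With -d, clamscan loads only the given database, so the single
    # signature in local.ndb is the only one in play for this scan.
    if command -v clamscan >/dev/null 2>&1; then
        # clamscan exits 1 when a signature matches; that is expected here.
        clamscan --no-summary -d "$work/local.ndb" "$work/sample.php" || true
    fi
    rm -rf "$work"
}

demo
```

The hash signature matches only a byte-identical copy of the file, while the body signature still matches when the surrounding code changes but the marker bytes remain.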


Maldet, or Linux Malware Detect, is an open-source malware scanner for Linux created by R-FX Networks. You can run Maldet on its own or have it use ClamAV for better performance.

The signatures are generated from malware data sources provided by R-FX and by other sources: Network Edge IPS, Community Data, ClamAV data and User Submission.

Signature updates are frequent, but Maldet's core has not been updated since March 23, 2023.